CVE-2024-36991 PoC — Path Traversal on the "/modules/messaging/" endpoint in Splunk Enterprise on Windows

Associated Vulnerability
Title: Path Traversal on the "/modules/messaging/" endpoint in Splunk Enterprise on Windows (CVE-2024-36991)
Description: In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint in Splunk Enterprise on Windows. This vulnerability should only affect Splunk Enterprise on Windows.
Description
Critical Splunk Vulnerability CVE-2024-36991: Patch Now to Prevent Arbitrary File Reads
Readme
# Splunk Path Traversal Exploit (CVE-2024-36991)


## Description
This is a Proof-of-Concept (PoC) exploit script for **CVE-2024-36991**, a path traversal vulnerability affecting **Splunk Enterprise** on Windows versions below:
- **9.2.2**
- **9.1.5**
- **9.0.10**

The vulnerability allows unauthenticated attackers to read sensitive files on the server through a path traversal flaw in the `/modules/messaging/` endpoint of the Splunk web interface.

**Severity:** Critical  
**Impact:** Arbitrary File Read

---

## ⚠️ Vulnerable Versions
- Splunk Enterprise < 9.2.2
- Splunk Enterprise < 9.1.5
- Splunk Enterprise < 9.0.10

---

## 💡 Usage
To run the exploit, use the following commands:

```bash
# Using Python3
python3 exploit.py -u http://victim.com -s 1

# Running directly
./exploit.py -u http://victim.com -s 1
```

### Parameters:
- `-u`, `--url`: The base URL of the target Splunk server.
- `-s`, `--section`: Select the section to enumerate (1-5).

### Sections:
1. **Credentials & Secrets:**
    - `/etc/passwd`
    - `/etc/auth/splunk.secret`
    - `/etc/auth/server.pem`
    - `/var/run/splunk/session`
    - `/etc/system/local/authentication.conf`

2. **Configuration Files:**
    - `/etc/system/local/web.conf`
    - `/etc/system/local/inputs.conf`

3. **Logs & History:**
    - `/var/log/splunk/splunkd.log`
    - `/var/log/splunk/audit.log`
    - `/var/log/splunk/metrics.log`
    - `/var/log/splunk/searches.log`
    - `/var/run/splunk/dispatch`

4. **System & Service Files:**
    - `/bin/splunk.exe`
    - `/bin/splunkd.exe`
    - `/etc/system/default/server.conf`
    - `/etc/system/default/user-seed.conf`
    - `/var/lib/splunk/persistentstorage.db`

5. **Apps & Custom Scripts:**
    - `/etc/apps/Splunk_TA_windows/bin`
    - `/etc/apps/Splunk_TA_nix/bin`
    - `/etc/apps/SplunkForwarder/local`
    - `/etc/apps/Splunk_SA_CIM/local`

---

## 🛡️ Mitigation
To protect your Splunk server:
- Upgrade to **Splunk Enterprise 9.2.2, 9.1.5, or 9.0.10** or later.
- Restrict network access to the Splunk web interface with access controls and firewall rules.
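
Upgrading does not show whether the endpoint was probed before the patch went in. The Python below is an added example, not part of this repository: it scans access-log lines for requests to `/modules/messaging/` that still contain `..` after repeated percent-decoding, and separates out those answered with a 200. The log layout, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in common log format (assumption: the access log of
# the Splunk web interface, or of a reverse proxy in front of it, looks like this).
SAMPLE_LOG = """\
198.51.100.7 - - [30/Mar/2025:20:17:55 +0000] "GET /en-US/modules/messaging/../../etc/auth/splunk.secret HTTP/1.1" 200 255
198.51.100.7 - - [30/Mar/2025:20:17:56 +0000] "GET /en-US/modules/messaging/%2e%2e%5c%2e%2e%5cetc%5cpasswd HTTP/1.1" 404 0
198.51.100.7 - - [30/Mar/2025:20:17:57 +0000] "GET /en-US/modules/messaging/%252e%252e/etc/system/local/web.conf HTTP/1.1" 200 812
203.0.113.20 - admin [30/Mar/2025:20:18:02 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 10432
203.0.113.20 - admin [30/Mar/2025:20:18:03 +0000] "GET /en-US/static/docs/..%2fnotes.txt HTTP/1.1" 404 0
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
ENDPOINT = "/modules/messaging/"

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded dots and slashes are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal_attempts(log_text):
    """Return (ip, status, decoded_path) for requests with '..' after the endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed layout
        path = fully_decode(m["target"].split("?", 1)[0]).replace("\\", "/")
        _, found, tail = path.lower().partition(ENDPOINT)
        if found and ".." in tail:
            hits.append((m["ip"], int(m["status"]), path))
    return hits

def likely_successful(hits):
    """A 200 on a flagged request means file content may have been returned."""
    return [h for h in hits if h[1] == 200]

if __name__ == "__main__":
    for ip, status, path in find_traversal_attempts(SAMPLE_LOG):
        print(f"{status} {ip} {path}")
```

A flagged request that returned 200 is a reason to treat the files listed in the sections above as exposed and to rotate any secrets among them.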

---

## ⚠️ Disclaimer
This exploit is for educational and authorized penetration testing purposes only. Unauthorized use is illegal and unethical. The author takes no responsibility for misuse.

File Snapshot

```
[4.0K] /data/pocs/91bc2942fa1c46ef12eb187725e9a789573f4401
├── [5.5K] exploit.py
└── [2.5K] README.md

0 directories, 2 files
```