Description
This binary POC automates the exploitation of CVE-2024-36991 by sending crafted curl requests to a vulnerable Splunk instance. It retrieves sensitive files and saves them locally for further analysis. The script is modular, allowing users to target specific file categories (e.g., credentials, logs, configurations).
Readme
# CVE-2024-36991-Tool
This binary POC automates the exploitation of CVE-2024-36991 by sending crafted curl requests to a vulnerable Splunk instance. It retrieves sensitive files and saves them locally for further analysis. The script is modular, allowing users to target specific file categories (e.g., credentials, logs, configurations).

This tool was forked from https://github.com/jaytiwari05/CVE-2024-36991, then modified to pull files and store them, for use by Team ISP1337Hackers.
## Vulnerability Summary
CVE-2024-36991 is a critical path traversal vulnerability affecting Splunk Enterprise on Windows systems (versions below 9.2.2, 9.1.5, and 9.0.10). Improper handling of drive letters in Windows paths allows unauthenticated attackers to read arbitrary files on the system through the /modules/messaging/ endpoint. This can expose sensitive files like /etc/passwd (here Splunk's own etc/passwd account file under its installation directory, since the target is Windows), splunk.secret, and configuration files.

- CVSS Score: 7.5 (High Severity)
- Exploitability: Remote, Unauthenticated
- Impact: Arbitrary File Read
## Key Features:
- Targeted File Retrieval: Fetches files like passwd, splunk.secret, logs, and configuration files.
- Modular Design: Organized into sections for easy targeting (e.g., credentials, logs, system files).
- Output Saving: Automatically saves retrieved files to disk for offline analysis.
## Usage Instructions
### Python Script
Prerequisites:
- Python 3.x installed.
- curl installed on the system.
- A vulnerable Splunk Enterprise instance (Windows).

Running the Exploit:
```
./CVE-2024-36991 -u <TARGET_URL> -s <SECTION_NUMBER>
```
- `<TARGET_URL>`: Base URL of the vulnerable Splunk instance (e.g., https://splunk.example.com).
- `<SECTION_NUMBER>`: Choose a section (1-5) to target specific file types:
  - 1: Credentials & Secrets (e.g., passwd, splunk.secret).
  - 2: Configuration Files (e.g., web.conf, inputs.conf).
  - 3: Logs & History (e.g., splunkd.log, audit.log).
  - 4: System & Service Files (e.g., splunk.exe, server.conf).
  - 5: Apps & Custom Scripts (e.g., Splunk TA binaries).

Example:
```
./CVE-2024-36991 -u https://vulnerable-splunk.com -s 1
```
Output:
- The script prints the retrieved file contents to the console.
- Files are saved locally with their original names (e.g., passwd, splunk.secret).
## Binary PoC Exploit
A pre-compiled binary (CVE-2024-36991) is provided for Linux (ELF 64-bit LSB executable).

Usage:
1. Ensure the binary has execute permissions:
```
chmod +x CVE-2024-36991
```
2. Run the binary:
```
./CVE-2024-36991 -u <TARGET_URL> -s <SECTION_NUMBER>
```
- `<TARGET_URL>`: Base URL of the vulnerable Splunk instance.
- `<SECTION_NUMBER>`: Section to target (1-5, as above).

Example:
```
./CVE-2024-36991 -u https://vulnerable-splunk.com -s 1
```
## Mitigation
- Upgrade Splunk Enterprise to patched versions (9.2.2, 9.1.5, or 9.0.10).
- Disable Splunk Web if not required.
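
Alongside patching, web access logs can be reviewed for requests that match the behaviour described in the vulnerability summary: drive-letter or `..` path segments under `/modules/messaging/`. The detector below is an added example, not part of the original README or tool; the access-log layout, the sample lines and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

ENDPOINT = "/modules/messaging/"  # endpoint named in the vulnerability summary
REQUEST_RE = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')
DRIVE_RE = re.compile(r"(?:^|[/\\])[A-Za-z]:")          # segment starting with a drive letter
DOTDOT_RE = re.compile(r"(?:^|[/\\:])\.\.(?:[/\\]|$)")  # ".." used as a path segment

# Constructed sample lines in an assumed access-log layout (not real traffic).
SAMPLE_LOG = [
    '198.51.100.4 - admin [10/Jul/2024:12:00:00 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 9120',
    '203.0.113.7 - - [10/Jul/2024:12:00:01 +0000] "GET /en-US/modules/messaging/D:../EXAMPLE HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jul/2024:12:00:02 +0000] "GET /en-US/modules/messaging/%252e%252e%255cEXAMPLE HTTP/1.1" 404 80',
    '198.51.100.4 - admin [10/Jul/2024:12:00:03 +0000] "GET /en-US/modules/messaging/EXAMPLE HTTP/1.1" 404 80',
]


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line):
    """Return a finding for a suspicious messaging-endpoint request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, _method, target, status = m.groups()
    path = decode_fully(target.split("?", 1)[0])
    idx = path.lower().find(ENDPOINT)
    if idx < 0:
        return None
    tail = path[idx + len(ENDPOINT):]
    reasons = [name for name, rx in (("drive-letter", DRIVE_RE), ("dot-dot", DOTDOT_RE))
               if rx.search(tail)]
    if not reasons:
        return None
    # A 200 response means content was served: treat as possible disclosure.
    return {"client": client, "path": path, "reasons": reasons, "served": status == "200"}


def scan(lines):
    """Run inspect_line over an iterable of log lines and keep the findings."""
    return [f for f in map(inspect_line, lines) if f]
```

Findings with `served` set to true are the ones to investigate first, since files such as passwd and splunk.secret would then have to be treated as exposed.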
## Disclaimer
This tool is for educational and authorized testing purposes only. Unauthorized use against systems without explicit permission is illegal. The developers assume no liability for misuse.
File Snapshot
[4.0K] /data/pocs/d71933a0d8e9d674283f14408cba99185a80f899
├── [7.6M] CVE-2024-36991
└── [3.2K] README.md
0 directories, 2 files