============================================================================================================================================= | # Title : Splunk Enterprise 9.1.5 9.2.2 vulnerability Checker | | # Author : indoushka | | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) | | # Vendor : https://www.splunk.com/ | ============================================================================================================================================= [+] References : https://packetstorm.news/files/id/214134/ & CVE-2024-36985 [+] Summary : This PHP script is a defensive vulnerability checker for CVE-2024-36985 affecting Splunk Enterprise. It authenticates to a Splunk instance using provided credentials, retrieves the installed Splunk version, and determines whether it falls within the vulnerable ranges. The script then enumerates locally installed applications to verify the presence and enabled status of the splunk_archiver app, which is a required condition for exploitation. No commands are executed and no exploitation logic is included; the script is strictly designed for detection and assessment purposes to help security teams identify potentially vulnerable systems in a safe and controlled manner. [+] POC: php poc.php baseUrl = rtrim($baseUrl, '/'); $this->username = $username; $this->password = $password; } private function request($url, $post = null, $headers = []) { $ch = curl_init($url); curl_setopt_array($ch, [ CURLOPT_RETURNTRANSFER => true, CURLOPT_SSL_VERIFYPEER => false, CURLOPT_SSL_VERIFYHOST => false, CURLOPT_HTTPHEADER => $headers, CURLOPT_COOKIE => $this->cookie, ]); if ($post !== null) { curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, $post); } $response = curl_exec($ch); $info = curl_getinfo($ch); curl_close($ch); return [$response, $info]; } public function login(): bool { [$res, $info] = $this->request( $this->baseUrl . '/en-US/account/login', http_build_query([ 'username' => $this->username, 'password' => $this->password ]) ); if (isset($info['request_header'])) { $this->cookie = $info['request_header']; } return $info['http_code'] === 200; } public function getVersion(): ?string { [$res] = $this->request( $this->baseUrl . '/en-US/services/server/info?output_mode=json' ); $json = json_decode($res, true); return $json['entry'][0]['content']['version'] ?? null; } public function getApps(): array { [$res] = $this->request( $this->baseUrl . '/en-US/services/apps/local?output_mode=json' ); $apps = []; $json = json_decode($res, true); foreach ($json['entry'] ?? [] as $app) { $apps[$app['name']] = [ 'enabled' => $app['content']['disabled'] === false ]; } return $apps; } public function isVulnerable(string $version): bool { return ( version_compare($version, '9.0.10', '<') || (version_compare($version, '9.1.0', '>=') && version_compare($version, '9.1.5', '<')) || (version_compare($version, '9.2.0', '>=') && version_compare($version, '9.2.2', '<')) ); } } $target = 'https://127.0.0.1:8000'; $username = 'admin'; $password = 'password'; $checker = new SplunkChecker($target, $username, $password); if (!$checker->login()) { die("[!] Login failed\n"); } $version = $checker->getVersion(); if (!$version) { die("[!] Not a Splunk instance\n"); } echo "[*] Splunk Version: {$version}\n"; if (!$checker->isVulnerable($version)) { die("[+] SAFE: Non-vulnerable version detected\n"); } $apps = $checker->getApps(); if (!isset($apps['splunk_archiver'])) { die("[!] DETECTED: Vulnerable version, but splunk_archiver not installed\n"); } if ($apps['splunk_archiver']['enabled'] !== true) { die("[!] DETECTED: Vulnerable version, splunk_archiver installed but disabled\n"); } echo "[!!!] APPEARS VULNERABLE: Version + splunk_archiver enabled\n"; Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================