U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Attackers can siphon data from Splunk Enterprise if an authenticated user visits a malicious webpage

Splunk has fixed the security issue in the JavaScript implementation, tracked as CVE-2017-5607, that can be exploited to siphon data. Splunk has fixed the security issue in the JavaScript implementation, tracked as CVE-2017-5607, that leaks user information. Splunk provides the leading platform for Operational Intelligence that is used to search, monitor, analyze and visualize machine data. Splunk […]

Attackers can siphon data from Splunk Enterprise if an authenticated user visits a malicious webpage

Splunk has fixed the security issue in the JavaScript implementation, tracked as CVE-2017-5607, that can be exploited to siphon data.

Splunk has fixed the security issue in the JavaScript implementation, tracked as CVE-2017-5607, that leaks user information. Splunk provides the leading platform for Operational Intelligence that is used to search, monitor, analyze and visualize machine data. Splunk Enterprise, collects and analyzes high volumes of machine-generated data.

Splunk

The security issue could be exploited by an attacker tricking an authenticated user into visiting a malicious Web page. The bug leaks the username, and whether that user has enabled remote access, allowing an attacker to target the user with a spear phishing attack to steal the user’s credentials.

“Attackers can siphon information from Splunk Enterprise if an authenticated Splunk user visits a malicious webpage. Some useful data gained is the currently logged in username and if remote user setting is enabled.” reads the advisory published at Full Disclosure. “After, the username can be use to Phish or Brute Force Splunk Enterprise login. Additional information stolen may aid in furthering attacks.

Root cause is the global Window JS variable assignment of config?autoload=1 ‘$C’.”

The problem resides in the way Splunk uses Object prototypes in JavaScript. The Object prototype is an Object that every other object inherits from in JavaScript.

“To steal information we simply can define a function to be called when the ‘$C’ JS property is “set” on webpage, for example. Object.defineProperty( Object.prototype, “$C”, { set:function(val){…” continues the advisory,

Below the proof-of-concept JavaScript code published in the advisory:

<script>
Object.defineProperty( Object.prototype, “$C”, { set:function(val){
//prompt(“Splunk Timed out:\nPlease Login to Splunk\nUsername:
“+val.USERNAME, “Password”)
for(var i in val){
alert(“”+i+” “+val[i]);
}
}
});
</script>

Affected Splunk Enterprise versions are:

  • 6.5.x before 6.5.3
  • 6.4.x before 6.4.6
  • 6.3.x before 6.3.10
  • 6.2.x before 6.2.13.1
  • 6.1.x before 6.1.13
  • 6.0.x before 6.0.14
  • 5.0.x before 5.0.18 and Splunk Light before 6.5.2

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – hacking, CVE-2017-5607)