CVE CyberSecurity Database News

CVE-2024-45731 - Exploiting Path Traversal in Splunk Enterprise for Windows to Write Files in System32

Poster -

In May 2024, a critical security vulnerability—CVE-2024-45731—was disclosed affecting Splunk Enterprise for Windows. This flaw allows any non-admin, non-power user to write files directly into the Windows System32 directory if the Splunk instance is installed on a different drive than Windows itself. This can open the door to privilege escalation, malware persistence, or system compromise.

This post will break down the vulnerability, explain why it happens, show how it works with code snippets, and reference original advisories and resources. The writing aims to be clear even for readers not deeply technical.

What Is CVE-2024-45731?

Vulnerability: In certain versions of Splunk Enterprise for Windows (before 9.3.1, 9.2.3, and 9.1.6), users without “admin” or “power” roles can abuse the product to make the Windows OS write files in “C:\Windows\System32” if Splunk is on another drive (like “D:\Splunk”).

Severity: High – lets attackers put files in a folder trusted by Windows and loaded with elevated privileges.

Splunk Advisory:
- Splunk Security Advisory SLA-2024-04 (CVE-2024-45731)

References:
- NIST NVD entry

Why Does This Happen? Root Cause

Splunk for Windows runs with user permissions. By design, only “admin” and “power” users are trusted for dangerous actions.

But, when Splunk is installed on a different drive than Windows (ex: Splunk on D:, Windows on C:), the way it handles Windows environment variables plus path handling allows regular Splunk users to make Splunk write anywhere—including the extremely sensitive C:\Windows\System32 directory.

This boils down to path traversal, a common and dangerous bug where user-controlled input (like file paths) aren’t checked well enough.

Exploit Example: Writing to System32 via Lookup Upload

The easiest exploit is to use Splunk’s lookup table files, which can often be uploaded by basic users.

Attacker navigates to ‘Lookup table files’ page via Settings.

3. When uploading a CSV** set the “Destination filename” field to a path with traversal up to C:\Windows\System32.

Exploit Steps

Let’s say your Windows is on C:\ and Splunk is on D:\.

`

../../../../../../../../Windows/System32/exploit.bat

`

*Each "../" tells Splunk to “go up one directory.”* The exact number needed depends on folder depth, but you can try several.

Click upload.

If unpatched, Splunk places your file in C:\Windows\System32, even though you’re just a low-level user.

A small PowerShell script to demonstrate

# Create a sample .bat file payload
$content = '@echo off
echo Evil code executed > C:\Windows\Temp\pwned.txt
'
Set-Content -Path .\evil.csv -Value $content

# In Splunk's lookup upload, use:
# ../../../../../../../../Windows/System32/evil.bat

Bypass AV tools: Some malware targets System32 for hiding.

Any low-level Splunk user becomes a system-level attacker.

Patching and Mitigation

Patch Now:
Update to Splunk 9.3.1, 9.2.3, or 9.1.6 immediately. All vulnerable versions are at risk.

- Splunk Downloads Page

`

../../../../../../../../Windows/System32/malicious.dll

Conclusion

CVE-2024-45731 is a high-impact bug with a simple trigger. Splunk administrators running on Windows with Splunk on a non-system drive should patch ASAP.

Stay Safe!

Original advisories:
- SVD-2024-0603
- NVD: CVE-2024-45731

More resources:
- Splunk Hardening Guidance

Timeline

Published on: 10/14/2024 17:15:11 UTC
Last modified on: 01/07/2025 16:47:42 UTC