Related vulnerability
Title: Palo Alto Networks GlobalProtect OS command injection vulnerability (CVE-2020-2034). Description: Palo Alto Networks PAN-OS and GlobalProtect are products of the US company Palo Alto Networks. PAN-OS is the operating system developed for its firewall appliances. GlobalProtect is a network protection suite that provides firewall monitoring and threat prevention. An OS command injection vulnerability exists in the PAN-OS GlobalProtect portal; an attacker could exploit it to execute arbitrary operating system commands with root privileges. The following products and versions are affected: Pa
Description
Determine the Version Running on the Palo Alto Network Firewall for the Global Protect Portal
Introduction
# CVE-2020-2034-POC
Determine the Version Running on the Palo Alto Network Firewall for the Global Protect Portal
Recently a lot of critical vulnerabilities were announced by Palo Alto Networks here:
https://security.paloaltonetworks.com/?severity=CRITICAL&product=PAN-OS&sort=-date
This is a PoC that determines the PAN-OS version the firewall is running by examining the ETag returned by a `curl` request against the GlobalProtect favicon and `login.esp`.

References:
- CWE-78 (impact): https://cwe.mitre.org/data/definitions/78
- The Register: https://www.theregister.com/2020/07/09/palo_alto_fix/
- Vulmon: https://vulmon.com/searchpage?q=paloaltonetworks

Instructions:
Make sure you have the latest Python 3.

Demo:
```
curl -skI https://example.com/global-protect/login.esp
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
ETag: "5e4c6-2f3g-5b650798"
```
To determine the version, we examine the ETag returned for some of the portal's URLs. The last 8 characters of the ETag are a hexadecimal number: convert it to decimal, treat that value as Unix epoch time, and convert it to a human-readable date. That build date identifies the version in use, which tells us whether the device is vulnerable to the OS command injection recently disclosed by Palo Alto Networks.

From the demo above, we are interested in the last 8 characters: `5b650798`.

Convert this from hexadecimal to decimal, then from decimal epoch time to a human-readable date. You will get:

Sat Aug 4 04:55:36 EEST 2018

Then check whether it is vulnerable based on the announced versions.

The script does all of this automatically once you run it.
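The ETag-to-build-date step described above, as an added example that is not the repository's own `panos-scanner.py`: it parses the ETag out of raw `curl -skI` output (the sample below is constructed from the demo, not a real host), takes the trailing 8 hex characters and returns the build time in UTC so an administrator can confirm the build date of their own portal. Weak (`W/`) and unquoted ETag forms are accepted as an assumption; mapping the date to a version still requires the version table, which is not reproduced here.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample of the `curl -skI` output shown in the demo (not a real host).
SAMPLE_CURL_OUTPUT = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Connection: keep-alive\r\n"
    'ETag: "5e4c6-2f3g-5b650798"\r\n'
    "\r\n"
)

# Accepts strong ("..."), weak (W/"...") and unquoted ETag values (assumption).
_ETAG_RE = re.compile(r'^(?:W/)?"?(?P<value>[^"]*)"?$')


def etag_epoch(etag_header_value: str) -> int:
    """Return the build timestamp (seconds since the Unix epoch) encoded in the
    last 8 hexadecimal characters of a GlobalProtect portal ETag value."""
    m = _ETAG_RE.match(etag_header_value.strip())
    if m is None:
        raise ValueError(f"malformed ETag: {etag_header_value!r}")
    tail = m.group("value")[-8:]
    # Only the final 8 characters are hex; earlier fields may contain
    # non-hex characters (the demo's "2f3g"), so validate just the tail.
    if not re.fullmatch(r"[0-9a-fA-F]{8}", tail):
        raise ValueError(f"ETag does not end in 8 hex characters: {etag_header_value!r}")
    return int(tail, 16)


def etag_build_time(etag_header_value: str) -> datetime:
    """Same value as etag_epoch(), as a timezone-aware UTC datetime.
    The README prints the same instant in EEST (UTC+3): 04:55:36 local."""
    return datetime.fromtimestamp(etag_epoch(etag_header_value), tz=timezone.utc)


def build_time_from_headers(raw_headers: str) -> Optional[str]:
    """Pull the ETag header out of raw `curl -I` output and return the build
    time as an ISO-8601 UTC string, or None when the response has no ETag."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "etag":
            return etag_build_time(value).isoformat()
    return None


if __name__ == "__main__":
    print(build_time_from_headers(SAMPLE_CURL_OUTPUT))  # 2018-08-04T01:55:36+00:00
```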
Legal disclaimer
Usage of this tool for testing targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state, and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.
File snapshot
```
[4.0K] /data/pocs/695be35d2e8b86edf34e71b0c331f8ba9857791a
├── [1.1K] LICENSE.md
├── [7.6K] panos-scanner.py
├── [1.9K] README.md
└── [3.7K] version-table.txt
0 directories, 4 files
```
Notes
1. We recommend accessing the PoC through its original source first.
2. If the source is gone or unreachable, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for or donating to the local POC. Thank you for your support.