CVE-2024-3400 RCE Test Script

Overview

This Python script is designed to test for a remote code execution (RCE) vulnerability, specifically CVE-2024-3400, which affects certain Palo Alto Networks GlobalProtect portals. The vulnerability allows unauthorized command execution via cookie manipulation.

The script sends a benign HTTP GET request to a list of specified URLs with a cookie payload that includes a base64-encoded command (echo test). If the command executes, it indicates potential vulnerability.

How It Works

Components

• Base64 Encoding: Commands are encoded in base64 to simulate how an attacker might obscure malicious commands to bypass basic security filters.
• HTTP Requests: The script uses the requests Python library to send HTTP GET requests with the malicious cookie.
• File Handling: It reads a list of target URLs from an input file and writes the test results to an output file.

Steps

1. Command Encoding: The echo test command is encoded into base64.
2. Cookie Crafting: A cookie payload is crafted with the encoded command inserted in a way that would be executed if the system is vulnerable.
3. Request Sending: For each URL, the script sends an HTTP request with the crafted cookie.
4. Response Analysis: The script checks the HTTP response to see if the test command's output appears, indicating command execution.
5. Result Logging: Results are logged to an output file, noting whether each URL is potentially vulnerable.

Usage

Run the script from the command line by providing the input file (containing URLs to test) and the output file (to store results):

python script_name.py input_file.txt output_file.txt

Replace script_name.py with your script's filename, input_file.txt with your input file, and output_file.txt with your desired output file.

Dependencies

• Python 3.x
• requests library (install via pip install requests)

Articles and References

• Watchtowr Labs Analysis on CVE-2024-3400 This article provides an in-depth look at the CVE-2024-3400 vulnerability, detailing how it can be exploited and its potential impact.

• LinkedIn Post by Justin Elze Justin Elze discusses the significance of the CVE-2024-3400 discovery and its implications for security in enterprise environments.

Disclaimer

This script is for educational and testing purposes only. Use it responsibly. Executing this script without authorization on systems you do not own or have permission to test is unethical and illegal. Always ensure compliance with all applicable laws and regulations.