This article compiles publicly available technical details about CVE-2024-3400, the PAN-OS vulnerability exploited in the wild: the path traversal in SSL VPN cookie parsing, the command injection in the Telemetry service, how the two are chained together, and what is known about the attacker's post-exploitation activity. In addition, Bishop Fox discovered a new command injection vulnerability that does not depend on Telemetry, so simply disabling the Telemetry service on a vulnerable system is not an adequate mitigation.
Because no reproduction environment was available, this article is only a set of notes compiled from public sources. Readers interested in building a reproduction environment can refer to the articles cited in section 2.1 Vulnerability information.
0x01. Vulnerability introduction
Volexity Threat Research captured an in-the-wild exploit targeting PAN-OS devices on 2024-04-10, and Palo Alto Networks published a security advisory and assigned the CVE number CVE-2024-3400 on 2024-04-11.
Although only one CVE number was assigned, two distinct vulnerabilities were actually used in the in-the-wild attack:
A path traversal vulnerability in SSL VPN Cookie parsing, which can be used without authentication to create arbitrary (empty) files with root privileges
A command injection vulnerability in Telemetry, which achieves code execution when the name of the file created above is crafted to match it
Chained together, the two give remote arbitrary code execution without authentication.
The Telemetry command injection depends on the Telemetry service being enabled, but it can also be combined with other command injection vulnerabilities that have no such precondition. For example, Bishop Fox mentioned that they discovered and reported a new command injection vulnerability that does not depend on Telemetry (no public details are available at present).
0x02. Vulnerability details
2.1 Vulnerability information
A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
The biggest obstacle to researching this kind of vulnerability is building a reproduction environment, because the vendor does not allow non-customers to download virtual machine images :-(
Besides obtaining the virtual machine image, getting root privileges on it is also an important step. The Rapid7 article gives a fairly simple approach:
/var is not integrity-checked at system startup
Mount the virtual machine disk and place a PHP webshell under /var/appweb/htdocs/unauth/php
Use the PHP webshell to compile a SUID-root program that executes commands with root privileges
Modify /etc/passwd with root privileges so that an SSH login yields a root shell
2.2 Cookie SESSID path traversal
The SSL VPN page /ssl-vpn/hipreport.esp has a path traversal vulnerability (Path Traversal Vulnerability) when parsing the Cookie SESSID value, and this page can be accessed without logging in.
When the vulnerability is triggered, if the corresponding file does not exist, an empty file is created with root privileges.
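To show the defensive counterpart of the cookie-parsing bug, here is an added example (written for this article, not PAN-OS code; the SESSION_DIR path, the session-id alphabet and the function names are assumptions) of how a server should map an untrusted session id to a file path: an allow-list on the token, a realpath containment check, and a create that neither follows symlinks nor overwrites an existing file.

```python
import os
import re

# Hypothetical base directory for session files; the real on-device layout
# is not described in the article.
SESSION_DIR = "/tmp/sslvpn_sessions"

# A session id is expected to be an opaque token. Anything outside this
# alphabet (slashes, dots, NULs, ...) is rejected before it touches a path.
_SESSID_RE = re.compile(r"[A-Za-z0-9_-]{8,128}")


def session_file_path(sessid: str, base_dir: str = SESSION_DIR) -> str:
    """Map a session id to its file path, refusing anything that is not a
    plain token or that would resolve outside base_dir."""
    if not _SESSID_RE.fullmatch(sessid):
        raise ValueError("session id is not a plain token")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, sessid))
    # Second, independent check: after collapsing '..' and symlinks the
    # result must still be under base. Cheap defence in depth in case the
    # allowed alphabet is ever loosened.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("session path escapes the session directory")
    return candidate


def is_safe_sessid(sessid: str) -> bool:
    """True when session_file_path() accepts the id."""
    try:
        session_file_path(sessid)
        return True
    except ValueError:
        return False


def create_session_file(sessid: str, base_dir: str = SESSION_DIR) -> str:
    """Create the (empty) session file without following symlinks and
    without clobbering an existing file."""
    path = session_file_path(sessid, base_dir)
    os.makedirs(base_dir, exist_ok=True)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    if hasattr(os, "O_NOFOLLOW"):
        flags |= os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    os.close(fd)
    return path


def demo() -> dict:
    """Exercise the checks against a scratch directory (constructed scenario)."""
    import tempfile
    base = tempfile.mkdtemp(prefix="sess_")
    created = create_session_file("abcDEF12345", base)
    try:
        create_session_file("abcDEF12345", base)
        duplicate_refused = False
    except FileExistsError:
        duplicate_refused = True
    return {
        "created": os.path.isfile(created),
        "duplicate_refused": duplicate_refused,
        "traversal_refused": not is_safe_sessid("../../etc/cron.d/job"),
    }
```

The allow-list alone already stops traversal; the realpath check costs nothing and keeps the code safe if someone later widens the alphabet, which is the usual way such guards regress.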
2.3 Telemetry command injection
The PAN-OS Telemetry service periodically sends the log files in a specified folder back to Palo Alto Networks servers. The Python script /p2/usr/local/bin/dt_curl involved in this has a command injection vulnerability (Command Injection Vulnerability); the key code is as follows:
Note fname and shell=True.
fname is a local file path, and it can be the file created through the Cookie SESSID path traversal vulnerability above.
pansys(curl_cmd, shell=True, timeout=250) indicates that injected parameters will very likely be executed as shell commands.
pansys eventually calls pansys.dosys() in /p2/lib64/python3.6/site-packages/pansys/pansys.py; the relevant code is as follows:
shell=True is ultimately passed to subprocess.Popen(), which means a shell is spawned to execute the command string, so code injected through fname gets executed.
Note that the command injection in Telemetry can only be triggered when the Telemetry feature is enabled. The initial Palo Alto Networks advisory also mentioned this precondition, but it was removed in subsequent updates.
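The shell=True pattern and its fix, as an added example that is not the dt_curl or pansys code from the article: the upload command is replaced by a stand-in (the Python interpreter printing back its first argument, so it runs offline and shows exactly what the child received), the file name SAMPLE_FNAME is a constructed value, and run_vulnerable, run_hardened and run_shell_quoted are names chosen for this demonstration.

```python
import shlex
import subprocess
import sys

# Stand-in for the real upload command: the child process simply prints its
# first argument, which makes visible whether the file name arrived intact.
_ECHO_ARGV1 = "import sys; print(sys.argv[1])"

# Constructed file name carrying a shell metacharacter; a real attacker-chosen
# name would be created by the path traversal described in the article.
SAMPLE_FNAME = "upload.log; echo INJECTED"


def run_vulnerable(fname: str) -> str:
    """The pattern from the article: one command string, shell=True.
    /bin/sh parses the string, so ';' inside fname ends the command."""
    cmd = f"{sys.executable} -c '{_ECHO_ARGV1}' {fname}"
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True, timeout=30).stdout


def run_hardened(fname: str) -> str:
    """Fix: argv list and no shell. fname reaches the child as a single
    literal argument, whatever characters it contains."""
    argv = [sys.executable, "-c", _ECHO_ARGV1, fname]
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=30).stdout


def run_shell_quoted(fname: str) -> str:
    """If a shell is unavoidable (pipes, redirections), quote every untrusted
    piece with shlex.quote so the shell treats it as one word."""
    cmd = f"{sys.executable} -c '{_ECHO_ARGV1}' {shlex.quote(fname)}"
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True, timeout=30).stdout
```

With SAMPLE_FNAME, run_vulnerable prints "upload.log" and then a second line "INJECTED" produced by the second command, while both hardened variants print the whole string as one argument. The argv form is the one to prefer: it removes the shell from the picture instead of trying to outguess it.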
This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both). Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.
Is it possible to achieve a similar command injection without Telemetry enabled? No public details are available, but Bishop Fox stated in their article PAN-OS CVE-2024-3400: Patch Your Palo Alto Firewalls that they discovered a new command injection vulnerability that does not rely on Telemetry; Palo Alto Networks updated the advisory after Bishop Fox reported the details to them.
We developed bypasses for both recommended interim mitigations. We were able to successfully evade Threat Prevention signatures, and we identified a new command injection vulnerability which is exploitable even when device telemetry is disabled.
0x03. Post-Exploitation
Zero-day exploitation of a vulnerability in Palo Alto Global Protect firewall devices that allowed for unauthenticated remote code execution to take place. Initial exploitation was used to create a reverse shell, download tools, exfiltrate configuration data, and move laterally within the network.
3.1 update.py
update.py can be downloaded from MalwareBazaar; its source code is as follows:
It writes a piece of Python code to /usr/lib/python3.6/site-packages/system.pth.
The purpose of the update.py script is to deploy a backdoor to the following path: /usr/lib/python3.6/site-packages/system.pth. The backdoor, written in Python, starts by an import and its main content is stored as a base64 encoded blob. The .pth extension is used to append additional paths to a Python module. Starting with the release of Python 3.5, lines in .pth files beginning with the text “import” followed by a space or a tab, are executed as described in the official documentation. Therefore, by creating this file, each time any other code on the device attempts to import the module, the malicious code is executed.
A .pth file in the Python site-packages directory is used to add entries to sys.path. For example, if a .pth file has the following content, the path on each line is appended to sys.path.
If a line in a .pth file begins with import followed by a space or tab character, that line is executed as Python code. Note that .pth files are processed every time a Python process starts, not, as Volexity's text states, only when a module is imported.
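An added example for checking the .pth behaviour described above on a host (not code from the article or from Volexity): it classifies .pth lines the way CPython's site module does, reports every executable line found in the given directories, and flags lines that contain loader or obfuscation keywords. BENIGN_PTH and SUSPECT_PTH are constructed samples, the scratch directory is only read and never placed on sys.path, and the keyword list is an assumption to tune for your environment.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Rules applied by CPython's site module when it processes a .pth file:
# blank lines and '#' comments are ignored, a line beginning with "import"
# followed by a space or tab is executed, every other line is a path entry.
_IMPORT_LINE = re.compile(r"^import[ \t]")
# Keywords a legitimate path-hook line has little reason to contain (assumption).
_SUSPICIOUS = re.compile(
    r"base64|exec\(|eval\(|compile\(|__import__|socket|subprocess|popen", re.I)


def classify_pth_lines(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, kind, line) with kind in {'skip', 'exec', 'path'}."""
    result = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            result.append((no, "skip", line))
        elif _IMPORT_LINE.match(line):
            result.append((no, "exec", line))
        else:
            result.append((no, "path", line))
    return result


def scan_pth_dirs(directories) -> List[dict]:
    """Report every executable line in .pth files under the given directories,
    flagging lines that carry loader/obfuscation keywords."""
    findings = []
    for d in directories:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".pth"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    lines = classify_pth_lines(fh.read())
            except OSError:
                continue
            for no, kind, line in lines:
                if kind == "exec":
                    findings.append({"file": path, "line": no, "code": line,
                                     "suspicious": bool(_SUSPICIOUS.search(line))})
    return findings


def interpreter_pth_dirs() -> List[str]:
    """Directories the running interpreter itself processes .pth files from."""
    import site
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    dirs.append(site.getusersitepackages())
    return dirs


# Constructed sample .pth contents (not real files from any device).
BENIGN_PTH = ("# added by a packaging tool\n"
              "/opt/vendor/lib/python\n"
              "import _vendor_hook; _vendor_hook.install()\n")
SUSPECT_PTH = 'import base64, sys; exec(base64.b64decode("PLACEHOLDER_BLOB"))\n'


def demo() -> List[dict]:
    """Write the constructed samples to a scratch directory and scan it."""
    d = tempfile.mkdtemp(prefix="pth_scan_")
    with open(os.path.join(d, "vendor.pth"), "w") as fh:
        fh.write(BENIGN_PTH)
    with open(os.path.join(d, "system.pth"), "w") as fh:
        fh.write(SUSPECT_PTH)
    return scan_pth_dirs([d])
```

scan_pth_dirs(interpreter_pth_dirs()) checks the interpreter running the scanner; on an appliance you would instead pass the target's site-packages path, which in this case is /usr/lib/python3.6/site-packages. Packaging tools do ship legitimate import lines, so treat the "suspicious" flag as a triage aid and review every executable line against a known-good baseline.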
The Base64 decoded content is as follows:
Two functions are defined here: protect, which protects /usr/lib/python3.6/site-packages/system.pth, and check, whose core logic is again Base64-encoded; the decoded content is as follows:
This code implements a backdoor that executes commands sent by the attacker:
The attacker requests a page that does not exist, placing the command to execute in a request parameter.
Because the page does not exist, the request details are written to the log file /var/log/pan/sslvpn_ngx_error.log.
The backdoor extracts the attacker-specified command from the log file /var/log/pan/sslvpn_ngx_error.log.
It executes the command via os.popen and writes the command output into the CSS file /var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css.
It restores the contents of the log file /var/log/pan/sslvpn_ngx_error.log (removing the lines containing the command parameters) together with its atime and mtime attributes.
It restores the contents of the CSS file /var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css together with its atime and mtime attributes.
However, the atime and mtime applied here actually come from the log file, not from the CSS file's originally saved time attributes.
The attacker can read the command output from the CSS file within 15 seconds.
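Because timestamps can be restored but content hashes cannot, here is an added example (not code from the article or from the malware) of the two checks a defender would run against the backdoor behaviour just described: a SHA-256 baseline of static web assets, and a check for a static file whose mtime is exactly equal to a log file's. The demo() scenario, the file names under a scratch directory and the sample contents are constructed.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every file under root (path relative to root, '/' separated) to its SHA-256."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def check_integrity(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the current tree against a baseline. Timestamps are ignored
    entirely because an attacker can put them back."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def timestamp_twins(asset: str, log_files: List[str]) -> List[str]:
    """Log files whose mtime equals the asset's to the nanosecond. A static
    CSS file and a continuously written log should never share one."""
    asset_mtime = os.stat(asset).st_mtime_ns
    return [p for p in log_files
            if os.path.exists(p) and os.stat(p).st_mtime_ns == asset_mtime]


def demo() -> dict:
    """Constructed scenario: baseline a fake web root, then alter the CSS file
    and copy the log file's timestamps onto it, as the backdoor does."""
    root = tempfile.mkdtemp(prefix="webroot_")
    css = os.path.join(root, "css", "bootstrap.min.css")
    log = os.path.join(root, "sslvpn_ngx_error.log")
    os.makedirs(os.path.dirname(css))
    with open(css, "w") as fh:
        fh.write(".btn{color:#fff}\n")  # constructed original content
    with open(log, "w") as fh:
        fh.write("2024/04/12 00:00:00 [error] constructed log line\n")
    baseline = build_baseline(root)

    # Emulate the backdoor: append output to the CSS file, then stamp the file
    # with the log file's atime/mtime.
    with open(css, "a") as fh:
        fh.write("/* constructed command output */\n")
    st = os.stat(log)
    os.utime(css, ns=(st.st_atime_ns, st.st_mtime_ns))

    return {
        "integrity": check_integrity(root, baseline),
        "twins": [os.path.basename(p) for p in timestamp_twins(css, [log])],
    }
```

In practice the baseline is taken from a known-good installation (or the vendor package) and stored off the device, and the twin check is run with the real paths from the article, /var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css against /var/log/pan/sslvpn_ngx_error.log.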
3.2 patch cron file
Creates a crontab entry that periodically pulls and executes a script named policy.
3.3 policy file
3.3.1 Version 1
A Python reverse shell.
3.3.2 Version 2
Writes the output of uname -a into the CSS file.