Attacking Palo Alto Networks PAN-OS ‘readSessionVarsFromFile()’


A really cool CVE for attacking Palo Alto Networks PAN-OS, CVE-2017-15944, was published near the end of last year. Just last week Philip Pettersson created a Metasploit module to take full advantage of this bug and achieve remote code execution!

I recently had the pleasure of leveraging this attack vector on a pentest so I thought I would honor the occasion with a blog post!

Understanding The Bug

Philip has already provided an excellent write-up on ExploitDB documenting this bug in Palo Alto Networks PAN-OS, so I won't recreate his efforts. Read his advisory for a well-written and very thorough explanation.

TLDR: An authentication bypass allows us to access PHP scripts which can be leveraged to create directories and/or modify entries in a recurring cron job to execute code and give us a remote shell, awesome!

Detecting Vulnerable Hosts

The advisory from Palo Alto Networks (PAN-SA-2017-0027) tells us that all versions are vulnerable prior to:

6.1.19
7.0.19
7.1.14
8.0.6
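A quick way to triage a device inventory against that list, as an added example that is not part of the original post. The fixed-version table is copied from the advisory versions quoted above; `parse_version`, `is_vulnerable` and `triage` are my own helper names. A version on a branch the advisory does not list (for example anything newer than 8.0) returns None rather than a guess, so it can be reviewed by hand.

```python
# Added example (not from the original post): decide whether a PAN-OS version
# string predates the first fixed release on its branch, per PAN-SA-2017-0027.
from typing import Dict, List, Optional, Tuple

# First fixed release per feature branch (major.minor), from the advisory list.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (6, 1): (6, 1, 19),
    (7, 0): (7, 0, 19),
    (7, 1): (7, 1, 14),
    (8, 0): (8, 0, 6),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.maint'. A trailing '-hN' hotfix suffix is dropped,
    i.e. a hotfix build is ordered like its base release (an assumption made
    here for simplicity, not a statement from the advisory)."""
    base = text.strip().split("-", 1)[0]
    parts = base.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint = (int(p) for p in parts)
    return major, minor, maint


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the version predates the fix for its branch, False if it is at
    or after the fix, None if the branch is not in the advisory table."""
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    # Tuple comparison orders (major, minor, maint) numerically.
    return version < fixed


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the names of inventory entries that still need the patch.
    Entries on unlisted branches (None) are deliberately excluded."""
    return sorted(
        name for name, ver in inventory.items() if is_vulnerable(ver) is True
    )


if __name__ == "__main__":
    # Constructed inventory for illustration.
    sample = {"edge-fw1": "7.0.18", "edge-fw2": "7.0.19", "dc-fw1": "8.1.0"}
    for name, ver in sample.items():
        print(f"{name:10} {ver:8} vulnerable={is_vulnerable(ver)}")
    print("needs patch:", triage(sample))
```

Feed it the version column from Panorama or an inventory export; anything that comes back True goes on the patch list, and None entries are checked against the advisory text directly.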

We can easily determine if our target is vulnerable with a simple GET request.

https://target/esp/cms_changeDeviceContext.esp?device=aaaaa:a%27";user|s."1337";

If you see the following message in the response body, the target is vulnerable and you have created an authentication cookie.

@start@Success@end@

As Philip mentions, this is not a full authentication bypass, but it does allow access to certain critical PHP libraries which would otherwise be restricted. As a proof of concept you can navigate to

/php/utils/debug.php

and see that the once restricted page is now fully accessible.
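From the defensive side, the same two indicators (a `device` parameter carrying quote and shell metacharacters on `cms_changeDeviceContext.esp`, followed by a hit on a normally restricted page such as `/php/utils/debug.php`) are easy to pick out of the management-interface web logs. The detector below is an added example, not code from the original post or from Palo Alto Networks; the log lines are constructed, the NCSA common log format is assumed, and the quotes in the first request are shown percent-encoded so the sample stays a valid log line.

```python
# Added example (not part of the original post): flag access-log entries that
# match the pre-auth probe described in the post. Sample log lines below are
# constructed for illustration; NCSA common log format is assumed.
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths named in the post: the auth-bypass entry point and a page that should
# only be reachable after a real login.
PROBE_PATH = "/esp/cms_changeDeviceContext.esp"
RESTRICTED_PATHS = {"/php/utils/debug.php"}
# Characters that have no business in a device name but appear in the probe.
META_CHARS = set("'\";|$")


def split_query(query: str) -> Dict[str, str]:
    """Split a raw query string on '&' only (never ';', which the probe uses
    inside a value) and percent-decode each key and value."""
    params: Dict[str, str] = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def analyse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding dict for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    finding = {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": path,
        "status": m.group("status"),
    }
    if path == PROBE_PATH:
        device = split_query(query).get("device", "")
        if META_CHARS & set(device):
            finding["reason"] = "device parameter contains quote/shell metacharacters"
            return finding
    if path in RESTRICTED_PATHS:
        finding["reason"] = "access to restricted PHP utility page"
        return finding
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run analyse_line over every line, keeping only the findings."""
    return [f for f in (analyse_line(ln) for ln in lines) if f]


# Constructed sample: one probe plus follow-up, and two benign requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/May/2018:10:01:02 +0000] "GET /esp/cms_changeDeviceContext.esp'
    '?device=aaaaa:a%27%22;user|s.%221337%22; HTTP/1.1" 200 123',
    '10.0.0.5 - - [11/May/2018:10:01:05 +0000] "GET /php/utils/debug.php HTTP/1.1" 200 4567',
    '10.0.0.9 - - [11/May/2018:10:02:00 +0000] "GET /esp/cms_changeDeviceContext.esp'
    '?device=vsys1 HTTP/1.1" 200 99',
    '10.0.0.9 - - [11/May/2018:10:02:07 +0000] "GET /php/login.php HTTP/1.1" 200 2000',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} -> {f['reason']}")
```

Run it over the management web server's access log; a probe from one source followed within seconds by a 200 on `debug.php` from the same source is the sequence the post walks through, and on a patched device the probe should not be followed by a successful restricted-page hit.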

Compromising The Vulnerable System

Once you have verified that your target is vulnerable, exploiting the system and gaining a remote shell is trivial thanks to Philip. First update your copy of Metasploit, as this is a fresh exploit created just this past week! Now load up the exploit module and enter the target's IP address and port.


I had mixed results with different payloads but found the ‘cmd/unix/reverse_bash’ payload to be pretty reliable.  Specify your attacking IP and port to listen on and fire when ready!

This was a fun attack vector for me.  I always enjoy when I get to use something other than the same old tried and true exploits to compromise an internal network.  Thanks for reading and hack responsibly!

The post Attacking Palo Alto Networks PAN-OS ‘readSessionVarsFromFile()’ appeared first on Pentest Geek.


Retrieved from https://www.truth.cx/2018/05/11/attacking-palo-alto-networks-pan-os-readsessionvarsfromfile/