Attacking Palo Alto Networks PAN-OS 'readSessionVarsFromFile()'

A really cool CVE for attacking Palo Alto Networks PAN-OS, CVE-2017-15944, was published near the end of last year.  Just last week Philip Pettersson created a Metasploit module to take full advantage of this bug and achieve remote code execution!

I recently had the pleasure of leveraging this attack vector on a pentest so I thought I would honor the occasion with a blog post!

Understanding The Bug

Philip has already provided an excellent write-up on ExploitDB documenting this bug for attacking Palo Alto Networks PAN-OS, so I won’t recreate his efforts.  Read his advisory for a well written and very thorough explanation.

TLDR: An authentication bypass allows us to access PHP scripts which can be leveraged to create directories and/or modify entries in a recurring cron job to execute code and give us a remote shell, awesome!

Detecting Vulnerable Hosts

The advisory from Palo Alto Networks (PAN-SA-2017-0027) tells us that all versions on each branch are vulnerable prior to:

6.1.19
7.0.19
7.1.14
8.0.6
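Before touching a device at all, the version string from an inventory export or the management UI can be triaged against the four fixed releases above. The following is an added example (not part of the original post or of Palo Alto's advisory); the fixed-version table is taken from the figures quoted above, while the branch-by-branch comparison, the handling of the `-hN` hotfix suffix and the "unknown" result for branches the advisory table does not list are my assumptions.

```python
"""Triage PAN-OS version strings against the fixed releases for PAN-SA-2017-0027."""
import re
from typing import Dict, Optional, Tuple

# Fixed release per maintenance branch, as quoted in the advisory (assumption:
# a branch not listed here cannot be judged from this table alone).
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (6, 1): (6, 1, 19),
    (7, 0): (7, 0, 19),
    (7, 1): (7, 1, 14),
    (8, 0): (8, 0, 6),
}

# major.minor.patch with an optional "-hN" hotfix suffix (e.g. 8.0.5-h2).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, hotfix); hotfix is 0 when absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the build predates the fix on its branch, False if it is at or
    above the fix, None if the branch is not covered by the table."""
    major, minor, patch, _hotfix = parse_version(text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None
    # Hotfixes are ignored on purpose: 8.0.5-h2 is still an 8.0.5 build.
    return (major, minor, patch) < fixed


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> 'vulnerable' | 'fixed' | 'unknown' for an inventory of
    hostname -> version string (constructed input, not real devices)."""
    labels = {True: "vulnerable", False: "fixed", None: "unknown"}
    return {host: labels[is_vulnerable(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory.
    sample = {"fw-edge-1": "8.0.5", "fw-edge-2": "8.0.6-h1",
              "fw-dc-1": "7.1.13-h2", "fw-lab": "8.1.0"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Patch-level comparison within a branch is the whole point: 7.1.14 is fixed, but 8.0.5 is not, even though 8.0 is the newer branch.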

We can easily determine if our target is vulnerable with a simple GET request.

https://target/esp/cms_changeDeviceContext.esp?device=aaaaa:a%27";user|s."1337";

If you see the following message in the response body, the target is vulnerable and you have created an authentication cookie.

@start@Success@end@

As Philip mentions, this is not a full authentication bypass, but it does allow access to certain critical PHP libraries which would otherwise be restricted.  As a proof of concept you can navigate to

/php/utils/debug.php

and see that the once restricted page is now fully accessible.
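The same two requests that confirm the bug are also exactly what a defender should be looking for in the management interface's web logs: a `device` value on `cms_changeDeviceContext.esp` carrying quote, semicolon or pipe characters, followed by a hit on `/php/utils/debug.php`. The block below is an added example, not part of the original post or of any vendor tooling. The log lines are constructed samples in Apache combined format, and the rule names and the choice of characters that make a `device` value suspicious are my assumptions drawn from the request shown above.

```python
"""Flag access-log lines matching the PAN-OS session-variable probe described above."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Constructed sample log lines (not real traffic). Line 2 is the probe from
# the post with the quote characters percent-encoded, line 3 the follow-up
# visit to the formerly restricted debug page.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2018:10:01:02 +0000] "GET /esp/cms_changeDeviceContext.esp?device=vsys1 HTTP/1.1" 200 512
10.0.0.9 - - [12/Jan/2018:10:02:15 +0000] "GET /esp/cms_changeDeviceContext.esp?device=aaaaa:a%27%22;user|s.%221337%22; HTTP/1.1" 200 22
10.0.0.9 - - [12/Jan/2018:10:02:20 +0000] "GET /php/utils/debug.php HTTP/1.1" 200 4096
10.0.0.7 - - [12/Jan/2018:10:03:00 +0000] "GET /php/login.php HTTP/1.1" 200 2048
"""

# client - - [timestamp] "METHOD target PROTO" status size
_LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
# Characters that never belong in a legitimate device/vsys name but do appear
# in the injection string (assumption based on the request in the post).
_INJECT_CHARS = re.compile(r"""['";|]""")


def query_param(query: str, name: str) -> str:
    """Return the decoded value of one query parameter. Splitting on '&' only
    (not ';') is deliberate: the probe relies on ';' inside the value."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if unquote(key) == name:
            return unquote(value)
    return ""


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding dict for a suspicious line, or None."""
    m = _LINE_RE.match(line)
    if not m:
        return None  # unparseable line; a real pipeline would count these
    src, ts, method, target, status = m.groups()
    parts = urlsplit(target)
    finding = {"src": src, "time": ts, "method": method, "status": status}
    if parts.path == "/esp/cms_changeDeviceContext.esp":
        device = query_param(parts.query, "device")
        if _INJECT_CHARS.search(device):
            return {**finding, "rule": "pan-os-session-var-injection", "device": device}
    elif parts.path == "/php/utils/debug.php":
        return {**finding, "rule": "pan-os-restricted-php-access"}
    return None


def scan(log_text: str) -> List[Dict[str, str]]:
    """Run classify() over every line and keep the findings in log order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["src"], hit["rule"])
```

Correlating the two rules by source address within a short window (the same host fires both here) gives a much stronger signal than either on its own, since a legitimate administrator changing device context will never trip the first rule.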

Compromising The Vulnerable System

Once you have verified that your target is vulnerable, exploiting this system and gaining a remote shell is trivial thanks to Philip.  First update your copy of Metasploit, as this is a fresh exploit created just this past week!  Now load up the exploit module and enter the target's IP address and port.

I had mixed results with different payloads but found the ‘cmd/unix/reverse_bash’ payload to be pretty reliable.  Specify your attacking IP and port to listen on and fire when ready!

This was a fun attack vector for me.  I always enjoy when I get to use something other than the same old tried and true exploits to compromise an internal network.  Thanks for reading and hack responsibly!

Copyright 2018