Attacking Palo Alto Networks PAN-OS ‘readSessionVarsFromFile()’
A really cool CVE for attacking Palo Alto Networks PAN-OS was published near the end of last year: CVE-2017-15944. Just last week Philip Pettersson created a Metasploit module to take full advantage of this bug and achieve remote code execution!
I recently had the pleasure of leveraging this attack vector on a pentest so I thought I would honor the occasion with a blog post!
Understanding The Bug
Philip has already provided an excellent write-up on ExploitDB documenting this bug for attacking Palo Alto Networks PAN-OS, so I won't recreate his efforts. Read his advisory for a well-written and very thorough explanation.
TLDR: An authentication bypass allows us to access PHP scripts which can be leveraged to create directories and/or modify entries in a recurring cron job to execute code and give us a remote shell. Awesome!
Detecting Vulnerable Hosts
The advisory from Palo Alto Networks (PAN-SA-2017-0027) tells us that all versions are vulnerable prior to:
- 6.1.19
- 7.0.19
- 7.1.14
- 8.0.6
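Before probing anything, a defender can triage an inventory against the four fixed releases above. The following is an added example, not code from the original post or from Palo Alto Networks: it compares a PAN-OS version string against the first fixed release of its branch. Hotfix suffixes such as `-h2` are an assumption about version formatting and are stripped before comparison; branches the advisory does not list are reported separately rather than guessed at. The hostnames and versions in the sample inventory are constructed.

```python
# Added example (not from the original post): classify PAN-OS version strings
# against the fixed releases listed in PAN-SA-2017-0027 for CVE-2017-15944.
from typing import Dict, Iterable, List, Optional, Tuple

# First fixed release per branch, exactly as the advisory lists them.
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (6, 1): (6, 1, 19),
    (7, 0): (7, 0, 19),
    (7, 1): (7, 1, 14),
    (8, 0): (8, 0, 6),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '7.1.13' or '8.0.5-h2' into a comparable (major, minor, patch) tuple.

    Dropping a hotfix suffix ('-h2') is an assumption: the advisory names base
    releases, so a hotfix of 8.0.5 is still treated as 8.0.5.
    """
    base = version.strip().split("-", 1)[0]
    parts = base.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    return (major, minor, patch)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version precedes the fix in its branch, False if it is at or
    after the fix, None if the branch is not one of the four the advisory lists
    (those need a manual check against the vendor advisory)."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get((v[0], v[1]))
    if fixed is None:
        return None
    return v < fixed


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bucket (hostname, version) pairs for patch planning."""
    report: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "unlisted_branch": []}
    for host, version in inventory:
        status = is_vulnerable(version)
        if status is None:
            report["unlisted_branch"].append(host)
        elif status:
            report["vulnerable"].append(host)
        else:
            report["fixed"].append(host)
    return report


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = [
        ("fw-edge-01", "7.1.13"),
        ("fw-edge-02", "7.1.14"),
        ("fw-dc-01", "8.0.5-h2"),
        ("fw-lab-01", "6.0.12"),
    ]
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed it the version column from your asset inventory; anything in the `vulnerable` bucket should be scheduled for upgrade, and anything in `unlisted_branch` checked by hand against the advisory.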
We can easily determine if our target is vulnerable with a simple GET request.
https://target/esp/cms_changeDeviceContext.esp?device=aaaaa:a%27";user|s."1337";
If you see the following message in the response body, the target is vulnerable and you have created an authentication cookie.
@start@Success@end@
As Philip mentions, this is not a full authentication bypass, but it does allow access to certain critical PHP libraries that would otherwise be restricted. As a proof of concept you can navigate to
/php/utils/debug.php
and see that the once restricted page is now fully accessible.
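The two requests just described, the malformed `device` parameter sent to `cms_changeDeviceContext.esp` and the follow-on visit to `/php/utils/debug.php`, are also what a defender should look for in the management interface's web logs. The following is an added example, not code from the original post or from the Metasploit module: it scans access-log lines and flags requests to `cms_changeDeviceContext.esp` whose `device` value carries quote, semicolon or pipe characters, and any request to `debug.php`. The log lines are constructed in a simplified common-log format, and the assumption that PAN-OS logs requests in that shape is mine.

```python
# Added example (not from the original post): flag CVE-2017-15944 probing in
# web access logs. Log format and sample lines are constructed for illustration.
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Constructed sample lines: first two mimic the probe described in the post
# (quotes percent-encoded as a log writer would store them), the last two are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Dec/2017:10:01:02 +0000] "GET /esp/cms_changeDeviceContext.esp?device=aaaaa:a%27%22;user|s.%221337%22; HTTP/1.1" 200 23
10.0.0.5 - - [20/Dec/2017:10:01:05 +0000] "GET /php/utils/debug.php HTTP/1.1" 200 5120
10.0.0.9 - - [20/Dec/2017:10:02:11 +0000] "GET /esp/cms_changeDeviceContext.esp?device=vsys1 HTTP/1.1" 200 23
10.0.0.7 - - [20/Dec/2017:10:03:40 +0000] "GET /php/login.php HTTP/1.1" 200 1802
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Characters that have no business in a device/vsys name but are needed to
# break out of the session-variable file the post describes.
INJECTION_CHARS = set("'\";|")


def device_param(query: str) -> str:
    """Extract and decode the device= value without relying on parse_qs,
    whose handling of ';' as a separator differs between Python versions."""
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name == "device":
            return unquote(value)
    return ""


def analyse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path = unquote(url.path)
    finding: Optional[str] = None
    if path == "/esp/cms_changeDeviceContext.esp":
        if INJECTION_CHARS & set(device_param(url.query)):
            finding = ("CVE-2017-15944: shell/PHP metacharacters in 'device' "
                       "parameter (session-variable injection attempt)")
    elif path == "/php/utils/debug.php":
        finding = "access to restricted debug.php; confirm the session was legitimately authenticated"
    if finding is None:
        return None
    return {"src": m["src"], "ts": m["ts"], "path": path,
            "status": m["status"], "finding": finding}


def scan_log(text: str) -> List[Dict[str, str]]:
    """Run analyse_line over every line and collect the findings in order."""
    return [f for f in (analyse_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['path']} [{f['status']}] -> {f['finding']}")
```

A `200` on `debug.php` from the same source address seconds after a flagged `cms_changeDeviceContext.esp` request is the pairing that matters; benign management traffic to `cms_changeDeviceContext.esp` carries a plain device name and is not flagged.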
Compromising The Vulnerable System
Once you have verified that your target is vulnerable, exploiting this system and gaining a remote shell is trivial thanks to Philip. First, update your copy of Metasploit, as this is a fresh exploit created just this past week. Now load the exploit module and enter the target's IP address and port.
I had mixed results with different payloads but found the 'cmd/unix/reverse_bash' payload to be pretty reliable. Specify your attacking IP and the port to listen on, and fire when ready!
This was a fun attack vector for me. I always enjoy when I get to use something other than the same old tried and true exploits to compromise an internal network. Thanks for reading and hack responsibly!