Attacking Palo Alto Networks PAN-OS ‘readSessionVarsFromFile()’

A really cool CVE for attacking palo alto networks PAN-OS was published near the end of last year CVE-2017-15944.  Just last weak Philip Pettersson created a Metasploit Module to take full advantage of this bug and achieve remote code execution!

I recently had the pleasure of leveraging this attack vector on a pentest so I thought I would honor the occasion with a blog post!

Understanding The Bug

Philip has already provided an excellent write up on ExploitDB documenting this bug for attacking palo alto networks PAN-OS so I won’t recreate his efforts.  Read his advisory for a well written and very thorough explanation.

TLDR: An authentication bypass allows us to access php scripts which can be leveraged to create directories and/or modify entries in a reoccurring cron job to execute code and give us a remote shell, awesome!

Detecting Vulnerable Hosts

The advisory from Palo Alto Networks (PAN-SA-2017-0027) tells us that all versions are vulnerable prior to:

6.1.19
7.0.19
7.1.14
8.0.6

We can easily determine if our target is vulnerable with a simple GET request.

https://target/esp/cms_changeDeviceContext.esp?device=aaaaa:a%27";user|s."1337";

If you see the following message in the response body, the target is vulnerable and you have created an authentication cookie.

@start@Success@end@

As Philip mentions this is not a full authentication bypass but does allow access to certain critical PHP libraries which would otherwise be restricted.  As a proof of concept you can navigate to

/php/utils/debug.php

and see that the once restricted page is now fully accessible.

Compromising The Vulnerable System

Once you have verified that your target is vulnerable, exploiting this system and gaining a remote shell is trivial thanks to Philip.  First update your copy of metasploit as this is a fresh exploit created just this past week!  Now load up the exploit module and enter in the targets IP address and port.


I had mixed results with different payloads but found the ‘cmd/unix/reverse_bash’ payload to be pretty reliable.  Specify your attacking IP and port to listen on and fire when ready!

This was a fun attack vector for me.  I always enjoy when I get to use something other than the same old tried and true exploits to compromise an internal network.  Thanks for reading and hack responsibly!

Share this article

Facebooktwittergoogle_plusredditpinterestlinkedinmailFacebooktwittergoogle_plusredditpinterestlinkedinmail

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Share This

Recent Posts

Subscribe To Our Mailing List

Latest Course

Penetration Testing

Categories

Metasploit

Web Application Hacking


Copyright 2018

css.php

Are You Using the Top 5 Pentest Tools?

Enter your email address to download your copy of our FREE e-book and find out now!

Thank you, now go check your email!!