Attacking Palo Alto Networks PAN-OS ‘readSessionVarsFromFile()’

A really cool CVE for attacking palo alto networks PAN-OS was published near the end of last year CVE-2017-15944.  Just last weak Philip Pettersson created a Metasploit Module to take full advantage of this bug and achieve remote code execution!

I recently had the pleasure of leveraging this attack vector on a pentest so I thought I would honor the occasion with a blog post!

Understanding The Bug

Philip has already provided an excellent write up on ExploitDB documenting this bug for attacking palo alto networks PAN-OS so I won’t recreate his efforts.  Read his advisory for a well written and very thorough explanation.

TLDR: An authentication bypass allows us to access php scripts which can be leveraged to create directories and/or modify entries in a reoccurring cron job to execute code and give us a remote shell, awesome!

Detecting Vulnerable Hosts

The advisory from Palo Alto Networks (PAN-SA-2017-0027) tells us that all versions are vulnerable prior to:

6.1.19
7.0.19
7.1.14
8.0.6

We can easily determine if our target is vulnerable with a simple GET request.

https://target/esp/cms_changeDeviceContext.esp?device=aaaaa:a%27";user|s."1337";

If you see the following message in the response body, the target is vulnerable and you have created an authentication cookie.

@start@Success@end@

As Philip mentions this is not a full authentication bypass but does allow access to certain critical PHP libraries which would otherwise be restricted.  As a proof of concept you can navigate to

/php/utils/debug.php

and see that the once restricted page is now fully accessible.

Compromising The Vulnerable System

This was a fun attack vector for me.  I always enjoy when I get to use something other than the same old tried and true exploits to compromise an internal network.  Thanks for reading and hack responsibly!

Share this article