Vulnerabilities > CVE-2016-9149 - Data Processing Errors vulnerability in Paloaltonetworks Pan-Os

047910
CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
NONE
Integrity impact
HIGH
Availability impact
NONE
network
low complexity
paloaltonetworks
CWE-19
nessus
NVD
Published: 2016-11-19
Updated: 2020-02-17

Summary

The Addresses Object parser in Palo Alto Networks PAN-OS before 5.0.20, 5.1.x before 5.1.13, 6.0.x before 6.0.15, 6.1.x before 6.1.15, 7.0.x before 7.0.11, and 7.1.x before 7.1.6 mishandles single quote characters, which allows remote authenticated users to conduct XPath injection attacks via a crafted string.

Vulnerable Configurations

Part Description Count
OS
Paloaltonetworks
87

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • XML Nested Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By nesting XML data and causing this data to be continuously self-referential, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization. An attacker's goal is to leverage parser failure to his or her advantage. In most cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it may be possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.230.1].
  • XML Oversized Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the XML parser, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An attacker's goal is to leverage parser failure to his or her advantage. In many cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it is possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.231.1].
  • XML Client-Side Attack
    Client applications such as web browsers that process HTML data often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.484.1]
  • XML Parser Attack
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.99.1]

Nessus

NASL familyPalo Alto Local Security Checks
NASL idPALO_ALTO_PAN-SA-2016-0035.NASL
descriptionThe version of Palo Alto Networks PAN-OS running on the remote host is 5.0.x prior to 5.0.20, 5.1.x prior to 5.1.13, 6.0.x prior to 6.0.15, 6.1.x prior to 6.1.15, 7.0.x prior to 7.0.11, or 7.1.x prior to 7.1.6. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists in the Address Object Parsing functionality due to a failure to properly escape single quote characters. An unauthenticated, remote attacker can exploit this to inject XPath content, resulting in the disclosure of sensitive information. (CVE-2016-9149) - An off-by-one buffer overflow condition exists in the management web interface within the mprItoa() function. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-9150) - An elevation of privilege vulnerability exists in /usr/local/bin/root_trace due to improper validation of the PYTHONPATH environment variable. A local attacker who has shell access can exploit this vulnerability, by manipulating environment variables, to execute code with root privileges. Note that this vulnerability exists because of an incomplete fix for CVE-2016-1712. (CVE-2016-9151) - A cross-site scripting (XSS) vulnerability exists in the Captive Portal due to improper validation of input before returning it to users. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user
last seen2020-06-01
modified2020-06-02
plugin id95478
published2016-12-02
reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/95478
titlePalo Alto Networks PAN-OS 5.0.x < 5.0.20 / 5.1.x < 5.1.13 / 6.0.x < 6.0.15 / 6.1.x < 6.1.15 / 7.0.x < 7.0.11 / 7.1.x < 7.1.6 Multiple Vulnerabilities (PAN-SA-2016-0033 / PAN-SA-2016-0034 / PAN-SA-2016-0035 / PAN-SA-2016-0037)
code
#
# (C) Tenable Network Security, Inc.
#

if (!defined_func("nasl_level") || nasl_level() < 6000) exit(0, "Nessus older than 6.0.x");

include("compat.inc");

if (description)
{
  script_id(95478);
  script_version("1.7");
  script_cvs_date("Date: 2019/01/02 11:18:37");

  script_cve_id(
    "CVE-2016-9149",
    "CVE-2016-9150",
    "CVE-2016-9151"
  );
  script_bugtraq_id(
    94199,
    94399,
    94400,
    94401
  );

  script_name(english:"Palo Alto Networks PAN-OS 5.0.x < 5.0.20 / 5.1.x < 5.1.13 / 6.0.x < 6.0.15 / 6.1.x < 6.1.15 / 7.0.x < 7.0.11 / 7.1.x < 7.1.6 Multiple Vulnerabilities (PAN-SA-2016-0033 / PAN-SA-2016-0034 / PAN-SA-2016-0035 / PAN-SA-2016-0037)");
  script_summary(english:"Checks the PAN-OS version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description",value:
"The version of Palo Alto Networks PAN-OS running on the remote host is
5.0.x prior to 5.0.20, 5.1.x prior to 5.1.13, 6.0.x prior to 6.0.15,
6.1.x prior to 6.1.15, 7.0.x prior to 7.0.11, or 7.1.x prior to 7.1.6.
It is, therefore, affected by multiple vulnerabilities :

  - An information disclosure vulnerability exists in the
    Address Object Parsing functionality due to a failure to
    properly escape single quote characters. An
    unauthenticated, remote attacker can exploit this to
    inject XPath content, resulting in the disclosure of
    sensitive information. (CVE-2016-9149)

  - An off-by-one buffer overflow condition exists in the
    management web interface within the mprItoa() function.
    An unauthenticated, remote attacker can exploit this,
    via a specially crafted request, to cause a denial of
    service condition or the execution of arbitrary code.
    (CVE-2016-9150)

  - An elevation of privilege vulnerability exists in
    /usr/local/bin/root_trace due to improper validation of
    the PYTHONPATH environment variable. A local attacker
    who has shell access can exploit this vulnerability, by
    manipulating environment variables, to execute code with
    root privileges. Note that this vulnerability exists
    because of an incomplete fix for CVE-2016-1712.
    (CVE-2016-9151)

  - A cross-site scripting (XSS) vulnerability exists in the
    Captive Portal due to improper validation of input
    before returning it to users. An unauthenticated, remote
    attacker can exploit this, via a specially crafted
    request, to execute arbitrary script code in a user's
    browser session.");
  script_set_attribute(attribute:"see_also", value:"https://securityadvisories.paloaltonetworks.com/Home/Detail/66");
  script_set_attribute(attribute:"see_also", value:"https://securityadvisories.paloaltonetworks.com/Home/Detail/67");
  script_set_attribute(attribute:"see_also", value:"https://securityadvisories.paloaltonetworks.com/Home/Detail/68");
  script_set_attribute(attribute:"see_also", value:"https://securityadvisories.paloaltonetworks.com/Home/Detail/70");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Palo Alto Networks PAN-OS version 5.0.20 / 5.1.13 /
6.0.15 / 6.1.15 / 7.0.11 / 7.1.6 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/31");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/11/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/02");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:paloaltonetworks:pan-os");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Palo Alto Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("palo_alto_version.nbin");
  script_require_keys("Host/Palo_Alto/Firewall/Version", "Host/Palo_Alto/Firewall/Full_Version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

app_name = "Palo Alto Networks PAN-OS";
version = get_kb_item_or_exit("Host/Palo_Alto/Firewall/Version");
full_version = get_kb_item_or_exit("Host/Palo_Alto/Firewall/Full_Version");
fix = NULL;

# Ensure sufficient granularity.
if (version !~ "^\d+\.\d+\.\d+") audit(AUDIT_VER_NOT_GRANULAR, app_name, full_version);

switch[=~] (version)
{
  case "^5\.0\.([0-9]|1[0-9])($|[^0-9])":
    fix = "5.0.20";
    break;
  case "^5\.1\.([0-9]|1[0-2])($|[^0-9])":
    fix = "5.1.13";
    break;
  case "^6\.0\.([0-9]|1[0-4])($|[^0-9])":
    fix = "6.0.15";
    break;
  case "^6\.1\.([0-9]|1[0-4])($|[^0-9])":
    fix = "6.1.15";
    break;
  case "^7\.0\.([0-9]|10)($|[^0-9])":
    fix = "7.0.11";
    break;
  case "^7\.1\.[0-5]($|[^0-9])":
    fix = "7.1.6";
    break;
  default:
    audit(AUDIT_INST_VER_NOT_VULN, app_name, full_version);
}

report =
  '\n  Installed version : ' + full_version +
  '\n  Fixed version     : ' + fix +
  '\n';
security_report_v4(severity:SECURITY_HOLE, extra:report, port:0, xss:TRUE);

References