Reading the awesome WatchTowr writeup of CVE-2024-0012 and CVE-2024-9474, the Palo ...

Taggart :donor: /

npub18wj…q6gg

2024-11-19 16:13:30

Reading the awesome WatchTowr writeup of CVE-2024-0012 and CVE-2024-9474, the Palo Alto RCE/privesc one-two punch. Great work here as always. And h/t to nprofile1qy2hwumn8ghj7un9d3shjtnddaehgu3wwp6kyqpq57zmf2m5d8ak5l7538naytp8tavkx6uc58x8wqnchjfxj83dhkaq9gmr3e (nprofile…mr3e) , of course.

https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/

A few things stand out:

First, sorry nprofile1qy2hwumn8ghj7un9d3shjtnddaehgu3wwp6kyqpqfykvyqwqav5328tmuhtqp49urfrzvgzf99d3x56mta4p9yxj4l7s3ns6wl (nprofile…s6wl), no #directorytraversalmemes for you:

We simply… supply the off value to the X-PAN-AUTHCHECK HTTP request header, and the server helpfully turns off authentication?! At this point, why is anyone surprised?

That’s right folks, a simple reproducer for CVE-2024-0012. It couldn't be easier than that.

That's the auth bypass. And then, WHAT IS THIS DOING IN ANYTHING

return $p->pexecute("/usr/local/bin/pan_elog -u audit -m $msg -o $username");

So obviously if that $username has shell metacharacters, you have yourself a nice command injection.

And guess what user the service runs as?

Author Public Key

npub18wjp9tztznztxlxka5ttn5nz448la7c9ckmvdvlptcupgud3ygdqj6q6gg

Seen on

wss://relay.mostr.pub wss://relay.nostr.band

Show more details

Published at

2024-11-19 16:13:30

Kind type

1 Short Text Note

Event JSON

{ "id": "4d5bd394783a96f51a03da966d09eab9dbc7fe351d889d4f6d8ca4a533b70b68", "pubkey": "3ba412ac4b14c4b37cd6ed16b9d262ad4ffefb05c5b6c6b3e15e381471b1221a", "created_at": 1732032810, "kind": 1, "tags": [ [ "p", "a785b4ab7469fb6a7fd489e7d22c275f59636b98a1cc770278bc92691e2dbdba", "wss://relay.mostr.pub" ], [ "p", "492cc201c0eb29151d7be5d600d4bc1a46262049295b13535b5f6a1290d2affd", "wss://relay.mostr.pub" ], [ "p", "c65691145402e71ffc943862badf66302e47b37f5285441c6ccc592cc114408d", "wss://relay.mostr.pub" ], [ "p", "14609e2d429cc6b47de05d41a9840716e4d2e0bec59e8bbf79ad79dd7c5def64", "wss://relay.mostr.pub" ], [ "t", "directorytraversalmemes" ], [ "proxy", "https://infosec.exchange/users/mttaggart/statuses/113510502265843551", "activitypub" ] ], "content": "Reading the awesome WatchTowr writeup of CVE-2024-0012 and CVE-2024-9474, the Palo Alto RCE/privesc one-two punch. Great work here as always. And h/t to nostr:nprofile1qy2hwumn8ghj7un9d3shjtnddaehgu3wwp6kyqpq57zmf2m5d8ak5l7538naytp8tavkx6uc58x8wqnchjfxj83dhkaq9gmr3e , of course.\n\nhttps://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/\n\nA few things stand out:\n\nFirst, sorry nostr:nprofile1qy2hwumn8ghj7un9d3shjtnddaehgu3wwp6kyqpqfykvyqwqav5328tmuhtqp49urfrzvgzf99d3x56mta4p9yxj4l7s3ns6wl, no #directorytraversalmemes for you:\n\nWe simply… supply the off value to the X-PAN-AUTHCHECK HTTP request header, and the server helpfully turns off authentication?! At this point, why is anyone surprised?\n\nThat’s right folks, a simple reproducer for CVE-2024-0012. It couldn't be easier than that. \n\nThat's the auth bypass. And then, WHAT IS THIS DOING IN ANYTHING\n\nreturn $p-\u003epexecute(\"/usr/local/bin/pan_elog -u audit -m $msg -o $username\");\n\n\nSo obviously if that $username has shell metacharacters, you have yourself a nice command injection.\n\nAnd guess what user the service runs as?", "sig": "5223e44bfcbc7ad49cda71eeda3aa548b09236825fc8a18e948050c1e884e0aa4562cbdb8d0aca53a3cd536de477982104d3aa087dd0ce8c3d0379e14f5aabe4" }