## https://sploitus.com/exploit?id=DF4C1F51-6815-5BB6-92DD-E4CC48FCB767
# Palo Alto PAN-OS CVE-2024-0012 Vulnerability Checker

This Python script checks for the presence of a critical authentication bypass vulnerability in Palo Alto Networks PAN-OS Management Web Interface, identified as **CVE-2024-0012**. The vulnerability enables an unauthenticated attacker to gain administrative privileges, tamper with configuration, or exploit other privilege escalation vulnerabilities.

## Features
- **Automated Vulnerability Check**: Sends HTTP GET requests to the target and evaluates conditions based on response status, headers, and content markers specific to Palo Alto PAN-OS.
- **Improved Marker-Based Validation**:
  - Uses contextual Palo Alto-specific markers like `Zero Touch Provisioning` and `window.Pan` for accurate detection.
  - Reduces false positives by validating content alongside headers and status codes.
- **Interactive or Command-Line Arguments**:
  - Specify a single target with `-t` or a file of targets with `-f`.
  - If no arguments are provided, the script switches to interactive mode, prompting the user for input.
- **Summary and Detailed Output**:
  - Summarizes results for all targets.
  - Optionally displays detailed results for vulnerable targets with the `-d` argument or via user prompt in interactive mode.
- **Optional Explanation**: Use `-e` or `--explanation` to print a detailed, user-friendly description of CVE-2024-0012 and CVE-2024-9474.
- **Prettified Output**: Uses the `rich` library to display results in a clean, human-readable format.
- **Error Handling**: Gracefully handles network errors, invalid responses, and SSL verification issues.
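
The marker-based validation described above can be illustrated offline. The following is an added example, not code from this repository: it evaluates already-captured responses and reports a finding only when the status code, a header condition and both markers agree. The function names, the `Content-Type` condition and the sample responses are assumptions constructed for illustration.

```python
# Added example: offline evaluation of captured HTTP responses.
# The two markers come from this README; the Content-Type condition is an assumption.
from dataclasses import dataclass, field

MARKERS = ("Zero Touch Provisioning", "window.Pan")

@dataclass
class Verdict:
    vulnerable: bool
    reason: str
    markers_found: list = field(default_factory=list)

def evaluate_response(status, headers, body):
    """Flag a response only when status, header and every marker agree."""
    if status != 200:
        return Verdict(False, f"status {status}: request was not served")
    # HTTP header names are case-insensitive, so normalise before the lookup.
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if "text/html" not in ctype.lower():
        return Verdict(False, f"unexpected Content-Type {ctype!r}")
    found = [m for m in MARKERS if m in body]
    if len(found) != len(MARKERS):
        # A single marker (e.g. a page that merely mentions ZTP) is not enough.
        return Verdict(False, "No matching conditions met.", found)
    return Verdict(True, "all conditions met", found)

# Constructed sample responses (not captured from a real device).
SAMPLES = {
    "gated page served": (200, {"Content-Type": "text/html; charset=UTF-8"},
        "<html><title>Zero Touch Provisioning</title>"
        "<script>window.Pan = window.Pan || {};</script></html>"),
    "redirect to login": (302, {"Location": "/php/login.php"}, ""),
    "catch-all 200 page": (200, {"content-type": "text/html"},
        "<html><title>Zero Touch Provisioning</title>"
        "<p>vendor documentation mirror</p></html>"),
}

def classify_samples():
    """Return a Verdict for each constructed sample, keyed by sample name."""
    return {name: evaluate_response(*resp) for name, resp in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name}: {verdict}")
```

The third sample shows why a single marker is not treated as a finding: a page that returns 200 and carries the title but lacks `window.Pan` is reported as not vulnerable.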

## Requirements
- Python 3.7 or newer
- `requests` library for HTTP requests
- `rich` library for styled output

### Installation
1. Clone the repository or download the script.
2. Install required dependencies:
   ```bash
   pip install -r requirements.txt
   ```

## Usage
### Basic Usage
To check a single target interactively:
```bash
python main.py
```

### Command-Line Arguments
#### Single Target
Specify a single FQDN or IP:
```bash
python main.py -t 127.0.0.1
```

#### Multiple Targets from a File
Provide a file containing a list of targets (one per line):
```bash
python main.py -f targets.txt
```

#### Print Detailed Results
Use the `-d` or `--details` flag to automatically print detailed results for all vulnerable targets:
```bash
python main.py -t 127.0.0.1 -d
```

#### Print Explanation
Use the `-e` or `--explanation` flag to print a detailed explanation of CVE-2024-0012 and CVE-2024-9474 vulnerabilities:
```bash
python main.py -t 127.0.0.1 -d -e   # the short flags can also be combined as -de
```

### Output
#### Vulnerable Target
```plaintext
[!] Target -appears- vulnerable!

┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Key                         ┃ Value                                                    ┃
┑━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
┃ URL                         ┃ https://127.0.0.1/php/ztp_gate.php/.js.map               ┃
┃ Status Code                 ┃ 200                                                      ┃
┃ Headers                     ┃ {"Date": "Wed, 20 Nov 2024 15:29:31 GMT", ...            ┃
┃ Markers Found               ┃ ...<title>Zero Touch Provisioning</title>...             ┃
┃                             ┃ ...window.Pan = window.Pan || {};...                     ┃
└─────────────────────────────┴──────────────────────────────────────────────────────────┘
```

#### Non-Vulnerable Target
```plaintext
[+] Target does not appear to be vulnerable.
Message: No matching conditions met.
```

#### Summary Table
At the end of the scan, a summary table lists all targets and their statuses:
```plaintext
┏━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┓
┃ Target                ┃ Status          ┃
┑━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━┩
┃ 127.0.0.1             ┃ Vulnerable      ┃
┃ example.com           ┃ Not Vulnerable  ┃
└───────────────────────┴─────────────────┘
```

#### Explanation
If the `-e` or `--explanation` flag is used:
```plaintext
CVE-2024-0012 Explained

CVE-2024-0012 is an authentication bypass vulnerability. This means attackers can skip the login process and access sensitive parts of a system without needing a username or password. In Palo Alto Networks’ PAN-OS, this vulnerability allows attackers to trick the system by sending specially crafted HTTP GET requests. These requests include a header called `X-PAN-AUTHCHECK`, which tells the system whether or not authentication is required. If this header is set to `off`, the system mistakenly grants access to restricted areas without checking if the person is logged in.

This vulnerability can be exploited together with CVE-2024-9474, a privilege escalation vulnerability, to gain full root access to the device. Once attackers achieve root access, they can control the firewall, steal sensitive data, or disable security features.

If this vulnerability is confirmed, patch the affected system as soon as possible to prevent exploitation. Additionally, restrict access to the management interface by IP whitelisting or using a dedicated management network.
```

#### Errors
```plaintext
[bold red]Error:[/bold red] HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with URL: /php/ztp_gate.php/.js.map (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x...>: Failed to establish a new connection: [Errno 11001] getaddrinfo failed'))
```

## Notes
- **Interactive Prompt**: If no `--target` or `--file` argument is provided, the script prompts for interactive input.
- **SSL Warnings**: The script disables SSL warnings for self-signed certificates. Use cautiously in secure environments.
- **Improved Validation**: The script focuses on Palo Alto-specific markers to reduce false positives and ensure accurate results.
- **Optional Explanation**: The `-e` flag provides an educational overview of the vulnerabilities for users who need more context.
- **Limitations**: This tool is designed for educational and authorized security assessments only. Unauthorized use against systems you do not own or manage may violate laws or policies.

## License
This script is released under the MIT License. See `LICENSE` file for details.

## Disclaimer
This script is provided "as-is" without warranty of any kind. Use at your own risk. The author is not responsible for any damage caused by the use of this tool.

## Acknowledgments
This script was inspired by the brilliant work of the watchTowr team, whose original Nuclei YAML template for CVE-2024-0012 served as the foundation for this Python implementation. Their dedication to identifying and addressing critical security vulnerabilities continues to set a high standard in the cybersecurity community.