Root Privileges for Dummies: Just Exploit CVE-2024-3400

CVE-2024-3400 (+ url + github ‎url#1, url#2) is‏ ‎a ‎critical ‎command ‎injection ‎vulnerability‏ ‎in ‎Palo‏ ‎Alto‏ ‎Networks' ‎PAN-OS ‎software,‏ ‎specifically ‎affecting‏ ‎the ‎GlobalProtect ‎feature. ‎This‏ ‎vulnerability‏ ‎allows ‎an‏ ‎unauthenticated, ‎remote‏ ‎attacker ‎to ‎execute ‎arbitrary ‎code‏ ‎with‏ ‎root ‎privileges‏ ‎on ‎the‏ ‎affected ‎firewall. ‎The ‎vulnerability ‎impacts‏ ‎PAN-OS‏ ‎versions‏ ‎10.2, ‎11.0,‏ ‎and ‎11.1‏ ‎when ‎configured‏ ‎with‏ ‎GlobalProtect ‎gateway‏ ‎or ‎GlobalProtect ‎portal.

Initial ‎Discovery ‎and‏ ‎Exploitation:

📌The ‎vulnerability‏ ‎was‏ ‎first ‎identified ‎by‏ ‎Volexity, ‎who‏ ‎observed ‎zero-day ‎exploitation ‎attempts‏ ‎on‏ ‎March ‎26,‏ ‎2024.

📌Attackers, ‎identified‏ ‎as ‎the ‎state-backed ‎group ‎UTA0218,‏ ‎exploited‏ ‎the ‎vulnerability‏ ‎to ‎gain‏ ‎unauthorized ‎access ‎to ‎firewall ‎devices.

Attack‏ ‎Vector:

📌The‏ ‎vulnerability‏ ‎is ‎exploited‏ ‎via ‎a‏ ‎command ‎injection‏ ‎flaw‏ ‎in ‎the‏ ‎GlobalProtect ‎feature. ‎Attackers ‎can ‎manipulate‏ ‎the ‎SESSID‏ ‎cookie‏ ‎to ‎create ‎arbitrary‏ ‎files ‎on‏ ‎the ‎system, ‎which ‎can‏ ‎then‏ ‎be ‎used‏ ‎to ‎execute‏ ‎commands ‎with ‎root ‎privileges.

📌The ‎attack‏ ‎does‏ ‎not ‎require‏ ‎authentication, ‎making‏ ‎it ‎highly ‎dangerous ‎and ‎easily‏ ‎exploitable.

Exploitation‏ ‎Flow:

Step‏ ‎1: ‎Reconnaissance:

📌Attackers‏ ‎scan ‎for‏ ‎vulnerable ‎PAN-OS‏ ‎devices‏ ‎configured ‎with‏ ‎GlobalProtect ‎gateway ‎or ‎portal.

📌They ‎use‏ ‎simple ‎commands‏ ‎to‏ ‎place ‎zero-byte ‎files‏ ‎on ‎the‏ ‎system ‎to ‎validate ‎the‏ ‎vulnerability.

Step‏ ‎2: ‎Initial‏ ‎Exploitation:

📌Attackers ‎send‏ ‎specially ‎crafted ‎network ‎requests ‎to‏ ‎the‏ ‎vulnerable ‎device,‏ ‎manipulating ‎the‏ ‎SESSID ‎cookie ‎to ‎create ‎a‏ ‎file‏ ‎in‏ ‎a ‎specific‏ ‎directory.

📌Example: ‎Cookie:‏ ‎SESSID=/./././var/appweb/sslvpndocs/global-protect/portal/images/poc.txt.

Step ‎3:‏ ‎Command‏ ‎Execution:

📌The ‎created‏ ‎file ‎is ‎used ‎to ‎inject‏ ‎and ‎execute‏ ‎arbitrary‏ ‎commands ‎with ‎root‏ ‎privileges.

📌Attackers ‎establish‏ ‎a ‎reverse ‎shell ‎and‏ ‎install‏ ‎additional ‎tools,‏ ‎such ‎as‏ ‎a ‎custom ‎Python ‎backdoor ‎named‏ ‎UPSTYLE,‏ ‎to ‎maintain‏ ‎persistent ‎access.

Step‏ ‎4: ‎Post-Exploitation:

📌Attackers ‎exfiltrate ‎sensitive ‎data,‏ ‎including‏ ‎the‏ ‎firewall’s ‎running‏ ‎configuration ‎and‏ ‎credentials.

📌They ‎may‏ ‎also‏ ‎use ‎the‏ ‎compromised ‎device ‎to ‎move ‎laterally‏ ‎within ‎the‏ ‎network,‏ ‎targeting ‎other ‎systems.

Observed‏ ‎Malicious ‎Activity:

📌An‏ ‎uptick ‎in ‎malicious ‎activity‏ ‎was‏ ‎observed ‎soon‏ ‎after ‎the‏ ‎public ‎disclosure ‎of ‎the ‎vulnerability‏ ‎and‏ ‎the ‎release‏ ‎of ‎an‏ ‎exploit ‎script ‎on ‎GitHub.

📌Attackers ‎used‏ ‎the‏ ‎UPSTYLE‏ ‎backdoor ‎to‏ ‎interact ‎with‏ ‎the ‎compromised‏ ‎device‏ ‎indirectly, ‎sending‏ ‎commands ‎via ‎error ‎logs ‎and‏ ‎receiving ‎output‏ ‎through‏ ‎a ‎publicly ‎accessible‏ ‎stylesheet.