Root Privileges for Dummies: Just Exploit CVE-2024-3400
CVE-2024-3400 (+ url + github url#1, url#2) is a critical (CVSSv4 10.0) command injection vulnerability in Palo Alto Networks' PAN-OS software, specifically in the GlobalProtect feature. It allows an unauthenticated, remote attacker to execute arbitrary code with root privileges on the affected firewall. The vulnerability affects PAN-OS 10.2, 11.0, and 11.1 when the device is configured as a GlobalProtect gateway or GlobalProtect portal. Palo Alto Networks initially stated that device telemetry also had to be enabled for exploitation to succeed, but later withdrew that condition: telemetry being disabled is not a mitigation.
Initial Discovery and Exploitation:
📌The vulnerability was first identified by Volexity, which detected in-the-wild exploitation in April 2024 and traced the earliest zero-day exploitation attempts back to March 26, 2024.
📌The attackers, tracked by Volexity as UTA0218 and assessed as likely state-backed, exploited the vulnerability to gain unauthorized access to firewall devices.
Attack Vector:
📌The bug chain starts in the GlobalProtect web service: the value of the SESSID cookie is used, without sanitization, to build a file path, so a cookie value containing path traversal creates an empty file at an attacker-chosen location with an attacker-chosen name. A second flaw in the device telemetry service then passes that filename into a shell command, which is where the command injection occurs and why the resulting commands run as root.
📌No authentication is required, and the request is a single HTTP exchange, which makes the vulnerability both highly dangerous and easy to exploit.
Exploitation Flow:
Step 1: Reconnaissance:
📌Attackers scan for vulnerable PAN-OS devices configured with GlobalProtect gateway or portal.
📌They use simple requests to place zero-byte files on the system and confirm that the device is vulnerable before deploying a real payload.
Step 2: Initial Exploitation:
📌Attackers send specially crafted requests to the vulnerable device, setting the SESSID cookie to a path-traversal value so that an empty file is created in a directory of their choosing.
📌Example: Cookie: SESSID=/./././var/appweb/sslvpndocs/global-protect/portal/images/poc.txt. Because that directory is served by the portal, a subsequent GET for /global-protect/portal/images/poc.txt returning 403 instead of 404 confirms that the file was written.
Step 3: Command Execution:
📌The filename itself is the payload: when the telemetry service interpolates it into a shell command, the embedded command executes with root privileges.
📌Attackers establish a reverse shell and install additional tools, such as a custom Python backdoor named UPSTYLE, to maintain persistent access.
Step 4: Post-Exploitation:
📌Attackers exfiltrate sensitive data, including the firewall’s running configuration and credentials.
📌They may also use the compromised device to move laterally within the network, targeting other systems.
Observed Malicious Activity:
📌An uptick in malicious activity was observed soon after the public disclosure of the vulnerability and the release of an exploit script on GitHub.
📌Attackers used the UPSTYLE backdoor to interact with the compromised device indirectly: commands were embedded in requests for non-existent URLs so that they landed in the web server's error log, and the backdoor wrote command output into a publicly accessible stylesheet under the portal, removing it shortly afterwards to limit forensic traces.
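The two artifacts described above (the traversal-laden SESSID cookie from the exploitation flow, and the error-log tasking channel used by UPSTYLE) are what a defender would hunt for in logs pulled off a GlobalProtect device. The following is an added example, not code from the original page, from Volexity, or from Palo Alto Networks. The log lines are constructed in a generic access-log and error-log shape, not the real PAN-OS log formats; the endpoint names, IP addresses and payloads are invented for the example; and the img[<base64>] marker used for UPSTYLE tasking follows Volexity's published description of the backdoor but should be treated as an assumption and tuned against your own samples.

```python
"""Hunt for CVE-2024-3400 artifacts in GlobalProtect web logs.

Two detectors:
  1. SESSID cookie values that carry path separators, traversal or shell
     metacharacters (the zero-byte file write that starts the exploit chain).
  2. UPSTYLE tasking: base64 commands wrapped in img[...] inside requests
     for non-existent files, which end up in the web server error log.
Added example; not Volexity's or Palo Alto Networks' tooling.
"""
import base64
import re
from urllib.parse import unquote

# Constructed sample lines in a generic access-log shape (NOT the real
# PAN-OS sslvpn_ngx_access.log format). Last field is the Cookie header.
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [12/Apr/2024:10:01:02 +0000] "GET /global-protect/login.esp HTTP/1.1" 200 '
    '"SESSID=4f6a1c9e2b7d8a3e5c1f0b9a7d6e5c4b"',
    '198.51.100.7 - - [12/Apr/2024:10:02:15 +0000] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 '
    '"SESSID=/./././var/appweb/sslvpndocs/global-protect/portal/images/poc.txt"',
    '198.51.100.7 - - [12/Apr/2024:10:02:40 +0000] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 '
    '"SESSID=%2F..%2F..%2F..%2Fopt%2Fpanlogs%2Ftmp%2Fdevice_telemetry%2Fminute%2F%60id%60"',
    '203.0.113.44 - - [12/Apr/2024:10:03:01 +0000] "GET /global-protect/portal/css/bootstrap.min.css HTTP/1.1" 200 '
    '"SESSID=0a1b2c3d4e5f60718293a4b5c6d7e8f9"',
]

# Constructed sample lines in a generic nginx-style error-log shape.
SAMPLE_ERROR_LOG = [
    '2024/04/12 10:05:09 [error] 1234#0: *77 open() "/var/appweb/sslvpndocs/global-protect/portal/css/'
    'img[aWQ7dW5hbWUgLWE=]" failed (2: No such file or directory), client: 198.51.100.7',
    '2024/04/12 10:05:30 [error] 1234#0: *78 open() "/var/appweb/sslvpndocs/global-protect/portal/images/'
    'missing.png" failed (2: No such file or directory), client: 203.0.113.44',
]

COOKIE_RE = re.compile(r'SESSID=([^;"\s]*)')
# A legitimate session id is an opaque token; any of these means the value is
# being used as a path, and possibly as a shell payload for the telemetry stage.
PATH_OR_SHELL_RE = re.compile(r'(\.\./|/\./|^/|\\|`|\$\(|\$\{|[;|&])')
# UPSTYLE tasking marker as publicly described (assumption: tune to your samples).
UPSTYLE_TASK_RE = re.compile(r'img\[([A-Za-z0-9+/=]+)\]')
CLIENT_RE = re.compile(r'client: (\S+)')


def flag_sessid(line):
    """Return the URL-decoded SESSID value if it looks like a path/shell payload."""
    m = COOKIE_RE.search(line)
    if not m:
        return None
    decoded = unquote(m.group(1))  # attackers percent-encode to dodge naive greps
    return decoded if PATH_OR_SHELL_RE.search(decoded) else None


def scan_access_log(lines):
    """(line number, client IP, decoded SESSID) for every suspicious cookie."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        value = flag_sessid(line)
        if value is not None:
            hits.append((lineno, line.split(" ", 1)[0], value))
    return hits


def extract_upstyle_task(line):
    """Decode an img[<base64>] task from an error-log line, or None."""
    m = UPSTYLE_TASK_RE.search(line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def scan_error_log(lines):
    """(line number, client IP, decoded command) for every UPSTYLE task."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        cmd = extract_upstyle_task(line)
        if cmd is not None:
            client = CLIENT_RE.search(line)
            hits.append((lineno, client.group(1) if client else "?", cmd))
    return hits


def correlate(access_lines, error_lines):
    """Client IPs seen both writing files via SESSID and tasking the backdoor."""
    writers = {ip for _, ip, _ in scan_access_log(access_lines)}
    taskers = {ip for _, ip, _ in scan_error_log(error_lines)}
    return writers & taskers


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print("SESSID traversal:", hit)
    for hit in scan_error_log(SAMPLE_ERROR_LOG):
        print("UPSTYLE task:", hit)
    print("correlated sources:", correlate(SAMPLE_ACCESS_LOG, SAMPLE_ERROR_LOG))
```

The cookie detector decodes percent-encoding before matching, because a traversal such as %2F..%2F is invisible to a grep for a literal "/" and was used in the wild. The error-log detector only decodes well-formed base64 (validate=True), so ordinary 404s for oddly named images do not produce false tasks; correlating the two sets of client IPs gives the analyst the source that both planted the file and later drove the backdoor.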