A remote code execution vulnerability has been discovered in PAN-OS, the operating system that runs Palo Alto Networks firewalls. The vulnerability has been assigned CVE-2017-15944. By exploiting it, an attacker with network access to the management interface can achieve arbitrary code execution as root. The target is the web-based management interface the device provides for configuration and maintenance. The vulnerable versions are PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6. Palo Alto Networks has addressed this vulnerability in PAN-SA-2017-0027.
Code execution is achieved by chaining three separate bugs in the OS, each affecting a different part of the management interface.
Partial Authentication Bypass:
The configuration file for the web management interface, /etc/appweb3/conf/common.conf, enforces an authentication filter for almost all sub-directories. Requests are authenticated based on the session cookie. The PHP session is stored as serialized data of the form
var_name|s:string length:"string value"; var_name|s:string length:"string value"; ...
where var_name can be one of various properties such as locale, user, dloc etc. We are interested in two functions: openAuthFilter, which authenticates the cookie, and readSessionVarsFromFile, which extracts the values of the session variables.
readSessionVarsFromFile uses a custom parser instead of the PHP functions designed to read serialized data. This parser is not implemented properly and its state can be corrupted. The bug is reachable through a crafted GET request to /esp/cms_changeDeviceContext.esp, with which an attacker can introduce a value containing "; into the session file. An XML request is generated using this value and forwarded to the back-end. The extra ; causes the parser to fail, but panCheckSessionExpired() still assumes that authentication has succeeded.
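The bug class above, as an added illustration that is not PAN-OS code: a parser that honours the declared string length in name|s:len:"value"; records (as PHP's own unserializer does) is contrasted with a hypothetical delimiter-driven parser of the kind the text describes, which desynchronises on a value containing ";. The session_is_live() check layered on top models the logic flaw: with fail_open=True a parse failure is treated as "nothing expired", i.e. as authenticated. The sample session files, the variable names expires and dloc, and the parser internals are constructed for this example.

```python
import re
import time

# Added illustration; none of this is PAN-OS code. The record format
# name|s:<len>:"<value>"; is the one described in the text above.

def serialize_session(variables):
    """Write variables in the PHP session format name|s:<len>:"<value>";"""
    return "".join(f'{k}|s:{len(v)}:"{v}";' for k, v in variables.items())

_HEAD = re.compile(r's:(\d+):"')

def parse_session_strict(data):
    """Length-honouring parser (what PHP's own unserializer does): a '";'
    inside a value is just two more bytes of that value."""
    out, i = {}, 0
    while i < len(data):
        bar = data.index("|", i)
        m = _HEAD.match(data, bar + 1)
        if not m:
            raise ValueError("malformed record at offset %d" % i)
        n = int(m.group(1))
        start = m.end()
        if data[start + n:start + n + 2] != '";':
            raise ValueError("declared length does not match record")
        out[data[i:bar]] = data[start:start + n]
        i = start + n + 2
    return out

def parse_session_naive(data):
    """Hypothetical delimiter-driven parser of the kind the text describes:
    it splits records on '";' and ignores the declared length, so a value
    containing '";' desynchronises it and it raises."""
    out = {}
    for rec in data.split('";'):
        if not rec:
            continue
        if "|" not in rec:
            raise ValueError("unparsable record: %r" % rec)
        name, rest = rec.split("|", 1)
        m = re.fullmatch(r's:\d+:"(.*)', rest, re.S)
        if not m:
            raise ValueError("unparsable record: %r" % rec)
        out[name] = m.group(1)
    return out

def session_is_live(data, parser, fail_open, now=None):
    """Model of an expiry check layered on a parser. fail_open=True
    reproduces the logic flaw: a parse failure is taken to mean
    'nothing has expired', i.e. the request is treated as authenticated."""
    now = time.time() if now is None else now
    try:
        variables = parser(data)
    except ValueError:
        return fail_open
    return bool(variables.get("user")) and int(variables.get("expires", "0")) > now

# Constructed sample session files (expires is a hypothetical variable).
BENIGN = serialize_session({"user": "admin", "locale": "en", "expires": "4102444800"})
# Unauthenticated session into which an attacker has pushed a value containing '";'.
HOSTILE = serialize_session({"user": "", "dloc": 'evil";x', "expires": "0"})

if __name__ == "__main__":
    print(parse_session_strict(HOSTILE))                         # dloc kept intact
    print(session_is_live(HOSTILE, parse_session_naive, True))   # True: bypass
    print(session_is_live(HOSTILE, parse_session_naive, False))  # False: fail closed
    print(session_is_live(HOSTILE, parse_session_strict, True))  # False: correct parse
```

Two independent defects have to line up for the bypass: the parser must be fooled by a delimiter inside a value, and the caller must treat "could not parse" as "still valid". Fixing either one closes it; a length-prefixed format should be parsed by its lengths, and any authentication decision should fail closed on a parse error.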
Arbitrary Directory Creation
/php/utils/router.php handles API requests. It exposes PHP classes over HTTP POST/JSON and calls the get method defined in /php/device/Administrator.php to handle the incoming JSON requests. get fails to sanitize the jsonArgs->id parameter and appends it to an XML request which is sent to and parsed by pan_cfg_req_ctxt_construct(). A regular request looks like:
<request cmd="get" obj="/config/mgt-config/users/entry[@name='admin']" cookie="12312312312"/>
After parsing the request, the back-end creates a temporary file /opt/pancfg/session/pan/user_tmp/<cookie value>/<jobid>.xml based on the obj parameter of the request. The <cookie value> path component is user controlled. By setting a cookie value containing directory traversal sequences we can make the back-end create a directory anywhere on the filesystem.
The cron script /usr/local/bin/genindex_batch.sh runs every 15 minutes and executes /usr/local/bin/genindex.sh to index the database files in /opt/pancfg/mgmt/logdb/. There is a command injection vulnerability in the way it processes the file names: with the right file name we can get it to execute arbitrary system commands.
Summing it up
We use the directory traversal to create a directory under /opt/pancfg/mgmt/logdb/, with a name chosen so that when /usr/local/bin/genindex.sh processes it the embedded command is executed, as root, by the cron job.
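The path construction and the traversal it permits, as an added example (not PAN-OS code) covering the Arbitrary Directory Creation and Summing it up sections: the cookie value becomes a directory component under /opt/pancfg/session/pan/user_tmp, so three .. segments climb to /opt/pancfg and then descend into /opt/pancfg/mgmt/logdb. The containment check and the allow-list on the session id are our own hardening, not the vendor's fix; the placeholder directory name is constructed, because the text does not give the name genindex.sh would need to see. Only path arithmetic is performed, nothing is created on disk.

```python
import posixpath
import re
from xml.sax.saxutils import quoteattr

# Added illustration, not PAN-OS code. Paths are the ones named in the text.
SESSION_TMP = "/opt/pancfg/session/pan/user_tmp"
LOGDB = "/opt/pancfg/mgmt/logdb"

def build_request(obj, cookie, cmd="get"):
    """Back-end request in the shape shown above. quoteattr() prevents breaking
    out of the attribute, but does nothing about '../' inside the value."""
    return f"<request cmd={quoteattr(cmd)} obj={quoteattr(obj)} cookie={quoteattr(cookie)}/>"

def session_file_path(cookie, jobid):
    """Path the back-end derives from the request: the cookie value becomes a
    directory component and the path is normalised without any containment check."""
    return posixpath.normpath(f"{SESSION_TMP}/{cookie}/{jobid}.xml")

def directory_created(cookie, jobid):
    """Directory that writing the temp file would create."""
    return posixpath.dirname(session_file_path(cookie, jobid))

def is_contained(path, base):
    """Hardening check: the normalised path must stay under base."""
    norm = posixpath.normpath(path)
    base = posixpath.normpath(base)
    return norm == base or norm.startswith(base + "/")

COOKIE_RE = re.compile(r"[A-Za-z0-9]{1,64}")  # hypothetical allow-list for the session id

def safe_session_file_path(cookie, jobid):
    """Hardened variant (ours, not the vendor's fix): allow-list the cookie and
    still assert containment, so either check alone would catch traversal."""
    if not COOKIE_RE.fullmatch(cookie):
        raise ValueError("session cookie is not a single safe path component")
    path = session_file_path(cookie, jobid)
    if not is_contained(path, SESSION_TMP):
        raise ValueError("path escapes the session directory")
    return path

# Constructed cookie: three '..' climb from user_tmp to /opt/pancfg, then into logdb.
# ATTACKER_CHOSEN_NAME is a placeholder; the real name would have to trigger the
# genindex.sh command injection, which the text does not spell out.
TRAVERSAL_COOKIE = "../../../mgmt/logdb/ATTACKER_CHOSEN_NAME"

if __name__ == "__main__":
    print(build_request("/config/mgt-config/users/entry[@name='admin']", TRAVERSAL_COOKIE))
    print(directory_created(TRAVERSAL_COOKIE, "1"))   # lands under /opt/pancfg/mgmt/logdb
    print(is_contained(session_file_path(TRAVERSAL_COOKIE, "1"), SESSION_TMP))  # False
```

The containment check is the one to keep even after the allow-list is in place: it is independent of how the value reached the path, so it also covers any future code path that reuses the same directory layout.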
Please apply the latest patches as directed by PAN-SA-2017-0027. The vulnerability is fixed in PAN-OS 6.1.19, 7.0.19, 7.1.14 and 8.0.6. Scan your network using QID 38698 to detect vulnerable targets; the QID checks for a vulnerable version of PAN-OS via the XML API.
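A version check built from the affected ranges listed above, as an added example; it is not the logic of QID 38698 and carries no vendor code. It assumes the version string is taken from the sw-version element of the XML API's show system info response (the sample response below is constructed), that hotfix suffixes such as -h1 do not change the comparison, and that any branch not named in the advisory text (8.1 and later) is reported as not affected.

```python
import re
import xml.etree.ElementTree as ET

# Fixed versions named in the advisory text above; branches not listed there
# (8.1 and later) are treated as not affected by this check.
FIXED_IN = {(6, 1): (6, 1, 19), (7, 0): (7, 0, 19), (7, 1): (7, 1, 14), (8, 0): (8, 0, 6)}

def parse_version(text):
    """'7.1.13-h2' -> (7, 1, 13); hotfix suffixes are ignored for this comparison."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised PAN-OS version: %r" % text)
    return tuple(int(x) for x in m.groups())

def is_vulnerable(version):
    """True if the version falls in one of the affected ranges."""
    v = parse_version(version)
    if v < (6, 1, 19):            # "PAN-OS before 6.1.19": 6.1.x and anything older
        return True
    fixed = FIXED_IN.get(v[:2])   # 7.0.x, 7.1.x, 8.0.x each have their own fix release
    return fixed is not None and v < fixed

def sw_version_from_xml(body):
    """Pull sw-version out of a 'show system info' XML API response
    (element name assumed from that command's output)."""
    root = ET.fromstring(body)
    node = root.find(".//sw-version")
    if node is None or not node.text:
        raise ValueError("no sw-version in response")
    return node.text.strip()

# Constructed response, trimmed to the elements this check uses.
SAMPLE_RESPONSE = """<response status="success"><result><system>
<hostname>fw-edge-1</hostname><sw-version>7.1.13</sw-version>
</system></result></response>"""

if __name__ == "__main__":
    v = sw_version_from_xml(SAMPLE_RESPONSE)
    print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

Version checks like this are a triage aid, not proof: an appliance reporting a fixed version is out of scope for the CVE, but one reporting an affected version still needs the advisory's remediation applied and verified.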
Please continue to follow Qualys Threat Protection for information on various vulnerabilities.
References:
CVE-2017-15944: Palo Alto Networks firewalls remote root code execution
PAN-OS Security Advisory