Palo Alto Networks Expedition (Migration Tool) Unauthenticated Command Injection Vulnerability

A remote command injection vulnerability has been identified in Palo Alto Expedition (Migration Tool). Expedition is used to move firewall configurations from another vendor's product to Palo Alto's product, and it makes the conversion process easier to accomplish. MITRE has assigned CVE-2018-10143 to this vulnerability.

Vulnerability Analysis:

This vulnerability exists in convertCSVtoParquet.php, which accepts user-controlled input in a path parameter. A payload similar to the one shown below can be used to exploit this command injection vulnerability:

1:2:/tmp/log && COMMAND_INJECTION

Let’s replace COMMAND_INJECTION with a command of our choosing.

POST Request to /API/convertCSVtoParquet.php

The next step is to run netcat in listen mode on a random port and wait for the output of the command injected in the POST request.

/etc/passwd contents listed on netcat listener
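The payload works because the path value reaches a shell unfiltered. The following is an added example, not code from Expedition or from the original post, showing one way a handler can reject that payload shape and invoke its converter without a shell; the `<id>:<id>:<path>` field layout, the `/tmp` base directory, the function names and the `/bin/echo` stand-in for the converter are assumptions.

```php
<?php
// Added example: hypothetical handler code, not taken from Expedition.
// Assumption: the value has the form "<id>:<id>:<path>", e.g. "1:2:/tmp/log".

const ALLOWED_DIR = '/tmp';        // assumed directory the path must live in
const CONVERTER   = '/bin/echo';   // stand-in for the real conversion program

// Returns [id, id, path] when every field passes an allow-list, else null.
function parsePathParam(string $raw): ?array
{
    $fields = explode(':', $raw);
    if (count($fields) !== 3) {
        return null;
    }
    [$a, $b, $path] = $fields;
    if (!ctype_digit($a) || !ctype_digit($b)) {
        return null;
    }
    // Absolute path made only of letters, digits, '.', '_', '-' and '/'.
    // Spaces and shell metacharacters such as & ; | ` $ can never match.
    if (!preg_match('#^/[A-Za-z0-9._/-]+$#D', $path) || strpos($path, '..') !== false) {
        return null;
    }
    if (strncmp($path, ALLOWED_DIR . '/', strlen(ALLOWED_DIR) + 1) !== 0) {
        return null;
    }
    return [(int) $a, (int) $b, $path];
}

// Runs the converter without a shell: an array command (PHP 7.4+) is passed
// to the program as separate argv entries, so "&&" would be plain text.
function runConverter(string $path): string
{
    $proc = proc_open([CONVERTER, $path], [1 => ['pipe', 'w']], $pipes);
    if ($proc === false) {
        throw new RuntimeException('could not start converter');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return trim($out);
}

// Constructed inputs: a well-formed value and the payload shape shown above.
foreach (['1:2:/tmp/log', '1:2:/tmp/log && COMMAND_INJECTION'] as $value) {
    $parsed = parsePathParam($value);
    echo $value, ' => ', $parsed === null ? 'rejected' : runConverter($parsed[2]), PHP_EOL;
}
```

The allow-list and the shell-free invocation are independent controls: either one alone stops the `&&` from being interpreted, and using both keeps the handler safe if one is later weakened.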

Conclusion: 

The vendor has not confirmed the vulnerability. However, customers can upgrade to the latest supported version of Expedition (Migration Tool). Customers are advised to scan their network remotely using QID#13385 to find vulnerable Expedition (Migration Tool) versions.
