Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2020-2034 PoC — PAN-OS: OS command injection vulnerability in GlobalProtect portal

Source
https://github.com/blackhatethicalhacking/CVE-2020-2034-POC
Associated Vulnerability
Title:PAN-OS: OS command injection vulnerability in GlobalProtect portal (CVE-2020-2034)
Description:An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network based attacker to execute arbitrary OS commands with root privileges. An attacker requires some knowledge of the firewall to exploit this issue. This issue can not be exploited if GlobalProtect portal feature is not enabled. This issue impacts PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; all versions of PAN-OS 8.0 and PAN-OS 7.1. Prisma Access services are not impacted by this vulnerability.
Description
Determine the Version Running on the Palo Alto Network Firewall for the Global Protect Portal
Readme
# CVE-2020-2034-POC
Determine the Version Running on the Palo Alto Network Firewall for the Global Protect Portal

Recently a lot of critical vulnerabilities were announced by Palo Alto Networks here:
https://security.paloaltonetworks.com/?severity=CRITICAL&product=PAN-OS&sort=-date

This is a PoC to determine the version used by the firewall, by examining the etag from a curl scan on their favicon, and login.esp

Reference:

CWE-78 Impact:
https://cwe.mitre.org/data/definitions/78

By the Register:
https://www.theregister.com/2020/07/09/palo_alto_fix/

 By Vulmon
https://vulmon.com/searchpage?q=paloaltonetworks

![alt text](https://avatars1.githubusercontent.com/u/39441336?s=280&v=4)

Instructions:

Make sure to have latest Python3




Demo:

curl -skI https://example.com/global-protect/login.esp

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
ETag: "5e4c6-2f3g-5b650798"

In order to determine this, we have to do some examination of the etag of some of the URLs, by doing so, we will gather the last 8 characters from the Etag, and it will be in hexadecimal, so converting it to decimal, then from epoch time, to human readable time, we will be able to decipher the version it is used, and check if it is vulnerable or not to this OS Command Injection recently released by Palo Alto Networks.

So from the demo example, we are interested in the last 8:

5b650798

Convert this from hexadecimal to decimal, then from decimal epoch time to human readable.

You will get this:
Sat Aug  4 04:55:36 EEST 2018

Then Check if its vulnerable based on the versions announced.

This will attempt to do this once you run it.


Legal disclaimer
Usage of this tool for testing targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state, and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.
File Snapshot

 [4.0K]  /data/pocs/695be35d2e8b86edf34e71b0c331f8ba9857791a
├── [1.1K]  LICENSE.md
├── [7.6K]  panos-scanner.py
├── [1.9K]  README.md
└── [3.7K]  version-table.txt

0 directories, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →