
CVE-2024-3400 PoC — PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect

Associated Vulnerability
Title: PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect (CVE-2024-3400)
Description: A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
Description
An AI-powered tool to predict and prevent zero-day attacks on firewalls, like Palo Alto’s CVE-2024-3400. Uses Python, Wireshark, MITRE ATT&CK datasets, and Docker for real-time anomaly detection.
Readme
# Zero-Day-Vulnerability-Exploitation-Detection-Tool
# Zero-Day Vulnerability Exploitation Detection Tool

## 📑 Table of Contents
- [**Project Description**](#project-description)
- [**Objectives**](#objectives)
- [**Why This Project**](#why-this-project)
- [**Technologies and Tools**](#technologies-and-tools)
- [**Project Structure**](#project-structure)
- [**Timeline**](#timeline)
- [**Setup Instructions**](#setup-instructions)
- [**Running the Project**](#running-the-project)
- [**Testing the Tool**](#testing-the-tool)
- [**How to Contribute**](#how-to-contribute)
- [**License**](#license)
- [**Contact**](#contact)
- [**References**](#references)

---

## 🔍 **Project Description**
This repository hosts an **AI-powered tool** designed to predict and prevent **zero-day attacks** targeting firewalls, such as Palo Alto’s CVE-2024-3400. Zero-day vulnerabilities are exploited before patches are available, posing severe risks to network security.

The tool leverages **machine learning** to analyze network traffic, detect anomalous patterns, and block potential breaches in real-time. Built with **Python**, **Wireshark**, **MITRE ATT&CK datasets**, and **Docker**, it offers a robust solution for proactive cybersecurity. The project includes data collection, model training, tool integration, and testing in a sandbox environment—ideal for enthusiasts in **networking**, **AI**, and **cybersecurity**.

---

## 🎯 **Objectives**
- Research zero-day vulnerabilities in firewalls.  
- Collect and label network traffic data for training an AI model.  
- Develop a machine learning model to detect potential zero-day attacks.  
- Integrate the model into a functional tool for real-time monitoring.  
- Test the tool in a safe environment using simulated attacks.  
- Document the process and present findings.  

---

## ❓ **Why This Project**
Zero-day vulnerabilities are a critical cybersecurity threat, as traditional defenses often fail against unknown exploits. This project leverages machine learning to proactively detect attack patterns, enhancing firewall security. It builds on interests in **networking** and **CTF challenges**, offering a **practical learning experience** in AI and cybersecurity.

---

## 🛠️ **Technologies and Tools**

| **Tool/Library** | **Purpose** |
|------------------|-------------|
| **Python** | AI/ML model development using libraries like `scikit-learn`, `TensorFlow`, or `PyTorch`. |
| **Wireshark** | Captures and analyzes network traffic for training data. |
| **MITRE ATT&CK Dataset** | Simulates zero-day attack patterns. |
| **Docker** | Creates a sandbox for safe testing. |
| **Python Libraries** | Listed in `requirements.txt`:<br>• `scikit-learn`: For traditional ML algorithms.<br>• `tensorflow` or `pytorch`: For deep learning models.<br>• `pandas`, `numpy`: For data processing.<br>• `matplotlib`: For visualizing results. |

---

## 🗂️ **Project Structure**
The repository is organized as follows:
![image](https://github.com/user-attachments/assets/2058bede-22c5-4347-82e5-df65ee7f9be6)


---

## 🗓️ **Timeline**

| **Weeks** | **Phase**                 | **Tasks**                                      |
|-----------|---------------------------|------------------------------------------------|
| 1-2       | Research & Planning        | Study vulnerabilities, set up tools.           |
| 3-4       | Data Collection & Labeling | Capture traffic, label data.                   |
| 5-6       | Feature Engineering & ML   | Extract features, develop model.               |
| 7-8       | Model Training & Evaluation| Train and evaluate model.                      |
| 9-10      | Tool Integration           | Build and integrate tool.                      |
| 11-12     | Testing & Validation       | Test in Docker environments.                   |
| 13-14     | Documentation & Presentation| Finalize report, prepare demo.                |

---

## ⚙️ **Setup Instructions**

1. **Install Python:**
   - Download Python 3.6+ from [python.org](https://www.python.org/)
   - Verify:  
     ```bash
     python --version
     ```

2. **Install Wireshark:**
   - Download from [wireshark.org](https://www.wireshark.org/)
   - Follow OS-specific installation instructions.

3. **Install Docker:**
   - Download from [docker.com](https://www.docker.com/)
   - Verify:  
     ```bash
     docker --version
     ```

4. **Clone the Repository:**
   ```bash
   git clone https://github.com/yourusername/Zero-Day-Vulnerability-Exploitation-Detection-Tool.git
   cd Zero-Day-Vulnerability-Exploitation-Detection-Tool
   ```

5. **Install Python Dependencies:**
   ```bash
   pip install -r requirements.txt
   ```

6. **Set Up Data:**
   - Download the MITRE ATT&CK dataset from [MITRE ATT&CK](https://attack.mitre.org/) and place it in the `data/` directory.
   - Capture network traffic using Wireshark and save it as `data/capture.pcap`.

---

## ▶️ Running the Project

### 🛡️ Data Collection

Capture traffic with Wireshark or tshark:

```bash
tshark -i eth0 -w data/capture.pcap
```

Label traffic as benign or malicious (manual or scripted).

---

### 🧹 Data Processing

```bash
python src/data_processing.py
```

---

### 🧠 Model Training

```bash
python src/model.py
```

Saves model to `models/model.pkl`.

---

### 🚦 Run the Tool

Start real-time monitoring:

```bash
python src/tool.py
```

Analyzes live traffic using the trained model.
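The four steps above (capture, label, process, train, run) as one end-to-end example. This is an added illustration, not the project's own `src/data_processing.py`, `src/model.py` or `src/tool.py`: it stands in for them with a dependency-free baseline model so the flow can be read in one place. The `tshark` field list, the per-source features (packet count, mean and maximum frame length, distinct destination ports), the z-score baseline and the 3-sigma threshold are all assumptions, and every capture row is constructed.

```python
"""Added example (not the project's own code): a pure-Python sketch of the
capture -> label -> feature -> baseline -> score pipeline described in this
README. Rows are constructed to look like `tshark -T fields` CSV output; the
field list, per-source features and z-score model are assumptions."""
import csv
import io
import math
from collections import defaultdict

# Constructed benign baseline, shaped like the output of
# tshark -r data/capture.pcap -T fields -E header=y -E separator=, -e ...
BASELINE_CSV = """\
frame.time_epoch,ip.src,ip.dst,tcp.dstport,frame.len
1700000000.00,10.0.0.5,10.0.0.1,443,300
1700000000.10,10.0.0.5,10.0.0.1,443,400
1700000000.20,10.0.0.5,10.0.0.1,443,500
1700000000.30,10.0.0.6,10.0.0.1,443,350
1700000000.40,10.0.0.6,10.0.0.1,443,450
1700000000.50,10.0.0.6,10.0.0.1,443,550
1700000000.60,10.0.0.6,10.0.0.1,443,650
1700000000.70,10.0.0.7,10.0.0.1,443,320
1700000000.80,10.0.0.7,10.0.0.1,443,380
1700000000.90,10.0.0.7,10.0.0.1,443,440
1700000001.00,10.0.0.8,10.0.0.1,443,400
1700000001.10,10.0.0.8,10.0.0.1,443,500
1700000001.20,10.0.0.8,10.0.0.1,443,600
1700000001.30,10.0.0.8,10.0.0.1,443,700
"""

# Constructed "live" capture plus a scripted label per source IP.
LIVE_CSV = """\
frame.time_epoch,ip.src,ip.dst,tcp.dstport,frame.len
1700000100.00,10.0.0.9,10.0.0.1,443,360
1700000100.10,10.0.0.9,10.0.0.1,443,420
1700000100.20,10.0.0.9,10.0.0.1,443,480
1700000100.30,10.0.0.99,10.0.0.1,22,1200
1700000100.40,10.0.0.99,10.0.0.1,80,1300
1700000100.50,10.0.0.99,10.0.0.1,443,1400
1700000100.60,10.0.0.99,10.0.0.1,8443,1450
1700000100.70,10.0.0.99,10.0.0.1,4443,1500
1700000100.80,10.0.0.99,10.0.0.1,3389,1400
"""
LIVE_LABELS = {"10.0.0.9": "benign", "10.0.0.99": "malicious"}
THRESHOLD = 3.0  # 3-sigma cut-off: an assumption, tune it on labelled data

def parse_tshark_csv(text):
    """tshark field export -> packet dicts (constructed rows are all TCP)."""
    return [{"src": r["ip.src"], "dport": int(r["tcp.dstport"]),
             "length": int(r["frame.len"])}
            for r in csv.DictReader(io.StringIO(text))]

def extract_features(packets):
    """Aggregate packets per source IP into a small numeric feature vector."""
    per_src = defaultdict(list)
    for p in packets:
        per_src[p["src"]].append(p)
    feats = {}
    for src, pkts in per_src.items():
        lengths = [p["length"] for p in pkts]
        feats[src] = {"pkt_count": float(len(pkts)),
                      "mean_len": sum(lengths) / len(lengths),
                      "max_len": float(max(lengths)),
                      "distinct_ports": float(len({p["dport"] for p in pkts}))}
    return feats

def train_baseline(benign_vectors):
    """The 'model': per-feature mean and standard deviation of benign traffic."""
    model = {}
    for k in benign_vectors[0]:
        vals = [v[k] for v in benign_vectors]
        mean = sum(vals) / len(vals)
        std = math.sqrt(sum((x - mean) ** 2 for x in vals) / len(vals))
        model[k] = (mean, std if std > 0 else 1.0)  # constant feature: unit scale
    return model

def anomaly_score(model, vector):
    """Largest absolute z-score over all features."""
    return max(abs(vector[k] - mean) / std for k, (mean, std) in model.items())

def evaluate(model, feats, labels, threshold=THRESHOLD):
    """Score every source and count hits against the scripted labels."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for src, vec in feats.items():
        flagged = anomaly_score(model, vec) > threshold
        malicious = labels[src] == "malicious"
        counts[("tp" if malicious else "fp") if flagged
               else ("fn" if malicious else "tn")] += 1
    return counts

def run_pipeline(threshold=THRESHOLD):
    """End to end: baseline -> model -> score the live capture -> verify."""
    model = train_baseline(list(extract_features(parse_tshark_csv(BASELINE_CSV)).values()))
    live = extract_features(parse_tshark_csv(LIVE_CSV))
    scores = {src: anomaly_score(model, vec) for src, vec in live.items()}
    return scores, evaluate(model, live, LIVE_LABELS, threshold)

if __name__ == "__main__":
    print(run_pipeline())
```

The baseline is fitted on benign traffic only; the labels are used solely to verify the verdicts afterwards, which is what lets a model of this kind flag a pattern it has never seen. Swapping `train_baseline`/`anomaly_score` for a `scikit-learn` estimator from `requirements.txt` leaves the rest of the flow unchanged.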

---

## 🧪 Testing the Tool

1. Build the Docker sandbox image:

```bash
docker build -t zero-day-detector .
```

2. Run the container:

```bash
docker run -it zero-day-detector
```

Simulate attacks (e.g., using **Metasploit**) and verify detection.

---

## 🤝 How to Contribute

- Fork the repository.
- Create a branch:

```bash
git checkout -b feature/new-feature
```

- Commit changes:

```bash
git commit -m "Add new feature"
```

- Push the branch:

```bash
git push origin feature/new-feature
```

- Submit a pull request.

> Follow coding standards and include tests.

---

## 📄 License

This project is licensed under the **MIT License** – see `LICENSE`.

---

## 📬 Contact

Contact **Rohith** at **rohithreddyrry2004@gmail.com** for questions or feedback.

---

## 📚 References

- [Wireshark Documentation](https://www.wireshark.org/docs/)
- [MITRE ATT&CK Framework](https://attack.mitre.org/)
- [Python Official Site](https://www.python.org/)
- [Docker Documentation](https://docs.docker.com/)
- [scikit-learn Tutorials](https://scikit-learn.org/stable/tutorial/index.html)
- [TensorFlow Tutorials](https://www.tensorflow.org/tutorials)