An authentication bypass in Palo Alto Networks PAN-OS software (CVE-2024-0012) enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges and perform administrative actions. A privilege escalation vulnerability in Palo Alto Networks PAN-OS software (CVE-2024-9474) allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. This module chains these two vulnerabilities, CVE-2024-0012 and CVE-2024-9474, in order to deploy an agent. The exploit performs the following steps. First, it sends a request containing a header parameter for the authentication bypass (CVE-2024-0012) that injects a command within a "user" request body parameter (CVE-2024-9474) and receives an elevated PHP user session ID (PHPSESSID) in the response; the injected command is written to a local session cache file. Second, it sends a request with the elevated PHPSESSID to trigger evaluation of the injected local session cache file. Finally, it repeats the process with all the commands necessary to deploy an agent.
This module exploits CVE-2024-5910 to reset the admin password. To do this, it crafts a special request to the endpoint /OS/startup/restore/restoreAdmin.php. After obtaining the admin password, it authenticates with the admin credentials and exploits CVE-2024-9464 in order to deploy an agent. The exploitation of CVE-2024-9464 consists of crafting a special request to the endpoint /bin/CronJobs.php. An authenticated user can abuse this endpoint to insert commands into the cronjobs table of the pandb database. Once a command has been inserted into this table, the target executes it.
In PHP, when using Apache and PHP-CGI on Windows, and if the system is set up to use certain code pages, Windows may apply "Best-Fit" behavior to replace characters in the command line given to Win32 API functions. The PHP CGI module may misinterpret those characters as PHP options, which may allow remote attackers to pass options to the PHP binary being run, leading to execution of system commands in the context of the affected application. This module exploits the vulnerability by using the "cgi.force_redirect=0" parameter and attacking the "/php-cgi/php-cgi.exe" endpoint, both of which are required to exploit XAMPP on Windows. If the target is vulnerable but is not XAMPP, the ENDPOINT parameter must point to a valid PHP script.
In PHP, when using Apache and PHP-CGI on Windows, and if the system is set up to use certain code pages, Windows may apply "Best-Fit" behavior to replace characters in the command line given to Win32 API functions. The PHP CGI module may misinterpret those characters as PHP options, which may allow remote attackers to pass options to the PHP binary being run, leading to execution of system commands in the context of the affected application. This module exploits the vulnerability by using the "cgi.force_redirect=0" parameter and attacking the "/php-cgi/php-cgi.exe" endpoint, both of which are required to exploit XAMPP on Windows. If the target is vulnerable but is not XAMPP, the TARGET parameter must point to a valid PHP script.
This vulnerability allows an attacker to bypass the string comparison of the request path and access the setup wizard ("/SetupWizard.aspx") even on already-configured ScreenConnect instances. By exploiting this vulnerability and gaining access to the setup wizard, an attacker can create an administrative user and upload a malicious ScreenConnect extension to achieve remote code execution (RCE) on the ScreenConnect server. ScreenConnect versions 23.9.7 and earlier are vulnerable.