A really cool CVE for attacking Palo Alto Networks PAN-OS, CVE-2017-15944, was published near the end of last year. Just last week Philip Pettersson created a Metasploit module to take full advantage of this bug and achieve remote code execution!



I recently had the pleasure of leveraging this attack vector on a pentest so I thought I would honor the occasion with a blog post!

Understanding The Bug

Philip has already provided an excellent write-up on ExploitDB documenting this bug for attacking Palo Alto Networks PAN-OS, so I won't recreate his efforts. Read his advisory for a well written and very thorough explanation.

TLDR: An authentication bypass allows us to access PHP scripts which can be leveraged to create directories and/or modify entries in a recurring cron job to execute code and give us a remote shell. Awesome!

Detecting Vulnerable Hosts

The advisory from Palo Alto Networks (PAN-SA-2017-0027) tells us that all versions are vulnerable prior to:

6.1.19

7.0.19

7.1.14

8.0.6

We can easily determine if our target is vulnerable with a simple GET request.

https://target/esp/cms_changeDeviceContext.esp?device=aaaaa:a%27";user|s."1337";

If you see the following message in the response body, the target is vulnerable and you have created an authentication cookie.

@start@Success@end@

As Philip mentions, this is not a full authentication bypass, but it does allow access to certain critical PHP libraries which would otherwise be restricted. As a proof of concept you can navigate to

/php/utils/debug.php

and see that the once restricted page is now fully accessible.
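Two defender-side checks for the facts above, added here as an example rather than code from the original post or from Philip's work: a version comparison against the fixed releases listed in PAN-SA-2017-0027, and a scan of combined-format access-log lines for requests to cms_changeDeviceContext.esp carrying quote, semicolon or pipe characters in the device parameter. Function names are my own, the sample log lines are constructed, and the literal quotes in the probe are URL-encoded in the sample so the lines stay well-formed.

```python
import re
from urllib.parse import urlparse, unquote

# Fixed releases per branch, from PAN-SA-2017-0027 as quoted above.
FIXED = {(6, 1): (6, 1, 19), (7, 0): (7, 0, 19), (7, 1): (7, 1, 14), (8, 0): (8, 0, 6)}

def parse_version(text):
    """'8.0.5-h2' -> (8, 0, 5); hotfix suffixes are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised PAN-OS version: %r" % text)
    return tuple(int(x) for x in m.groups())

def is_vulnerable_version(text):
    """True if the version is below the fixed release for its branch."""
    v = parse_version(text)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        # Assumption: branches newer than 8.0 postdate the fix; anything older
        # than 6.1 is "prior to" every fixed release and so counts as affected.
        return v[:2] < (6, 1)
    return v < fixed

PROBE_PATH = "/esp/cms_changeDeviceContext.esp"
META = re.compile("[\"';|]")  # quote, semicolon or pipe inside device=

def is_bypass_probe(request_line):
    """True if 'METHOD target HTTP/x' hits the script with metacharacters."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False
    url = urlparse(parts[1])
    if url.path != PROBE_PATH:
        return False
    for pair in url.query.split("&"):  # manual split: ';' is part of the value
        key, _, value = pair.partition("=")
        if key == "device" and META.search(unquote(value)):
            return True
    return False

def flag_probes(log_lines):
    """Return the request lines, from combined-format log lines, that match."""
    found = (re.search(r'"([A-Z]+ \S+ HTTP/[\d.]+)"', line) for line in log_lines)
    return [m.group(1) for m in found if m and is_bypass_probe(m.group(1))]

# Constructed sample log lines (not real traffic): one probe, two benign requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2017:10:01:02 +0000] "GET /esp/cms_changeDeviceContext.esp?device=aaaaa:a%27%22;user|s.%221337%22; HTTP/1.1" 200 31 "-" "curl/7.55"',
    '10.0.0.9 - - [12/Dec/2017:10:01:07 +0000] "GET /esp/cms_changeDeviceContext.esp?device=localhost HTTP/1.1" 200 25 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Dec/2017:10:01:09 +0000] "GET /php/utils/debug.php HTTP/1.1" 200 1200 "-" "-"',
]
```

A hit on the probe followed shortly by a 200 on /php/utils/debug.php from the same source, as in the sample, is the sequence worth alerting on.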

Compromising The Vulnerable System

Once you have verified that your target is vulnerable, exploiting the system and gaining a remote shell is trivial thanks to Philip. First update your copy of Metasploit, as this is a fresh exploit created just this past week! Now load up the exploit module and enter the target's IP address and port.



I had mixed results with different payloads but found the 'cmd/unix/reverse_bash' payload to be pretty reliable. Specify your attacking IP and the port to listen on, and fire when ready!

This was a fun attack vector for me. I always enjoy when I get to use something other than the same old tried and true exploits to compromise an internal network. Thanks for reading and hack responsibly!
