Create CVE-2024-3400.yaml #9594
Conversation
|
I don't really know how to classify this, based on my real world experience this should show who is not patched to CVE-2024-3400 when there are mitigating factors to the interact-sh routine. "In the wild" i have seen sites that take 5 mins or longer to call back after the payload is made, which passed the other script and may lead to false negatives. |
|
@ehsandeep it looks good, I did some spot checks and seems to work well. |
ehsandeep
changed the title
You are right, there will be a delay of almost five minutes, causing the original script to not be able to detect it correctly. |
|
Looks great, thanks for your contribution @S4lt5 - we appreciate it! |
|
This newer poc is possibly not CVE-2024-3400, but a currently unassigned vuln in either golang's gorilla/sessions package/PA's own code elsewhere: |
You're right, but it can indeed be used to detect CVE-2024-3400 |
This is true, it's not exactly the RCE, but is more of a "You are not patched for 2024-3400" which is why I was not sure how to classify this. |
|
Confirmed this as working |
|
Thanks, got response after modification. |
Template / PR Information
https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
Template Validation
I've validated this template locally?
Additional Details (leave it blank if not applicable)
Having run this on a lot of real world devices, I got a lot of negatives/passes on globalprotects based on:
The amount of hits I got via the file write, versus the existing template were greater than 10:1.
If you are looking for unpatched globalprotects, this should do the trick and be more reliable. Some of the positive hits you will get from this may be fully vulnerable to RCE as well, but it just takes some time, etc.
I'm not sure how to name this template, but I have validated it across a fairly wide set of devices.
Additional References: