URL: https://www.horizon3.ai/attack-research/palo-alto-expedition-from-n-day-to-full-compromise/

PALO ALTO EXPEDITION: FROM N-DAY TO FULL COMPROMISE

by Zach Hanley | Oct 9, 2024 | Attack Blogs, Attack Research, Disclosures

On July 10, 2024, Palo Alto released a security advisory for CVE-2024-5910, a
vulnerability which allowed attackers to remotely reset the Expedition
application's admin credentials. While we had never heard of the Expedition
application before, it is advertised as:

> The purpose of this tool is to help reduce the time and efforts of migrating a
> configuration from a supported vendor to Palo Alto Networks. By using
> Expedition, everyone can convert a configuration from Checkpoint, Cisco, or
> any other vendor to a PAN-OS and give you more time to improve the results.

Reading further into the documentation, it became clear that this application
might have more attacker value than initially expected. The Expedition
application is deployed on an Ubuntu server, is interacted with via a web
service, and users remotely integrate vendor devices by adding each system's
credentials.

Figure 1. Integrating a device with credentials

This blog details finding CVE-2024-5910, but also how we ended up discovering
three additional vulnerabilities, which we reported to Palo Alto:

 1. CVE-2024-9464: Authenticated Command Injection
 2. CVE-2024-9465: Unauthenticated SQL Injection
 3. CVE-2024-9466: Cleartext Credentials in Logs


CVE-2024-5910: NO REVERSING NEEDED

Given the description of the vulnerability, it sounded like there existed some
built-in function that allowed resetting the admin credential.

> Missing authentication for a critical function in Palo Alto Networks
> Expedition can lead to an Expedition admin account takeover for attackers with
> network access to Expedition.

Googling “palo alto expedition reset admin password” yielded this forum post as
a top result.

Figure 2. Forum post describing reset php file

Immediately, I see that the PHP file the user is executing locally is hosted in
the folder /var/www/html/, which seems interesting! After several hours, and
failing three times to deploy the Expedition application on an old supported
Ubuntu 20.04 server, we finally get the application deployed to test. We find
that a simple request to that exact endpoint over the web service resets the
admin password.

Figure 3. Resetting the admin password


GIVE AN INCH, TAKE A MILE

While we now have administrative access to the Expedition application, this
does not allow us to read all the stored credentials across the system. We
turned our attention to turning this admin access into remote code execution on
the server.

The Expedition web server is hosted via the Apache2 web service where, as we saw
earlier, the /var/www/html directory is used as the web root. A significant
number of files are served from the web root, many seemingly unnecessarily, and
are exposed via the web service. The Expedition web service uses PHP for the
majority of its code base. Narrowing down the attack surface to files of
interest, we look for PHP files that include the word “exec”, which if left
unchecked may be an avenue for command injection.

Figure 4. Lots of opportunity

We happen upon the file /var/www/html/bin/CronJobs.php because it both contains
a call to ‘exec’ and takes user input from the passed request parameters. Any
valid session ID, for a user of any role, allows interacting with this
endpoint.

Figure 5. CronJobs.php parsing request parameters

The call to exec appears on line 332 when the user updates an existing cronjob,
and constructs the command to execute from data stored within the local MySQL
database for the corresponding cronjob entry. Importantly, the cronjob entry for
the passed cron_id must exist in the cronjobs database table.

Figure 6. Call to exec() in CronJobs.php

Inspecting how these database entries are created, we find that CronJobs.php
also contains a create-cronjob function. When the request parameters specify
that the action is add, it creates an empty cronjob entry in the database.

Figure 7. Adding a cronjob entry to the database

We have now populated the cronjob table with a cronjob entry.

Figure 8. Database entry for our request

With a valid cronjob entry in the database, we now must find a way to insert a
malicious command so that it can be retrieved and executed by the call to exec
we found earlier. Looking back at the update (action = set) operation where the
call to exec occurs, we find that the command value is constructed in several
ways depending on the passed request parameters.

Figure 9. Logic for how “command” is constructed with our input

Looking at line 278, when the recurrence is Daily, the command is constructed
using three variables, two of which are user controlled. The cron_id looks like
a good candidate for attempting to inject a command, but careful inspection of
the SQL statement used to insert the malicious command into the database shows
that it requires a valid cron_id to insert with.

Figure 10. cron_id must be valid to update

Turning our attention to the other variable, time_today, we see it is
constructed by taking the request parameter start_time and splitting it on the
semicolon character, but never validating that the result is a valid time.

Figure 11. time_today formatted from user input

We craft our request so that start_time[0] becomes a malicious command to be
executed.

start_time=\"; touch /tmp/hacked ; :

And the final curl request looks like the following:

curl -ik 'https://10.0.40.64/bin/CronJobs.php' -H 'Cookie: PHPSESSID=rpagjtqkqkf5269be9ro5597r7' -d "action=set&type=cron_jobs&project=pandb&name=test&recurrence=Daily&start_time=\"; touch /tmp/hacked ; :&cron_id=1"

Figure 12. Resulting database entry after updating with malicious request

This vulnerability was assigned CVE-2024-9464. Our proof of concept can be found
here.

Figure 13. www-data reverse shell
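To make the flaw concrete from the defender's side, here is a small Python model of the add → set → exec flow described above, with the unvalidated version beside a hardened one. This is an added example, not Expedition's PHP: the cronjobs table schema, the runner script path and the command shape are assumptions, and the unsafe builder only returns the command string, it never executes anything.

```python
import re
import sqlite3

# Strict 24-hour HH:MM is the only shape a daily start time should take (assumption).
TIME_RE = re.compile(r"^(?P<h>[01]\d|2[0-3]):(?P<m>[0-5]\d)$")
RUNNER = "/path/to/cron-runner.sh"  # hypothetical script the cron job invokes

# The start_time value from the write-up, used only to show what each version does with it.
PAYLOAD = '\\"; touch /tmp/hacked ; :'


def open_db():
    """In-memory stand-in for the cronjobs table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cronjobs (id INTEGER PRIMARY KEY, name TEXT, "
        "command TEXT, hour INTEGER, minute INTEGER)"
    )
    return conn


def add_cronjob(conn, name):
    """action=add: create an empty entry and return its id (this is what makes
    a later action=set find a valid cron_id)."""
    cur = conn.execute("INSERT INTO cronjobs (name) VALUES (?)", (name,))
    conn.commit()
    return cur.lastrowid


def set_cronjob_unsafe(conn, cron_id, recurrence, start_time):
    """Vulnerable pattern: start_time is spliced into a shell command string with
    no validation and stored for later execution (second-order injection).
    The quotes around it do not help: the payload closes them itself."""
    if recurrence != "Daily":
        raise ValueError("only Daily is modelled")
    command = f'/bin/bash {RUNNER} "{cron_id}" "{start_time}"'
    cur = conn.execute("UPDATE cronjobs SET command=? WHERE id=?", (command, cron_id))
    if cur.rowcount != 1:
        raise LookupError("cron_id must exist")
    conn.commit()
    return command


def parse_start_time(start_time):
    """Accept only HH:MM and return (hour, minute) as ints; anything else is rejected."""
    m = TIME_RE.match(start_time)
    if m is None:
        raise ValueError(f"invalid start_time: {start_time!r}")
    return int(m.group("h")), int(m.group("m"))


def set_cronjob_safe(conn, cron_id, recurrence, start_time):
    """Hardened: validate the id and the time, then store structured fields,
    never a command string the user influenced."""
    if recurrence != "Daily":
        raise ValueError("unsupported recurrence")
    if not isinstance(cron_id, int) or cron_id <= 0:
        raise ValueError("cron_id must be a positive integer")
    hour, minute = parse_start_time(start_time)
    cur = conn.execute("UPDATE cronjobs SET hour=?, minute=? WHERE id=?", (hour, minute, cron_id))
    if cur.rowcount != 1:
        raise LookupError("cron_id must exist")
    conn.commit()
    return hour, minute


def run_cronjob_argv(conn, cron_id):
    """At execution time, build an argv list from the stored integers so that no
    shell ever parses user-supplied text."""
    row = conn.execute("SELECT hour, minute FROM cronjobs WHERE id=?", (cron_id,)).fetchone()
    if row is None or row[0] is None:
        raise LookupError("no schedule stored for this cron_id")
    return ["/bin/bash", RUNNER, str(cron_id), f"{row[0]:02d}:{row[1]:02d}"]


if __name__ == "__main__":
    db = open_db()
    job = add_cronjob(db, "test")
    print("unsafe stores:", set_cronjob_unsafe(db, job, "Daily", PAYLOAD))
    try:
        set_cronjob_safe(db, job, "Daily", PAYLOAD)
    except ValueError as exc:
        print("safe rejects:", exc)
    set_cronjob_safe(db, job, "Daily", "02:30")
    print("safe runs:", run_cronjob_argv(db, job))
```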


POST-EXPLOITATION

Once you have access to the server as the www-data user via the above
vulnerability, pilfering credentials out of the database is straightforward.

To dump all API keys and cleartext credentials execute the following SQL query:

mysql -u root -p'paloalto' pandbRBAC -e 'SELECT
hostname,key_name,api_key,user_name,user_password FROM device_keys dk, devices d
WHERE dk.device_id=d.id'

Figure 14. Credentials for integrated devices

While looking through the system for any other credentials, we happened upon a
file called /home/userSpace/devices/debug.txt. This world-readable file
contained the raw request logs of the Expedition server from when it exchanged
cleartext credentials for API keys during the device integration process. The
Expedition server is only supposed to store the API keys and not retain the
cleartext credentials, but this log file showed all the credentials used, in
cleartext. This issue was reported and assigned CVE-2024-9466.

Figure 15. debug.txt logging cleartext credentials


UNAUTHENTICATED SQL INJECTION TO CREDENTIAL PILFERING

We still had a feeling that more vulnerabilities lurked in the application, and
went back to analyzing the multitude of files exposed in the web root. Narrowing
down the attack surface to files of interest, we look for PHP files that include
the word “GET” but do not include the Authentication.php or sessionControl.php
authentication logic, which may indicate an unauthenticated endpoint that takes
request parameters as input.

Figure 16. Exposed endpoints without authentication

We happen upon the file
/var/www/html/bin/configurations/parsers/Checkpoint/CHECKPOINT.php. This file is
reachable unauthenticated, takes HTTP request parameters as inputs, and then
constructs SQL queries with that input.

Figure 17. Endpoint parses request parameters

Looking for a path to SQL injection, we first find that when action=import,
other request parameters we control are parsed to create the variables routeName
and id, which are used in a string format to construct a query on line 73.

Figure 18. SQL injection via routeName variable

Unfortunately, the table selected from in the query does not exist by default,
so queries will fail even if we can construct a malicious one. Fortunately, the
code path when action=get has logic that will create this table in the given
database.


Figure 19. Create table via GET action

An unauthenticated curl request like the one below will create the
policies_to_import_Checkpoint table in the pandbRBAC database.

curl -ivk
'https://10.0.40.64/bin/configurations/parsers/Checkpoint/CHECKPOINT.php' -d
"action=get&type=existing_ruleBases&project=pandbRBAC"


Figure 20. Table successfully created from our request

Returning to the logic when action=import, we can now construct a curl request
which won't immediately fail. The simplest version of SQL injection, as an
example with an unauthenticated curl request:

curl -ivk
'https://10.0.40.64/bin/configurations/parsers/Checkpoint/CHECKPOINT.php' -d
"action=import&type=test&project=pandb&signatureid=1 OR 1=1"

This causes the query to hit the database like so:

Figure 21. Successful SQL injection

Given we have unauthenticated SQL injection, the tables of interest for leaking
data via blind SLEEP-based payloads are the “users” and “devices” tables, which
contain password hashes and device API keys, as demonstrated in the previous
post-exploitation section.

Firing up the SQLMAP tool and supplying it the endpoint, the parameter to
inject, and the table to dump, it successfully dumps the entire users table.

python3 sqlmap.py -u "https://10.0.40.64/bin/configurations/parsers/Checkpoint/CHECKPOINT.php?action=import&type=test&project=pandbRBAC&signatureid=1" -p signatureid -T users --dump

Figure 22. Dumping entire table of choice via BLIND time-based SQL payloads

This vulnerability was assigned CVE-2024-9465. Our proof of concept can be found
here.
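An added Python model (not Expedition's PHP) of the action=get / action=import flow described above: handle_get creates the policies_to_import_Checkpoint table, the string-formatted import query sits beside a parameterized, session-gated handler, and the table columns, the sample rows and the session dict are assumptions.

```python
import sqlite3

TABLE = "policies_to_import_Checkpoint"  # table name from the write-up; columns are assumed


def open_checkpoint_db():
    """Fresh in-memory database: the table does not exist until action=get runs,
    which is why an import query fails on a default install."""
    return sqlite3.connect(":memory:")


def import_reachable(conn):
    """True once the table the import query reads from exists."""
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND lower(name)=lower(?)", (TABLE,)
    ).fetchone()
    return row[0] == 1


def handle_get(conn):
    """action=get: creates the table if missing. Sample rows are constructed so
    that the injected query below has something to return."""
    conn.execute(f"CREATE TABLE IF NOT EXISTS {TABLE} (id INTEGER PRIMARY KEY, route_name TEXT)")
    if conn.execute(f"SELECT COUNT(*) FROM {TABLE}").fetchone()[0] == 0:
        conn.executemany(f"INSERT INTO {TABLE} (route_name) VALUES (?)", [("rule-a",), ("rule-b",)])
    conn.commit()
    return import_reachable(conn)


def handle_import_unsafe(conn, params):
    """Vulnerable pattern: the request parameter is formatted straight into the
    SQL text, so 'signatureid=1 OR 1=1' rewrites the WHERE clause."""
    signature_id = params.get("signatureid", "")
    sql = f"SELECT id, route_name FROM {TABLE} WHERE id = {signature_id}"
    return conn.execute(sql).fetchall()


def handle_import_safe(conn, params, session):
    """Hardened: require an authenticated session (the endpoint had none),
    coerce the id to an integer, and bind it as a parameter."""
    if not session or not session.get("authenticated"):
        raise PermissionError("authentication required")
    try:
        signature_id = int(params.get("signatureid", ""))
    except ValueError:
        raise ValueError("signatureid must be an integer") from None
    return conn.execute(
        f"SELECT id, route_name FROM {TABLE} WHERE id = ?", (signature_id,)
    ).fetchall()


if __name__ == "__main__":
    db = open_checkpoint_db()
    print("import reachable before get:", import_reachable(db))
    handle_get(db)
    print("unsafe, id=1:", handle_import_unsafe(db, {"signatureid": "1"}))
    print("unsafe, injected:", handle_import_unsafe(db, {"signatureid": "1 OR 1=1"}))
    print("safe, id=1:", handle_import_safe(db, {"signatureid": "1"}, {"authenticated": True}))
```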


INDICATORS OF COMPROMISE

The file /var/apache/log/access.log will log HTTP requests and should be
inspected for the endpoints abused in these vulnerabilities.

 * /OS/startup/restore/restoreAdmin.php – Reset admin credentials
 * /bin/Auth.php – Authenticate with reset admin credentials
 * /bin/CronJobs.php – Insert malicious SQL data for command injection
 * /bin/configurations/parsers/Checkpoint/CHECKPOINT.php – Unauthenticated SQL
   injection to exfiltrate database data

Figure 23. Request logs
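As an added example (not from the original post), a Python scanner that checks Apache access.log lines for the endpoints listed above and escalates a login that follows an admin reset from the same client; the log lines are constructed samples and the severity labels are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache common/combined log prefix: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Endpoints from the indicator list (matched case-insensitively) and what a hit means.
WATCHED = {
    "/os/startup/restore/restoreadmin.php": ("high", "admin credential reset, CVE-2024-5910"),
    "/bin/auth.php": ("info", "login; escalated when the same client hit restoreAdmin.php earlier"),
    "/bin/cronjobs.php": ("high", "cron job add/update, the command injection vector, CVE-2024-9464"),
    "/bin/configurations/parsers/checkpoint/checkpoint.php": ("high", "unauthenticated SQL injection, CVE-2024-9465"),
}

# Crude SQL-token check for query-string values. POST bodies (as used against
# CronJobs.php) are not in access.log, so for those the path alone carries the alert.
SQLI_HINT = re.compile(r"(?i)\b(?:or|and|union|select|sleep)\b|['\"]|--")

# Constructed sample lines in Apache combined format; client addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Oct/2024:10:01:02 +0000] "POST /OS/startup/restore/restoreAdmin.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [09/Oct/2024:10:01:05 +0000] "POST /bin/Auth.php HTTP/1.1" 200 90 "-" "curl/8.0"
203.0.113.7 - - [09/Oct/2024:10:02:10 +0000] "POST /bin/CronJobs.php HTTP/1.1" 200 33 "-" "curl/8.0"
198.51.100.9 - - [09/Oct/2024:11:15:44 +0000] "GET /bin/configurations/parsers/Checkpoint/CHECKPOINT.php?action=import&type=test&project=pandbRBAC&signatureid=1%20OR%201%3D1 HTTP/1.1" 200 0 "-" "sqlmap"
192.0.2.50 - - [09/Oct/2024:11:20:00 +0000] "GET /bin/Auth.php HTTP/1.1" 200 90 "-" "Mozilla/5.0"
192.0.2.77 - - [09/Oct/2024:11:21:00 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""


def scan_line(line):
    """Return a finding dict when the request targets a watched endpoint, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    hit = WATCHED.get(parts.path.lower())
    if hit is None:
        return None
    severity, why = hit
    params = parse_qs(parts.query)
    sqli = sorted(k for k, vals in params.items() if any(SQLI_HINT.search(v) for v in vals))
    return {
        "host": m.group("host"),
        "time": m.group("time"),
        "method": m.group("method"),
        "path": parts.path,
        "status": int(m.group("status")),
        "severity": severity,
        "why": why,
        "sqli_params": sqli,
    }


def scan_log(lines):
    """Scan lines in order. A login from a client that hit restoreAdmin.php earlier
    in the same log is raised to 'critical': reset followed by use of the new credentials."""
    findings = []
    reset_hosts = set()
    for line in lines:
        f = scan_line(line)
        if f is None:
            continue
        path = f["path"].lower()
        if path == "/os/startup/restore/restoreadmin.php":
            reset_hosts.add(f["host"])
        elif path == "/bin/auth.php" and f["host"] in reset_hosts:
            f["severity"] = "critical"
            f["why"] = "login after admin reset from the same client"
        findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        print(f"[{finding['severity']:8}] {finding['time']} {finding['host']} "
              f"{finding['method']} {finding['path']} sqli={finding['sqli_params']} : {finding['why']}")
```

To run it on a real server, replace SAMPLE_LOG with the lines of /var/apache/log/access.log.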


EXPOSURE

At the time of writing, there are approximately 23 Expedition servers exposed to
the internet, which makes sense, given that its function does not seem to
require it to be exposed.

Figure 24. Shodan exposure


DISCLOSURE TIMELINE

11 July 2024 – Reported authenticated command injection to Palo Alto PSIRT

12 July 2024 – Reported unauthenticated SQL injection to Palo Alto PSIRT

12 July 2024 – Palo Alto acknowledges receipt of both issues

28 July 2024 – Reported cleartext credentials in logs to Palo Alto PSIRT

1 August 2024 – Palo Alto acknowledges receipt of issue

9 October 2024 – Palo Alto Advisory for CVE-2024-9464, CVE-2024-9465,
CVE-2024-9466 released

9 October 2024 – This blog post


NODEZERO

Figure 25. Dumping credentials from debug.txt

Horizon3.ai clients and free-trial users alike can run a NodeZero operation to
determine the exposure and exploitability of this issue.
