A Commitment to Getting It Right: Palo Alto Networks’ Expedition Migration Tool

November 29th, 2018 by Quentin Rhoads

Versions Tested:

1.0.106


CVE Numbers:

CVE-2018-10142


Security Advisories:

PAN-SA-2018-0016 – https://securityadvisories.paloaltonetworks.com/Home/Detail/135


Background:

During a recent penetration test for a client, I came across a tool called MigrationTool from Palo Alto Networks. The tool was littered with issues, including the unauthenticated disclosure of passwords, hashes, version information, and more.

So, what’s a SECTION8 team member to do? I quickly grabbed my screenshots and informed Palo Alto Networks of the chaos I uncovered. To my dismay, Palo Alto set me straight and told me they no longer support this product — they, instead, revamped it into a tool called Expedition. They did, however, give me some news that sparked some happiness; Palo Alto Networks’ PSIRT team encouraged me to look at Expedition for any similar issues! A company that wants their products actively tested? The game was on at that point!


Issue:

Luckily, Expedition is free and comes as a VM, which makes researching it straightforward. My goal was to identify the same issues that existed within MigrationTool, but that goal was quickly squashed: it was very apparent that Palo Alto Networks had made some serious changes. A shout out to Palo Alto Networks' commitment to quality.

After searching through the web code that could be reached without authentication, I came across a file named checkPidStatus.php.

Figure 1: checkPidStatus.php code


Looking at the code, its main function appeared to be checking whether a given process is running, by doing the following:

  • Ingest an HTTP GET request carrying the variable pid
  • Pass the variable pid to a function that checks whether that specific process is running and returns the result, true or false.

However, the function determined whether a process was running by calling file_exists on a path built under the /proc/ directory from the supplied pid. Because the pid value was not sanitized, any unauthenticated user could supply a path traversal sequence and use the response to check whether any file on the file system exists.
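As an added illustration (not the Expedition source, which is only shown in Figure 1), here is the pattern described above reconstructed in PHP beside a hardened version; the function names and the exact /proc/ concatenation are assumptions.

```php
<?php
// Added example: a reconstruction of the pattern described in the write-up,
// not the actual Expedition code. Function names and the "/proc/" . $pid
// concatenation are assumptions.

// Vulnerable form: the pid is concatenated into the path unchecked, so a
// value such as "/../etc/passwd" turns file_exists() into an existence
// oracle for any path on the filesystem.
function isRunningVulnerable(string $pid): bool
{
    return file_exists('/proc/' . $pid);
}

// Hardened form: accept only a decimal PID, then confirm the resolved path
// really sits inside /proc before consulting the filesystem.
function isRunningHardened(string $pid): bool
{
    // ctype_digit() rejects signs, dots, slashes and the empty string.
    if (!ctype_digit($pid) || $pid === '0') {
        return false;
    }
    $base = realpath('/proc');
    $path = realpath('/proc/' . $pid);
    // realpath() returns false for a missing entry; anything that resolved
    // outside /proc would not start with $base followed by a slash.
    if ($base === false || $path === false) {
        return false;
    }
    return strncmp($path, $base . '/', strlen($base) + 1) === 0;
}

// Constructed request values standing in for $_GET['pid'].
$samples = ['1', '/../etc/passwd', '../../etc/shadow', '4abc', ''];
foreach ($samples as $pid) {
    printf("%-20s vulnerable=%s hardened=%s\n",
        var_export($pid, true),
        isRunningVulnerable($pid) ? 'true' : 'false',
        isRunningHardened($pid) ? 'true' : 'false');
}

// The same JSON shape the page describes, produced from the hardened check.
echo json_encode(['isRunning' => isRunningHardened($_GET['pid'] ?? '')]), "\n";
```

Run under the CLI, the loop shows the vulnerable check answering true for /../etc/passwd on any Linux host while the hardened check answers true only for a numeric PID that exists under /proc.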


Proof of Concept:

As an unauthenticated user, send an HTTP GET request to http://<IP>/API/process/checkPidStatus.php with the variable pid in the body of the request. Replace the pid value with a path traversal payload such as /../etc/passwd. If the file exists, the response returns isRunning: true.

Figure 2: A file that exists

Figure 3: A file that doesn't exist


Resources:

Proof of Concept: https://github.com/Critical-Start/Section-8/blob/master/CVE-2018-10142/expedition_sploit.py


Timeline:

2018-10-17 – Vendor Disclosure

2018-10-17 – Vendor Responded Confirming the Vulnerability

2018-11-20 – Vendor Informed Vulnerability Has Been Fixed and Issued CVE-2018-10142

2018-12-03 – Public Release


Credit:

Discovered by Quentin (Paragonsec) Rhoads-Herrera of CRITICALSTART – SECTION8.
