Information

allow local users to gain privileges by leveraging improper sanitization of the root_reboot local invocation.

Bug

[Attached image: CVE-2016-1712_IDA.jpeg]

PoC

The issue is a lack of input validation when the root_reboot binary accepts an argument from the user. root_reboot is a SUID file, which allows regular users to run it as root.

The binary passes that argument straight into the glibc system() call.

This allows a local user, or a remote attacker with low privileges, to become root on the PANFW machine.
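To illustrate the bug class described above, here is an added example; it is not code from the advisory or from PAN-OS (the root_reboot source is not on this page). It is a hypothetical SUID wrapper whose vulnerable form splices the user argument into system(), shown beside a hardened form that allowlists the argument and execs the target without a shell; the target path and the allowed values are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* VULNERABLE pattern (hypothetical, mirrors what the text describes): the
 * untrusted argument is spliced into a command line handed to system().
 * system() runs "/bin/sh -c", so shell metacharacters in the argument are
 * interpreted, and in a SUID-root binary they run as root. */
int vulnerable_reboot(const char *arg) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "/sbin/reboot %s", arg);
    return system(cmd);            /* argument reaches the shell unvalidated */
}

/* Hardened step 1: accept only a fixed set of known-good values (constructed
 * allowlist for the example). Unknown input is refused, not "cleaned". */
static const char *const ALLOWED_ARGS[] = { "now", "--halt", "--poweroff" };

int is_allowed_reboot_arg(const char *arg) {
    if (arg == NULL) return 0;
    for (size_t i = 0; i < sizeof ALLOWED_ARGS / sizeof ALLOWED_ARGS[0]; i++)
        if (strcmp(arg, ALLOWED_ARGS[i]) == 0) return 1;
    return 0;
}

/* Hardened step 2: build argv directly and execv() the target by absolute
 * path. No shell is involved, so metacharacters are just bytes in argv[1]. */
int exec_no_shell(const char *path, const char *arg) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)path, (char *)arg, NULL };
        execv(path, argv);
        _exit(127);                /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Returns -1 without forking when the argument is not on the allowlist. */
int hardened_reboot(const char *arg) {
    if (!is_allowed_reboot_arg(arg)) return -1;
    return exec_no_shell("/sbin/reboot", arg);   /* assumed target path */
}
```

Removing the SUID bit, or restricting the wrapper to a dedicated group, closes the same gap from the other side and is the usual mitigation when the binary cannot be patched.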


Attachments:
CVE-2016-1712_IDA.jpeg

References:
http://securityadvisories.paloaltonetworks.com/Home/Detail/45?AspxAutoDetectCookieSupport=1