CVE 2024 0012 & CVE 2024 9474 (#1171)

Co-authored-by: GitHub Action <[email protected]>
Co-authored-by: Sebastien Blot <[email protected]>

.appsec-tests/vpatch-CVE-2024-0012/config.yaml

@@ -0,0 +1,5 @@
+
+appsec-rules:
+- ./appsec-rules/crowdsecurity/base-config.yaml
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2024-0012.yaml
+nuclei_template: test-CVE-2024-0012.yaml

.appsec-tests/vpatch-CVE-2024-0012/test-CVE-2024-0012.yaml

@@ -0,0 +1,21 @@
+
+id: test-CVE-2024-0012
+info:
+  name: test-CVE-2024-0012
+  author: crowdsec
+  severity: info
+  description: test-CVE-2024-0012 testing
+  tags: appsec-testing
+http:
+  - raw:
+      - |
+        GET /php/ztp_gate.php/.js.map HTTP/1.1
+        Host: {{Hostname}}
+        X-PAN-AUTHCHECK: off
+    cookie-reuse: true
+    matchers:
+      - type: dsl
+        condition: and
+        dsl:
+          - "status_code_1 == 403"
+

.appsec-tests/vpatch-CVE-2024-27956/test-CVE-2024-27956.yaml

@@ -11,7 +11,9 @@ http:
         POST /wp-content/plugins/wp-automatic/inc/csv.php HTTP/1.1
         Host: {{Hostname}}
         Content-Type: application/x-www-form-urlencoded
+
         q=INSERT+INTO+wp_users+%28user_login%2C+user_pass%2C+user_nicename%2C+user_email%2C+user_url%2C+user_registered%2C+user_status%2C+display_name%29+VALUES+%28%27eviladmin%27%2C+%27%24P%24BASbMqW0nlZRux%2F2IhCw7AdvoNI4VT0%27%2C+%27eviladmin%27%2C+%27eviladmin%40gmail.com%27%2C+%27http%3A%2F%2F127.0.0.1%3A8000%27%2C+%272024-04-30+16%3A26%3A43%27%2C+0%2C+%27eviladmin%27%29&auth=%00&integ=09956ea086b172d6cf8ac31de406c4c0
+        
     cookie-reuse: true
     matchers:
       - type: dsl

.appsec-tests/vpatch-CVE-2024-9474/config.yaml

@@ -0,0 +1,5 @@
+
+appsec-rules:
+- ./appsec-rules/crowdsecurity/base-config.yaml
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2024-9474.yaml
+nuclei_template: test-CVE-2024-9474.yaml

.appsec-tests/vpatch-CVE-2024-9474/test-CVE-2024-9474.yaml

@@ -0,0 +1,24 @@
+
+id: test-CVE-2024-9474
+info:
+  name: test-CVE-2024-9474
+  author: crowdsec
+  severity: info
+  description: test-CVE-2024-9474 testing
+  tags: appsec-testing
+http:
+  - raw:
+      - |
+        POST /php/utils/createRemoteAppwebSession.php/watchTowr.js.map HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        user=`echo $(uname -a) > /var/appweb/htdocs/unauth/watchTowr.php`&userRole=superuser&remoteHost=&vsys=vsys1
+        
+    cookie-reuse: true
+    matchers:
+      - type: dsl
+        condition: and
+        dsl:
+          - "status_code_1 == 403"
+

.tests/CVE-2024-0012/CVE-2024-0012.log

@@ -0,0 +1,2 @@
+10.0.0.1 - - [20/Nov/2024:04:13:06 +0000] "GET /index.php/.js.map HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" "-"
+10.0.0.2 - - [20/Nov/2024:04:13:06 +0000] "GET /php/ztp_gate.php/.js.map HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" "-"

.tests/CVE-2024-0012/config.yaml

@@ -0,0 +1,11 @@
+parsers:
+    - crowdsecurity/nginx-logs
+    - crowdsecurity/syslog-logs
+    - crowdsecurity/dateparse-enrich
+scenarios:
+    - ./scenarios/crowdsecurity/CVE-2024-0012.yaml
+postoverflows:
+    - ""
+log_file: CVE-2024-0012.log
+log_type: nginx
+ignore_parsers: true

.tests/CVE-2024-0012/scenario.assert

@@ -0,0 +1,37 @@
+len(results) == 2
+"10.0.0.2" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["10.0.0.2"].IP == "10.0.0.2"
+results[0].Overflow.Sources["10.0.0.2"].Range == ""
+results[0].Overflow.Sources["10.0.0.2"].GetScope() == "Ip"
+results[0].Overflow.Sources["10.0.0.2"].GetValue() == "10.0.0.2"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "CVE-2024-0012.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("http_path") == "/php/ztp_gate.php/.js.map"
+results[0].Overflow.Alert.Events[0].GetMeta("http_status") == "404"
+results[0].Overflow.Alert.Events[0].GetMeta("http_user_agent") == "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
+results[0].Overflow.Alert.Events[0].GetMeta("http_verb") == "GET"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "http_access-log"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "http"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "10.0.0.2"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-11-20T04:13:06Z"
+results[0].Overflow.Alert.GetScenario() == "crowdsecurity/CVE-2024-0012"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 1
+"10.0.0.1" in results[1].Overflow.GetSources()
+results[1].Overflow.Sources["10.0.0.1"].IP == "10.0.0.1"
+results[1].Overflow.Sources["10.0.0.1"].Range == ""
+results[1].Overflow.Sources["10.0.0.1"].GetScope() == "Ip"
+results[1].Overflow.Sources["10.0.0.1"].GetValue() == "10.0.0.1"
+results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "CVE-2024-0012.log"
+results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[0].GetMeta("http_path") == "/index.php/.js.map"
+results[1].Overflow.Alert.Events[0].GetMeta("http_status") == "404"
+results[1].Overflow.Alert.Events[0].GetMeta("http_user_agent") == "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
+results[1].Overflow.Alert.Events[0].GetMeta("http_verb") == "GET"
+results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "http_access-log"
+results[1].Overflow.Alert.Events[0].GetMeta("service") == "http"
+results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "10.0.0.1"
+results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-11-20T04:13:06Z"
+results[1].Overflow.Alert.GetScenario() == "crowdsecurity/CVE-2024-0012"
+results[1].Overflow.Alert.Remediation == true
+results[1].Overflow.Alert.GetEventsCount() == 1

.tests/CVE-2024-9474/CVE-2024-9474.log

@@ -0,0 +1 @@
+10.0.0.1 - - [20/Nov/2024:04:13:06 +0000] "POST /php/utils/createRemoteAppwebSession.php/watchTowr.js.map HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" "-"

.tests/CVE-2024-9474/config.yaml

@@ -0,0 +1,11 @@
+parsers:
+    - crowdsecurity/nginx-logs
+    - crowdsecurity/syslog-logs
+    - crowdsecurity/dateparse-enrich
+scenarios:
+    - ./scenarios/crowdsecurity/CVE-2024-9474.yaml
+postoverflows:
+    - ""
+log_file: CVE-2024-9474.log
+log_type: nginx
+ignore_parsers: true

.tests/CVE-2024-9474/scenario.assert

@@ -0,0 +1,19 @@
+len(results) == 1
+"10.0.0.1" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["10.0.0.1"].IP == "10.0.0.1"
+results[0].Overflow.Sources["10.0.0.1"].Range == ""
+results[0].Overflow.Sources["10.0.0.1"].GetScope() == "Ip"
+results[0].Overflow.Sources["10.0.0.1"].GetValue() == "10.0.0.1"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "CVE-2024-9474.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("http_path") == "/php/utils/createRemoteAppwebSession.php/watchTowr.js.map"
+results[0].Overflow.Alert.Events[0].GetMeta("http_status") == "404"
+results[0].Overflow.Alert.Events[0].GetMeta("http_user_agent") == "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
+results[0].Overflow.Alert.Events[0].GetMeta("http_verb") == "POST"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "http_access-log"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "http"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "10.0.0.1"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-11-20T04:13:06Z"
+results[0].Overflow.Alert.GetScenario() == "crowdsecurity/CVE-2024-9474"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 1

appsec-rules/crowdsecurity/vpatch-CVE-2024-0012.yaml

@@ -0,0 +1,26 @@
+
+name: crowdsecurity/vpatch-CVE-2024-0012
+description: "PanOS - Authentication Bypass (CVE-2024-0012)"
+rules:
+  - and:
+    - zones:
+      - HEADERS
+      variables:
+       - x-pan-authcheck
+      transform:
+      - lowercase
+      match:
+        type: equals
+        value: off
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: "http:exploit"
+  label: "PanOS - Authentication Bypass"
+  classification:
+   - cve.CVE-2024-0012
+   - attack.T1595
+   - attack.T1190
+   - cwe.CWE-306

appsec-rules/crowdsecurity/vpatch-CVE-2024-9474.yaml

@@ -0,0 +1,45 @@
+
+name: crowdsecurity/vpatch-CVE-2024-9474
+description: "PanOS - Privilege Escalation (CVE-2024-9474)"
+rules:
+  - and:
+    - zones:
+      - METHOD
+      match:
+        type: equals
+        value: POST
+    - zones:
+      - URI
+      transform:
+      - lowercase
+      match:
+        type: contains
+        value: /php/utils/createremoteappwebsession.php/
+    - zones:
+       - URI
+      transform:
+        - lowercase
+      match:
+        type: endsWith
+        value: .js.map
+    - zones:
+      - BODY_ARGS
+      variables:
+       - user
+      transform:
+      - lowercase
+      match:
+        type: regex
+        value: "[$;|&`>]"
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: "http:exploit"
+  label: "PanOS - Privilege Escalation (CVE-2024-9474)"
+  classification:
+   - cve.CVE-2024-9474
+   - attack.T1595
+   - attack.T1190
+   - cwe.CWE-78

collections/crowdsecurity/appsec-virtual-patching.yaml

@@ -71,6 +71,8 @@ appsec-rules:
 - crowdsecurity/vpatch-CVE-2024-51567
 - crowdsecurity/vpatch-CVE-2024-27956
 - crowdsecurity/vpatch-CVE-2024-27954
+- crowdsecurity/vpatch-CVE-2024-0012
+- crowdsecurity/vpatch-CVE-2024-9474
 author: crowdsecurity
 contexts:
 - crowdsecurity/appsec_base

collections/crowdsecurity/http-cve.yaml

@@ -27,6 +27,8 @@ scenarios:
   - crowdsecurity/CVE-2023-49103
   - crowdsecurity/CVE-2017-9841
   - crowdsecurity/CVE-2024-38475
+  - crowdsecurity/CVE-2024-0012
+  - crowdsecurity/CVE-2024-9474
 author: crowdsecurity
 description: "Detect CVE exploitation in http logs"
 tags:

scenarios/crowdsecurity/CVE-2024-0012.md

@@ -0,0 +1,3 @@
+Detect exploitation of PanOS CVE-2024-0012
+
+Ref: https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/

scenarios/crowdsecurity/CVE-2024-0012.yaml

@@ -0,0 +1,23 @@
+type: trigger
+format: 2.0
+name: crowdsecurity/CVE-2024-0012
+description: "Detect CVE-2024-0012 exploitation attempts"
+filter: |
+  let request = Lower(evt.Parsed.request);
+  evt.Meta.log_type in ['http_access-log', 'http_error-log'] && 
+  evt.Meta.http_status in ['404', '403'] &&
+  (request matches '/php/.*/\\.js\\.map' || request matches '/index.php/.*\\.js\\.map')
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: exploit
+  remediation: true
+  classification:
+    - attack.T1595
+    - attack.T1190
+    - cve.CVE-2024-0012
+  confidence: 3
+  spoofable: 0
+  behavior: "http:exploit"
+  label: "CVE-2024-0012"
+  service: panos

scenarios/crowdsecurity/CVE-2024-9474.md

@@ -0,0 +1,3 @@
+Detect exploitation of PanOS CVE-2024-9474
+
+Ref: https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/

scenarios/crowdsecurity/CVE-2024-9474.yaml

@@ -0,0 +1,24 @@
+type: trigger
+format: 2.0
+name: crowdsecurity/CVE-2024-9474
+description: "Detect CVE-2024-9474 exploitation attempts"
+filter: |
+  let request = Lower(evt.Parsed.request);
+  evt.Meta.log_type in ['http_access-log', 'http_error-log'] && 
+  evt.Meta.http_status in ['404', '403'] &&
+  evt.Meta.http_verb == 'POST' &&
+  request contains '/php/utils/createremoteappwebsession.php/watchtowr.js.map'
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+  type: exploit
+  remediation: true
+  classification:
+    - attack.T1595
+    - attack.T1190
+    - cve.CVE-2024-9474
+  confidence: 3
+  spoofable: 0
+  behavior: "http:exploit"
+  label: "CVE-2024-9474"
+  service: panos