- PALO ALTO GLOBALPROTECT CONFIGURATION FULL
- PALO ALTO GLOBALPROTECT CONFIGURATION SOFTWARE
- PALO ALTO GLOBALPROTECT CONFIGURATION PROFESSIONAL
- PALO ALTO GLOBALPROTECT CONFIGURATION SERIES
When triggering a failing VPN connection to 127.0.0.1 as user johndoe, PanGPS will attempt to restore the portal configuration file PanPortalCfg_1662c17069ca30beb328f3ccdffe14fe.dat from the default file PanPortalCfg.dat. Thus, the that is part of the configuration file names can be computed as follows: Overwriting ld.so.preloadĭuring our testing, we used the portal 127.0.0.1 and the username johndoe. Furthermore, the dynamic linker is rather forgiving when parsing ld.so.preload files that contain only a single valid path that is embedded within seemingly invalid binary data. This includes processes that are created from executable files with the SUID bit set. This file contains a newline-separated list of paths to shared objects that will be preloaded into any newly created process of a dynamically linked executable. After evaluating potential targets that could be overwritten, the file /etc/ld.so.preload, which is interpreted by the dynamic linker, was chosen. We found that this route would be most effective as it does not require any network connectivity or interacting with a VPN server.
![palo alto globalprotect configuration palo alto globalprotect configuration](https://knowledgedirectory.files.wordpress.com/2012/03/cmosd007.jpg)
To exploit this behavior for local privilege escalation (LPE), we focused on the restoration of PanPortalCfg_.dat after a failed VPN connection attempt.
PALO ALTO GLOBALPROTECT CONFIGURATION FULL
However, in order to leverage the full potential of this vulnerability, one also needs to be able to control the data that gets written into these *.dat files. Further analysis of PanGPS confirmed that the *.dat files are accessed in such a way that symbolic links are resolved, and the files pointed to are truncated before they are overwritten.It is therefore possible to create and/or overwrite arbitrary files with root permissions by replacing the *.dat files with symbolic links and causing PanGPS to attempt to write to them.
![palo alto globalprotect configuration palo alto globalprotect configuration](https://image4.slideserve.com/7841738/2018-updated-exams-palo-alto-networks-pcnse-practice-exam-n.jpg)
PanPortalCfg_* contained an AES-encrypted XML document that resembles a portal configuration file. PanPUAC_* contained an AES-encrypted authentication cookie received during negotiation. Furthermore, the files _.dat are written as well.Īnalysis of PanGPS for Linux revealed that the token represents the hexadecimal MD5 digest computed from the ASCII-encoded string _ and that the *.dat files are all encrypted with AES-256-CBC, using a fixed key and initialization vector:ĭuring our testing, PanPCD_* contained a single AES-encrypted null byte. If the configuration retrieval is successful, the configuration is written to PanPortalCfg_.dat.If the configuration retrieval step during VPN connection negotiation fails, PanGPS tries to restore the file PanPortalCfg_.dat from the default configuration file PanPortalCfg.dat.These files are created on at least two occasions: GlobalProtect directory that resides inside the home directory of the logged-in user: It was observed that, under certain conditions, PanGPS for Linux creates root -owned files in the. It is used by unprivileged users to interface with the other services (e.g., to trigger connecting to or disconnecting from the VPN, retrieve VPN status, etc.). globalprotect : This executable implements a command-line interface (CLI).It relays commands and responses between globalprotect and PanGPS via a TCP connection to 127.0.0.1:4767. PanGPA : The PanGPA daemon is automatically started once per log-in session and runs with the privileges of the logged-in user.The daemon listens for TCP connections on 127.0.0.1:4767. PanGPS is responsible for negotiating VPN connections, and it configures network devices, routes, etc. PanGPS: The PanGPS daemon is started once at boot time.
![palo alto globalprotect configuration palo alto globalprotect configuration](https://s1.manualzz.com/store/data/009530392_1-6a868aaa3ba6e7e0418b9cdf9868b7c5.png)
The Linux GlobalProtect client consists of three executable files: Vendor Reference: The CVE-2019-17436 Vulnerability Vulnerability Type: Arbitrary Privileged File WriteĮstimated Risk: High (Local Privilege Escalation to UID 0) GlobalProtect for macOS (verified on Mojave version 10.14.5)Īffected Version: 5.0.4 (and earlier), 4.1.12 (and earlier) Quick FactsĪffected Software: GlobalProtect for Linux (verified on Ubuntu 18.04.2 LTS)
PALO ALTO GLOBALPROTECT CONFIGURATION PROFESSIONAL
We would like to thank Palo Alto Networks for handling and addressing the reported issues in a timely and professional manner. Fixed versions were released on October 15, 2019, by Palo Alto Networks.
PALO ALTO GLOBALPROTECT CONFIGURATION SOFTWARE
The vulnerabilities allowed unprivileged users to reliably escalate to root or SYSTEM on machines where the GlobalProtect software is used. To recap, the CrowdStrike ® Intelligence Advanced Research Team discovered two distinct vulnerabilities in the Windows, Linux and macOS versions of the Palo Alto Networks GlobalProtect VPN client (CVE-2019-17435, CVE-2019-17436). The first blog covered this exploitation on Windows.
PALO ALTO GLOBALPROTECT CONFIGURATION SERIES
This is the second blog in a two-part series covering the exploitation of the Palo Alto Networks GlobalProtect VPN client running on Linux and macOS.