Allele Security Alert
ASA-2019-00460
Identifier(s)
ASA-2019-00460, PAN-SA-2019-0020, CVE-2019-1579
Title
Unauthenticated remote code execution due to format string vulnerability
Vendor(s)
Palo Alto Networks
Product(s)
Palo Alto Networks PAN-OS
Affected version(s)
Palo Alto Networks PAN-OS version 7.1.18 and earlier
Palo Alto Networks PAN-OS version 8.0.11 and earlier
Palo Alto Networks PAN-OS version 8.1.2 and earlier releases
Fixed version(s)
Palo Alto Networks PAN-OS version 7.1.19 and later
Palo Alto Networks PAN-OS version 8.0.12 and later
Palo Alto Networks PAN-OS version 8.1.3 and later releases
Proof of concept
Yes
Description
There’s an unauthenticated remote code execution (RCE) vulnerability in Palo Alto Networks GlobalProtect Portal and GlobalProtect Gateway interface products. The vulnerability is a format string issue during parameter extraction when connecting to /sslmgr.
Technical details
The bug is very straightforward. It is just a simple format string vulnerability with no authentication required! The sslmgr is the SSL gateway handling the SSL handshake between the server and clients. The daemon is exposed by the Nginx reverse proxy and can be touched via the path /sslmgr.
$ curl https://global-protect/sslmgr
<?xml version="1.0" encoding="UTF-8" ?>
<clientcert-response>
<status>error</status>
<msg>Invalid parameters</msg>
</clientcert-response>
During the parameter extraction, the daemon searches the request for the string scep-profile-name and passes its value directly as the snprintf format string used to fill in the buffer. That leads to the format string attack: you can crash the service with %n alone!
POST /sslmgr HTTP/1.1
Host: global-protect
Content-Length: 36
scep-profile-name=%n%n%n%n%n...
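The root cause above is the classic "user data used as the format argument" defect. The following C program is an added illustration, not PAN-OS or GlobalProtect code: it parses a constructed form body for the scep-profile-name parameter, flags values that carry printf conversion directives (the check a WAF rule or request-log scanner would apply), and renders the value the safe way, as an argument to a literal "%s" format rather than as the format itself. The parameter parser, the detection function and all sample bodies are assumptions made for this example and do not decode percent-encoding.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical helper (not the daemon's real parser): copy the value of
 * `key` from an x-www-form-urlencoded body such as "a=b&key=value&c=d"
 * into `out`. Returns the value length, or -1 if the key is absent.
 * Percent-decoding is deliberately not handled here. */
static int get_param(const char *body, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p = body;
    while (p && *p) {
        const char *amp = strchr(p, '&');
        size_t plen = amp ? (size_t)(amp - p) : strlen(p);
        if (plen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = plen - klen - 1;
            if (vlen >= outsz)
                vlen = outsz - 1;           /* truncate, never overflow */
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        p = amp ? amp + 1 : NULL;
    }
    return -1;
}

/* Detection: does an attacker-controlled value contain a printf conversion
 * directive? A "%%" pair is a literal percent sign and is not counted; any
 * other '%' (including "%n", "%x", "%s") is flagged. */
static int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {              /* escaped percent, skip both */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* Combined check over a whole request body: -1 if scep-profile-name is
 * absent, 1 if its value carries a format directive, 0 if it is clean. */
int flag_body(const char *body)
{
    char value[256];
    if (get_param(body, "scep-profile-name", value, sizeof value) < 0)
        return -1;
    return has_format_directive(value);
}

/* Hardened rendering. The vulnerable pattern described on the page is the
 * equivalent of snprintf(buf, bufsz, value); here the value is always an
 * argument of a literal format, so "%n" in it is just three bytes of text. */
int render_profile_name(char *buf, size_t bufsz, const char *value)
{
    return snprintf(buf, bufsz, "scep-profile-name: %s", value);
}

/* Returns 1 if the rendered output contains the value verbatim, i.e. the
 * directives were treated as data and nothing was interpreted. */
int render_is_literal(const char *value)
{
    char buf[512];
    if (render_profile_name(buf, sizeof buf, value) < 0)
        return 0;
    return strstr(buf, value) != NULL;
}

int main(void)
{
    /* Constructed sample bodies, not captured traffic. */
    const char *hostile = "x=1&scep-profile-name=%n%n%n&y=2";
    const char *benign  = "scep-profile-name=branch-office";
    char out[128];

    printf("hostile body flagged: %d\n", flag_body(hostile));   /* 1  */
    printf("benign body flagged:  %d\n", flag_body(benign));    /* 0  */
    printf("missing param:        %d\n", flag_body("a=b"));     /* -1 */
    render_profile_name(out, sizeof out, "%n%n%n");
    printf("safe render: %s\n", out);        /* directives stay literal */
    return 0;
}
```

The detection function errs on the side of flagging any unescaped percent sign, which is the right trade-off for a pre-auth endpoint whose legitimate parameter values never need one; the rendering function shows that once the value is moved to the argument position, the same "%n%n%n" payload that crashes the daemon is harmless.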
Credits
Orange Tsai and Meh Chang
Reference(s)
Palo Alto Networks Product Vulnerability – Security Advisories
https://securityadvisories.paloaltonetworks.com/(X(1)S(1mczpnil050pdwtagkwkoumn))/
PAN-SA-20190020
https://securityadvisories.paloaltonetworks.com/(X(1)S(1mczpnil050pdwtagkwkoumn))/Home/Detail/158
Attacking SSL VPN – Part 1: PreAuth RCE on Palo Alto GlobalProtect, with Uber as Case Study!
https://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html
Attacking SSL VPN – Part 1: PreAuth RCE on Palo Alto GlobalProtect, with Uber as Case Study!
https://devco.re/blog/2019/07/17/attacking-ssl-vpn-part-1-PreAuth-RCE-on-Palo-Alto-GlobalProtect-with-Uber-as-case-study/
CVE-2019-1579
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1579
CVE-2019-1579
https://nvd.nist.gov/vuln/detail/CVE-2019-1579
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: July 24, 2019