ASA-2019-00460 – Palo Alto GlobalProtect Portal/Gateway Interface: Unauthenticated remote code execution due to format string vulnerability


Allele Security Alert

ASA-2019-00460

Identifier(s)

ASA-2019-00460, PAN-SA-2019-0020, CVE-2019-1579

Title

Unauthenticated remote code execution due to format string vulnerability

Vendor(s)

Palo Alto Networks

Product(s)

Palo Alto Networks PAN-OS

Affected version(s)

Palo Alto Networks PAN-OS version 7.1.18 and earlier
Palo Alto Networks PAN-OS version 8.0.11 and earlier
Palo Alto Networks PAN-OS version 8.1.2 and earlier releases

Fixed version(s)

Palo Alto Networks PAN-OS version 7.1.19 and later
Palo Alto Networks PAN-OS version 8.0.12 and later
Palo Alto Networks PAN-OS version 8.1.3 and later releases

Proof of concept

Yes

Description

There’s an unauthenticated remote code execution (RCE) vulnerability in Palo Alto Networks GlobalProtect Portal and GlobalProtect Gateway interface products. The vulnerability is a format string issue during parameter extraction when connecting to /sslmgr.

Technical details

The bug is very straightforward. It is just a simple format string vulnerability with no authentication required! The sslmgr is the SSL gateway handling the SSL handshake between the server and clients. The daemon is exposed by the Nginx reverse proxy and can be reached via the path /sslmgr.

$ curl https://global-protect/sslmgr
<?xml version="1.0" encoding="UTF-8" ?>
        <clientcert-response>
                <status>error</status>
                <msg>Invalid parameters</msg>
        </clientcert-response>

During the parameter extraction, the daemon searches for the string scep-profile-name and passes its value as the snprintf format used to fill in the buffer. That makes a format string attack possible. You can just crash the service with %n!

POST /sslmgr HTTP/1.1
Host: global-protect
Content-Length: 36

scep-profile-name=%n%n%n%n%n...
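
To make the description above concrete, here is an added example that is neither PAN-OS code nor the researchers' code: a minimal extractor for the scep-profile-name parameter, with the vulnerable snprintf pattern the advisory describes shown in a comment beside the hardened form, plus the input check a defender would apply before the value reaches any formatting routine. The function names extract_profile_name and profile_name_is_clean and the 64-byte buffer size are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define PROFILE_MAX 64   /* assumed buffer size, not from PAN-OS */

/* Locate "scep-profile-name=" in a request body (constructed parser,
 * not PAN-OS code) and copy its value into out.  Returns false if the
 * parameter is absent or its value would not fit in out. */
static bool extract_profile_name(const char *body, char *out, size_t outlen)
{
    static const char key[] = "scep-profile-name=";
    const char *p = strstr(body, key);
    if (p == NULL)
        return false;
    p += sizeof key - 1;

    /* The value ends at the next parameter or at the end of the line. */
    size_t n = strcspn(p, "&\r\n");
    if (n >= outlen)
        return false;

    /* Vulnerable pattern described in the advisory: the attacker-controlled
     * value itself becomes the format string, so directives such as %n are
     * interpreted instead of copied:
     *     snprintf(out, outlen, value);
     * Hardened form: the format is a fixed literal and the value is only
     * ever treated as data, so "%n%n%n" is copied verbatim. */
    int written = snprintf(out, outlen, "%.*s", (int)n, p);
    return written >= 0 && (size_t)written < outlen;
}

/* Defensive check a front end can apply on top of the fix: a SCEP profile
 * name has no legitimate reason to contain '%', so reject such requests
 * (and log them) rather than pass them on. */
static bool profile_name_is_clean(const char *value)
{
    return strchr(value, '%') == NULL;
}
```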

Credits

Orange Tsai and Meh Chang

Reference(s)

Palo Alto Networks Product Vulnerability – Security Advisories
https://securityadvisories.paloaltonetworks.com/(X(1)S(1mczpnil050pdwtagkwkoumn))/

PAN-SA-2019-0020
https://securityadvisories.paloaltonetworks.com/(X(1)S(1mczpnil050pdwtagkwkoumn))/Home/Detail/158

Attacking SSL VPN – Part 1: PreAuth RCE on Palo Alto GlobalProtect, with Uber as Case Study!
https://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html

Attacking SSL VPN – Part 1: PreAuth RCE on Palo Alto GlobalProtect, with Uber as Case Study!
https://devco.re/blog/2019/07/17/attacking-ssl-vpn-part-1-PreAuth-RCE-on-Palo-Alto-GlobalProtect-with-Uber-as-case-study/

CVE-2019-1579
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1579

CVE-2019-1579
https://nvd.nist.gov/vuln/detail/CVE-2019-1579

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: July 24, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.