Felix Wilhelm presented in his talk various ways to attack his latest target, the PA-500 firewall produced by Palo Alto Networks.
He discovered vulnerabilities in three different exposed aspects of the device. The first one lies in an unauthenticated API of the management website, which is reachable only from the admin network. It was a typical off-by-one command injection that could be abused by sending a specially crafted request with client=wget to the API.
Some checks had to be bypassed first, which was possible by padding the POST body with a little more than 1024 "A" characters.
He further explained how the User-ID feature can be exploited in a scenario that is fairly common in corporate networks. The attached picture shows the potentially exploitable setup.
The problem lies in the User-ID probing feature, which asks clients for their authenticated user via NetBIOS/WMI. The probing potentially reaches every host in the corporate network, which can lead to unauthorized access to several resources.
The exploit was not published, as it was still going through the responsible disclosure process.
The last and most impactful exploit hits the GlobalProtect feature, an Internet-exposed SSL-VPN/IPsec service that can also be used from smartphones. It is implemented on top of a web service (Appweb3 + PHP), and some of its functionality does not require authentication. Felix Wilhelm described the constraints he faced when triggering the overflow with "Ä" characters: the payload was limited to valid UTF-8, and data execution prevention (DEP), called eXecute Inhibit (XI) on MIPS64, had made its first appearance on the device.
The basic mistake, which he illustrated with the following picture, was failing to sanitize valid, pure UTF-8 input.
He circumvented all protections with a precise heap spray and gained code execution on the system, which gave him a root shell.
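To make the bug class behind "valid, pure UTF-8 input still overflows a buffer" concrete, here is an added C illustration. It is not code from the talk and is not known to be the actual GlobalProtect bug: it assumes the common pattern where input is validated as UTF-8 and a length check counts characters while the copy moves bytes. Nine "Ä" (each two bytes, 0xC3 0x84) pass a 16-character check yet write 18 bytes into the field, clobbering whatever sits behind it on the heap. The UTF-8 validator also shows why the overflow data is restricted to well-formed sequences. FIELD_CHARS, the region layout, the function names and the sample inputs are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capacity the application believes it enforces, in characters (constructed value). */
#define FIELD_CHARS 16
/* Bytes of "adjacent heap object" placed right behind the field. Sized to 3*FIELD_CHARS so that
 * even the worst case the flawed check lets through (16 four-byte characters = 64 bytes)
 * stays inside this one allocation and the demo itself has defined behaviour. */
#define NEIGHBOUR_BYTES (3 * FIELD_CHARS)
#define NEIGHBOUR_FILL 0x5A

/* Length of the well-formed UTF-8 sequence starting at p, or 0 if it is malformed.
 * Rejects stray continuation bytes, 0xC0/0xC1, 0xF5..0xFF, overlong forms, surrogates
 * and code points above U+10FFFF: this is the "valid pure UTF-8" gate. */
static size_t utf8_seq_len(const unsigned char *p, size_t remaining) {
    if (p[0] < 0x80) return 1;
    if (p[0] >= 0xC2 && p[0] <= 0xDF)
        return (remaining >= 2 && (p[1] & 0xC0) == 0x80) ? 2 : 0;
    if (p[0] >= 0xE0 && p[0] <= 0xEF) {
        if (remaining < 3 || (p[1] & 0xC0) != 0x80 || (p[2] & 0xC0) != 0x80) return 0;
        if (p[0] == 0xE0 && p[1] < 0xA0) return 0;   /* overlong */
        if (p[0] == 0xED && p[1] >= 0xA0) return 0;  /* UTF-16 surrogate range */
        return 3;
    }
    if (p[0] >= 0xF0 && p[0] <= 0xF4) {
        if (remaining < 4 || (p[1] & 0xC0) != 0x80 || (p[2] & 0xC0) != 0x80 ||
            (p[3] & 0xC0) != 0x80) return 0;
        if (p[0] == 0xF0 && p[1] < 0x90) return 0;   /* overlong */
        if (p[0] == 0xF4 && p[1] >= 0x90) return 0;  /* above U+10FFFF */
        return 4;
    }
    return 0;
}

/* Validates the whole string and returns its code point count, or -1 if it is not valid UTF-8. */
long utf8_count_codepoints(const char *s) {
    const unsigned char *p = (const unsigned char *)s;
    size_t remaining = strlen(s);
    long count = 0;
    while (remaining > 0) {
        size_t n = utf8_seq_len(p, remaining);
        if (n == 0) return -1;
        p += n;
        remaining -= n;
        count++;
    }
    return count;
}

enum { STORE_OK = 0, STORE_REJECTED = 1, STORE_CORRUPTED_NEIGHBOUR = 2 };

/* One heap allocation modelling the field plus the object that happens to follow it. */
static unsigned char *alloc_region(void) {
    unsigned char *r = malloc(FIELD_CHARS + NEIGHBOUR_BYTES);
    if (!r) abort();
    memset(r, 0, FIELD_CHARS);
    memset(r + FIELD_CHARS, NEIGHBOUR_FILL, NEIGHBOUR_BYTES);
    return r;
}

static int neighbour_intact(const unsigned char *r) {
    for (size_t i = 0; i < NEIGHBOUR_BYTES; i++)
        if (r[FIELD_CHARS + i] != NEIGHBOUR_FILL) return 0;
    return 1;
}

/* Vulnerable pattern (assumed, for illustration): the input is validated as UTF-8 and the
 * length check counts characters, but the copy moves bytes. Any multi-byte character makes
 * the two disagree, so valid input overflows the field into whatever lies behind it. */
int vulnerable_store(const char *input) {
    long chars = utf8_count_codepoints(input);
    if (chars < 0 || chars > FIELD_CHARS) return STORE_REJECTED;
    unsigned char *r = alloc_region();
    memcpy(r, input, strlen(input));     /* byte count, not character count */
    int rc = neighbour_intact(r) ? STORE_OK : STORE_CORRUPTED_NEIGHBOUR;
    free(r);
    return rc;
}

/* Hardened: same validation, but the copy is bounded by the bytes the field can hold. */
int hardened_store(const char *input) {
    if (utf8_count_codepoints(input) < 0) return STORE_REJECTED;
    size_t bytes = strlen(input);
    if (bytes > FIELD_CHARS) return STORE_REJECTED;
    unsigned char *r = alloc_region();
    memcpy(r, input, bytes);
    int rc = neighbour_intact(r) ? STORE_OK : STORE_CORRUPTED_NEIGHBOUR;
    free(r);
    return rc;
}

/* Constructed sample inputs (not taken from the talk). */
#define SIXTEEN_A   "AAAAAAAAAAAAAAAA"                 /* 16 chars, 16 bytes */
#define NINE_UMLAUT "\xC3\x84\xC3\x84\xC3\x84\xC3\x84\xC3\x84\xC3\x84\xC3\x84\xC3\x84\xC3\x84" /* 9 x U+00C4: 9 chars, 18 bytes */

int main(void) {
    printf("16 x A      vulnerable=%d hardened=%d\n", vulnerable_store(SIXTEEN_A), hardened_store(SIXTEEN_A));
    printf("9 x U+00C4  vulnerable=%d hardened=%d\n", vulnerable_store(NINE_UMLAUT), hardened_store(NINE_UMLAUT));
    printf("byte 0xFF   vulnerable=%d hardened=%d\n", vulnerable_store("\xFF"), hardened_store("\xFF"));
    return 0;
}
```

Build with `cc -Wall -o utf8_overflow utf8_overflow.c` and run it. The validator is also what makes such a target awkward to exploit: a continuation byte (0x80 to 0xBF) is only accepted after a lead byte, and bytes such as 0xC0, 0xC1 or 0xF5 to 0xFF never pass, so the attacker cannot place arbitrary bytes behind the field and has to build the heap layout and payload out of well-formed sequences only.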
To wrap up his talk, he gave several recommendations to the manufacturer, highlighted the professional handling on the part of Palo Alto Networks, and was quite positive about the future development of the devices.
The slides of his Talk are here.