greetings fellow scene queens, emo wolf girls, and sloppy ghosts. today i have a special treat for you (and no, this time it's not a bottle of piss).
after writing an exploit for CVE-2019-1579, a format string bug in globalprotect, i wrote a tool to look for format string bugs using ghidra. i ran this script against a few dozen libraries and executables, and as it turns out, there are a lot of format string issues in pan-os.
one of the more interesting vulnerabilities i found with this script was in panmodule.so. panmodule.so is a native library which is called by a lot of php scripts, so a format string vulnerability there likely means remote code execution. when i ran my script on panmodule.so, i immediately got a hit telling me that there was a suspicious call to pan_slog in the handleNTLMMsg function. pan_slog writes to the syslog and accepts format string arguments, so if i can control that format string i'd be a very happy ghost.
the format string argument for pan_slog comes from encodebuf, which is constructed using outbuf, keystr, and vsysstr. vsysstr is passed as an argument to handleNTLMMsg, and the only restriction on it is that it has to return 1 when passed to strtol; keystr is an address returned by inet_ntop; and outbuf comes from the user\password provided by the user.
username and domain sound like user-controllable values, so at this point i told my wife (clipsley) to buy a nice bottle of champissgne to celebrate my new 0w0day.
knowing that this function would likely be called by php, i used a 1337 reverse engineering tool (grep -r) to find that this function is called in /var/appweb/cp/php/browser_challenge.php, and is used by the captive portal. we also seem to have full control over all of the parameters, including vsysstr. the $http_authorization variable holds the value of the http authorization header, which (for ntlm) contains the base64 encoded ntlm messages.
```php
$ret = handleNTLMMsg($_SERVER['HTTP_USER_AGENT'],
                     $remote_host,
                     $http_authorization,
                     $_SERVER['SERVER_PROTOCOL'],
                     $_REQUEST['vsys'],
                     $_REQUEST['url'],
                     new php_string_argout());
```
long story short, if you do ntlm authentication with a malicious username/domain name/vsys parameter, you'll trigger a format string bug when ntlm authentication fails after the type 3 message.
oh yeah btw this doesn't work on new devices. anything after around pan-os 9.0 has FORTIFY_SOURCE enabled, so pan_slog uses __vasprintf_chk instead of vasprintf, which makes exploiting this bug impossible on newer devices. oops. probably should have mentioned that up front. oh well xD just because 8.1 is eol doesn't mean it's not still around
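for anyone who wants to see the bug class rather than the product, here's the pattern from the post boiled down to a few lines of c: an untrusted string (the encodebuf built from user, keystr and vsysstr) handed to a printf-style logger as the format, next to the fixed version where the format is a literal and the string is an argument, plus a small check that counts conversion directives in untrusted input. this is an added example and not palo alto's code; `slog` is a hypothetical stand-in for pan_slog (whose real signature isn't shown here), and the `|` separators in encodebuf are made up for the demo.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* hypothetical stand-in for pan_slog: a printf-style logger that keeps the last line */
static char last_log[256];

__attribute__((format(printf, 1, 2)))
void slog(const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
}

/* the vulnerable pattern: attacker-influenced encodebuf is used AS the format string.
 * gcc -Wformat-security flags this call because the format is not a literal.
 * (FORTIFY_SOURCE's *_chk variants, as the post notes, also refuse %n here at runtime.) */
void log_ntlm_failure_vuln(const char *encodebuf) {
    slog(encodebuf);
}

/* the fixed pattern: the format is a literal, the untrusted data is an argument */
void log_ntlm_failure_fixed(const char *encodebuf) {
    slog("ntlm auth failed for %s", encodebuf);
}

/* defender check: count conversion directives in an untrusted string.
 * a "%%" is a literal percent sign and does not count. any nonzero result
 * reaching a logging sink as a format is a finding. */
int count_format_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* build encodebuf the way the post describes (user + keystr + vsysstr), with
 * a bounded write. separators are constructed for this demo. returns 0 on success. */
int build_encodebuf(char *out, size_t outlen, const char *user,
                    const char *keystr, const char *vsysstr) {
    int r = snprintf(out, outlen, "%s|%s|%s", user, keystr, vsysstr);
    return (r >= 0 && (size_t)r < outlen) ? 0 : -1;
}

const char *last_log_line(void) { return last_log; }
```

run it with `gcc -Wall -Wformat-security` to see the compiler point at the vulnerable call on its own; the fixed logger writes a username like `bob%s%s` to the log verbatim instead of interpreting it.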