Kevin Beaumont
If you ever wanted a Remote Code Execution exploit for Palo-Alto GlobalProtect (VPN solution presented to the internet by design), somebody made one which spawns a webshell, and used it to hack Uber.
Kevin Beaumont Jul 18
Replying to @GossiTheDog
This vuln has no CVE, so it looks like Palo-Alto tried to silently fix it. It's actually a really serious bug, there's a LOT of big orgs exposed to this.
Mitja Kolsek Jul 18
Replying to @GossiTheDog
Any quick way to scan the internet for sites redirecting to /global-protect/login.esp?
Kevin Beaumont Jul 18
Replying to @GossiTheDog
GlobalProtect runs on the same box as the Palo-Alto firewall, so you end up owning the internet gateway + firewall rules in an end-to-end encrypted session. Woops. PA probably want to tell customers to upgrade.
Kevin Beaumont Jul 18
Replying to @mkolsek
google inurl:global-protect/login.esp
Mitja Kolsek Jul 18
Replying to @GossiTheDog
Yeah, both of these completely unrelated hits are a good start but I was thinking more along the lines of Shodan or similar.
Kevin Beaumont Jul 18
Replying to @mkolsek
Up yer Google-fu :D
Kevin Beaumont Jul 18
Replying to @GossiTheDog
Palo-Alto have dropped a massive bollock here: they didn't assign a CVE and, it appears, didn't tell people. The result is that thousands of major companies are still vulnerable to a format string (!) vulnerability which looks like it belongs in 1997, on their internet gateways.
Mitja Kolsek Jul 18
Replying to @wdormann @GossiTheDog
So it remains a Schroedinger's vuln without a CVE, and if a fixed version is provided and customers advised to update to it "for security reasons", with possibly an auto-update available, isn't that kinda okay? (Not saying this is what happened here btw.)
Kevin Beaumont Jul 18
Replying to @mkolsek @wdormann
Palo-Alto is manual upgrades, for what it's worth - you have to do it through the management interface.
Random Robbie Jul 18
Replying to @GossiTheDog
Not managed to get this working yet.
Kevin Beaumont Jul 18
Replying to @Random_Robbie
It will need tweaking; the different versions behave differently.
Mitja Kolsek Jul 18
Replying to @GossiTheDog @wdormann
Does it obnoxiously nag the admin about the available upgrade? Because I think it should obnoxiously nag the admin about the available upgrade.
Kevin Beaumont Jul 18
Replying to @mkolsek @wdormann
I haven't used it for two years, but if still the same, no. It's buried in the options.
Mitja Kolsek Jul 18
Replying to @GossiTheDog
Now that I've learned to Google, I have to add that we can't know which (if any) of these Google hits for "global-protect/login.esp" indicate vulnerable versions - I understand that both vulnerable and fixed versions redirect to the same page.
tilden-swans Jul 18
Replying to @GossiTheDog
Here’s some creative hunting for you - http.favicon.hash:602431586
Kevin Beaumont Jul 18
Replying to @mkolsek
Yeah, they're just GlobalProtect deployments. is probably a better way to search for deployments btw.
Kevin Beaumont Jul 18
Replying to @midnight_comms
luls. So this finds firewall management interfaces (why the hell do so many people have that exposed?). Although /global-protect/login.esp is a good way of getting to GlobalProtect, if licensed.
Mitja Kolsek Jul 18
Do vulnerable versions happen to have a different favicon than fixed ones?
tilden-swans Jul 18
Replying to @GossiTheDog
Oh yeah, I'm not going to give all the milk away for free.