However, we failed reproducing on the remote server which is the latest version of GlobalProtect. You can easily identify the GlobalPortect service via the 302 redirection to /global-protect/login.esp on web root!Ībout the vulnerability, we accidentally discovered it during our Red Team assessment services. Palo Alto calls their SSL VPN product line as GlobalProtect. In this article, we would like to talk about the vulnerability on Palo Alto SSL VPN. We will also demonstrate gaining root shell from the only exposed HTTPS port, covertly weaponizing the server against their owner, and abusing a hidden feature to take over all VPN clients! So please look forward to it ) The story From how we jailbreak the appliance and what attack vectors we are focusing on. In our incoming presentations, we will provide more hard-core exploitations and crazy bugs chains to hack into your SSL VPN. Infiltrating Corporate Intranet Like NSA - Pre-auth RCE on Leading SSL VPNs!ĭon’t worry about the spoilers, this story is not included in our BHUSA/DEFCON talks.We put this as the first one because we think this is an interesting story and is very suitable as an appetizer of our Black Hat USA and DEFCON talk: We plan to publish our results on 3 articles. Once the SSL VPN server is compromised, attackers can infiltrate your Intranet and even take over all users connecting to the SSL VPN server! Due to its importance, in the past several months, we started a new research on the security of leading SSL VPN products.
Author: Orange Tsai( and Meh Chang( VPNs protect corporate assets from Internet exposure, but what if SSL VPNs themselves are vulnerable? They’re exposed to the Internet, trusted to reliably guard the only way to your intranet.
0 kommentar(er)
