Infiltrating Corporate Intranet Like NSA - Pre-auth RCE on Leading SSL VPNs

Conference:  BlackHat USA 2019



The presentation discusses why SSL VPN security matters and the vulnerabilities that exist in popular SSL VPN products. The presenters demonstrate a pre-auth remote code execution vulnerability in both Pulse Secure and Palo Alto SSL VPNs and show how a compromised SSL VPN server can be weaponized to attack the client systems that connect to it.
  • SSL VPNs are widely deployed by corporations and are treated as a secure way to reach private networks from the Internet.
  • Because the SSL VPN itself is the one Internet-exposed service, a pre-auth remote code execution bug in it hands an attacker a foothold on the intranet; the presenters demonstrate such bugs in both Pulse Secure and Palo Alto SSL VPNs.
  • A compromised SSL VPN can also be turned against its own users: the presenters show how local script injection lets the server compromise connecting client systems.
  • Recommended hardening measures include requiring client certificates, enforcing multi-factor authentication, and logging out of the VPN after use.
  • SSL VPN vendors should also publish regular security advisories so that customers know when and what to patch.
The presenters discovered a pre-auth remote code execution vulnerability in the Palo Alto SSL VPN and reported it to the company. The reply they received stated that the company does not consider it a vulnerability and will not issue an official advisory. This underlines the value of independent security research and the need for vendors to take reported vulnerabilities seriously.


SSL VPNs protect corporate assets from Internet exposure, but what if SSL VPNs themselves are vulnerable? They are exposed to the Internet and trusted to reliably guard the only way into the intranet. However, we found pre-auth RCEs on multiple leading SSL VPNs, used by nearly half of the Fortune 500 companies and many government organizations. To make things worse, a "magic" backdoor was found that allows changing any user's password with no credentials required! To show how bad things can go, we will demonstrate gaining a root shell from the only exposed HTTPS port, covertly weaponizing the server against its owner, and abusing a hidden feature to take over all VPN clients!

In such complicated closed-source systems, gaining a root shell from outside the box is certainly not easy. It takes advanced web and binary exploitation techniques to fight for a way to a root shell, which involves abusing defects in web architectures, hard-core Apache jemalloc exploitation, and more. We will cover every detail of all the dirty tricks, crazy bug chains, and the built-in backdoor. After gaining a root shell on the box, we then elaborate on post-exploitation and how we hack back the clients. In addition, we will share the attack vectors against SSL VPNs to kick-start research on similar targets. On the other hand, from our previous experience, we derive general hardening actions that mitigate not only all the above attacks but also other potential 0-days.

In summary, we disclose practical attacks capable of compromising millions of targets, including tech giants and many industry leaders. These techniques and methodologies are published in the hope that they can inspire more security researchers to think out of the box, and that enterprises can apply immediate mitigation and realize that an SSL VPN is not merely a Virtual Private Network but also a "Vulnerable Point of your Network".


