Mastodawn

The watchTowr folks published an in-depth article today covering the Palo Alto Networks unauthenticated RCE at: https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/

Even more impressive is they also disclosed a zero-day directory traversal vulnerability in the #golang gorilla/sessions package (used far and wide). The gorilla vulnerability only applies to code using the FilesystemStore, but it is still likely to impact a huge range of products and services. A pull request to fix this is open at https://github.com/gorilla/sessions/pull/274

Huge thanks to @alizthehax0r and the watchTowr team as well as @moloch of Bishop Fox for co-discovery (and providing a fix for) of the gorilla/sessions bug.

Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400)

Welcome to April 2024, again. We’re back, again. Over the weekend, we were all greeted by now-familiar news—a nation-state was exploiting a “sophisticated” vulnerability for full compromise in yet another enterprise-grade SSLVPN device. We’ve seen all the commentary around the certification process of these devices for certain

watchTowr Labs - Blog

HD Moore Apr 17, 2024

@alizthehax0r @moloch definitely more FilesystemStore callers than I expected: https://github.com/search?q=sessions.NewFilesystemStore+language%3Ago+&type=code

Build software better, together

GitHub is where people build software. More than 150 million people use GitHub to discover, fork, and contribute to over 420 million projects.

GitHub

Jonathan Yu Apr 17, 2024

@hdm @alizthehax0r @moloch Wasn't that gorilla stuff unmaintained for awhile, too? So many of us rely on stuff in various states of disrepair, and we deserve all the consequences we get, since we're like raccoons rummaging through trash lol

HD Moore Apr 17, 2024

@jawnsy @alizthehax0r @moloch new maintainers as of July last year, but most of the work has focused on `mux`. Hopefully they can merge + tag a new version for `sessions` soon!

Raven667 Apr 17, 2024

@hdm @jawnsy @alizthehax0r @moloch I wasn't planning on staying up to research this but I hope there are some constraints on what is a valid session.ID that is being written as one of the other problems was encoding '`commands`' into the session cookie, it seems that session IDs are usually alphanumeric and some constraint could probably be enforced that excludes "$(`);[]&!{}" and other nonsense

Sandor Szücs Apr 17, 2024

@hdm @alizthehax0r @moloch I wonder about PaloAlto‘s security practices. I mean everyone makes mistakes but wtf unauthenticated rce, it’s not Wordpress…

Dave Pimlott Apr 17, 2024

@hdm @alizthehax0r the security bulletin at palo alto has been edited since initial release to remove the "telemetry required to be enabled to be exploitable" bit. It's been discovered you just need Global Protect...

And yes, that's me running around like my hair's on fire!

Aliz Apr 17, 2024

@quikkie @hdm I strongly suspected that the 'telemetry' requirement could be sidestepped, but I just couldn't figure out another exploitation path.

Dave Pimlott Apr 17, 2024

@alizthehax0r the watchtower post was amazing work. It showed me how far down my pants had been pulled by sloppy coding (accepting user input without sanitising!!)

Aliz Apr 18, 2024

@quikkie Thanks! Honestly we were racing to get it out first so I was worried it wasn't very clear and polished. Thanks for the feedback, it's very appreciated!

Filippo Valsorda Apr 17, 2024

@hdm @alizthehax0r @moloch Thank you for tracing this to the open source project and filing the vulndb entry.

Could you share the vulnerable binary, or run “go version -m” on it? I want to confirm govulncheck would have flagged it if the CVE was already known.

Aliz Apr 17, 2024

@filippo @hdm @moloch I can't share the binary, I'm afraid, I think I'd get in trouble. I copied the binary in question off the device and ran my Ubuntu box's 'go version -m' -- I have approximately zero golang experience so my apologies if this isn't what you need:
p2/usr/local/bin/gpsvc: go1.13.15
path gpsvc
mod gpsvc (devel)
dep github.com/go-redis/redis v6.15.2+incompatible h1:9SpNVG76gr6InJGxoZ6IuuxaCOQwDAhzyXg+Bs+0Sb4=
dep github.com/google/flatbuffers v1.11.0 h1:O7CEyB8Cb3/DmtxODGtLHcEvpr81Jm5qLg/hsHnxA2A=
dep github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
dep github.com/gorilla/mux v1.7.4 h1:VuZ8uybHlWmqV03+zRzdwKL4tUnIp1MAQtp1mIFE1bc=
dep github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
dep github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7FsgI=
dep github.com/kataras/jwt v0.1.8 h1:u71baOsYD22HWeSOg32tCHbczPjdCk7V4MMeJqTtmGk=
dep github.com/rs/zerolog v1.15.0 h1:uPRuwkWF4J6fGsJ2R0Gn2jB1EQiav9k3S6CSdygQJXY=
dep golang.org/x/net v0.0.0-20190620200207-3b0461eec859 h1:R/3boaszxrf1GEUWTVDzSKVwLmSJpwZ1yqXm8j0v2QI=
dep golang.org/x/sys v0.0.0-20200122134326-e047566fdf82 h1:ywK/j/KkyTHcdyYSZNXGjMwgmDSfjglYZ3vStQ/gSCU=
dep paloaltonetworks.com/libs v0.0.0
=> ../libs

HD Moore Apr 17, 2024

@alizthehax0r @filippo @moloch that Go version is... pretty damning on it's own, yikes!

Filippo Valsorda Apr 17, 2024

@alizthehax0r @hdm @moloch yeah that was it! The Go module is correctly listed ✅

Xebulun EnEssEitch Apr 18, 2024

@alizthehax0r @filippo @hdm @moloch
(from a 10.2.8 vmseries via google cloud)

HD Moore Apr 17, 2024

@filippo @alizthehax0r @moloch there was no CVE for the gorilla/sessions bug, only the PAN RCE (which is mostly-tied to their telemetry log parse)

Filippo Valsorda Apr 17, 2024

@hdm @alizthehax0r @moloch yep, just wanted to make sure that had one been around / after we merge one, the detection works!

Aliz Apr 17, 2024

@filippo @hdm @moloch thanks for filing issues and chasing people / things! I'm a bit lost once I get outside my niche of RE, the golang ecosystem is alien to me.

HD Moore Apr 17, 2024

@alizthehax0r thanks for doing the hard part!

Filippo Valsorda Apr 17, 2024

@hdm @alizthehax0r @moloch A colleague pointed out that the docs of the Session.ID field where Palo Alto is putting attacker controlled data say “The ID of the session, generated by stores. It should not be used for user data.” so this might not be gorilla/session’s fault really.

HD Moore Apr 17, 2024

@filippo @alizthehax0r @moloch ah! good to hear! hopefully most applications aren't passing ~hot garbage~ user input into the Session ID, sounds like additional digging is needed to see what's vulnerable.

moloch Apr 17, 2024

@hdm @filippo @alizthehax0r I do think that is correct based on my understanding, however it seems to me to be "more correct" for the session code call filepath.Base since it's clearly intended to be joining a single path segment, and makes it harder to misuse the library.

Filippo Valsorda Apr 17, 2024

@moloch @hdm @alizthehax0r oh 100%, the robustness change is definitely good, thanks for sending it. Just important in understanding how other projects will be affected.

Filippo Valsorda Apr 17, 2024

@moloch @hdm @alizthehax0r you know, I am not too convinced this is even in gorilla/sessions.FilesystemStore?

https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/ has it in a thing called SessDiskStore which calls paloaltonetworks_com_libs_common_Warn. Maybe they copy-pasted the unsafe code?

gorilla/sessions actually uses github.com/gorilla/securecookie to store the session ID in the cookie, not a plain SESSID.

Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400)

Welcome to April 2024, again. We’re back, again. Over the weekend, we were all greeted by now-familiar news—a nation-state was exploiting a “sophisticated” vulnerability for full compromise in yet another enterprise-grade SSLVPN device. We’ve seen all the commentary around the certification process of these devices for certain

watchTowr Labs - Blog

Filippo Valsorda Apr 17, 2024

@moloch @hdm @alizthehax0r

I'm growing convinced this is not a vulnerability in gorilla/sessions.FilesystemStore at all, but in a Palo Alto internal gorilla/sessions.Store implementation called SessDiskStore which works similarly but critically doesn't protect the session ID with securecookie.

https://github.com/gorilla/sessions/blob/3eed1c4ffcde6f23b6f88068c63c1ef6190df331/store.go#L191

sessions/store.go at 3eed1c4ffcde6f23b6f88068c63c1ef6190df331 · gorilla/sessions

Package gorilla/sessions provides cookie and filesystem sessions and infrastructure for custom session backends. - gorilla/sessions

GitHub

Michael Stapelberg 🐧🐹😺Apr 17, 2024

@filippo @moloch @hdm @alizthehax0r I just now came to the exact same conclusion after tracing how I’m using gorilla/sessions in scan2drive.

They must have implemented their own store, which puts user data into the field that gorilla explicitly labels as “do not put user data here”: https://pkg.go.dev/github.com/gorilla/sessions#Session

sessions package - github.com/gorilla/sessions - Go Packages

moloch Apr 17, 2024

@filippo @hdm @alizthehax0r From my, admittedly cursory look, I think at a minimum you need to pass user input to the session ID, which doesn't seem to be a common use case from looking around Github at other projects implementing the library. So notifying other projects may not be nessisary short of an abundance of caution.