[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Plunging Through the Palo Alto Networks Firewall

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Plunging Through the Palo Alto Networks Firewall
From: Jeromie@xxxxxxxxxxxxx
Date: 4 Jan 2011 22:10:43 -0000

Class:          Bypassing Intended Security Controls
CVE:            <NA>
Remote:         Yes 
Local:  Yes 
Published:      August 11, 2010
Timeline:       Submission to MITRE: August 11, 2010
Credit:         Jeromie Jackson CISSP, CISM
                COBIT & ITIL Certified
                President- San Diego Open Web Application Security Project 
(OWASP)
                Vice President- San Diego Information Audit & Control 
Association (ISACA)
                SANS Mentor
                LinkedIn: www.linkedin.com/in/securityassessment
                Blog: www.JeromieJackson.com
                Twitter: www.twitter.com/Security_Sifu
                Cell: 832-378-RISK (7475)

Validated Vulnerable:   
                All versions prior to 12/07/2010

Discussion: 
Palo Alto Networks firewall claims it can ?identify and control applications 
regardless of port, protocol, encryption, or evasive tactic.?  Due to the need 
for organizations to support protocols and applications not yet categorized by 
Palo Alto there is an underlying logic issue.  Unless a company is willing to 
disable all services except for those well-known by the Palo Alto firewall risk 
will be constantly present.  I spent a couple hours testing the Palo Alto 
Network firewall to see if I could puncture the firewall and achieve remote 
command-and-control.  

The Palo Alto Networks firewall uses ?Application Visibility? and ?Application 
Control?  functions in order to identify services and apply controls across the 
firewall segments.  An attacker can leverage a phishing scam or a vulnerabile 
online forum to distribute a remote command-and-control payload to a machine 
behind the firewall.  The attacked machine will then initiate an outbound 
command-and-control connection.  Palo Alto Networks Firewall simply identifies 
it as ?Unknown TCP.?  


Exploit: 

First, I thought about using HTTP to traverse the firewall and remotely control 
a device behind the firewall.  I successfully created a command-and-control 
session which the firewall identified as generic HTTP traffic.  I leveraged the 
following script from The Hacker's Choice (THC):

http://www.packetstormsecurity.org/groups/thc/rwwwshell-1.6.perl


Second, I generated a Metasploit reverse_tcp command-and-control payload.  I 
uploaded the payload to a website, generated a phishing email, and had the 
victim machine go to a malicious URL.  Command-and-Control was achieved and the 
firewall simply characterized it as ?Unknown TCP?  traffic.  Metasploit has the 
ability to encode the payloads in a plethora of ways- Palo Alto Networks will 
need to address all potential encodings in order to mitigate the risk.


I worked with the vendor for several months and they recently came out with a 
signature update that will identify Metasploit.  Due to evasion techniques such 
as encoding, payload packing, and other ways to evade filters I believe the 
signatures may not catch all payloads generated by Metasploit.  I will be doing 
a little more work in the near future to run a small battery of tests to 
evaluate the detection rates.  

Below are the details pertaining to the update.  I find it odd it was marked as 
a medium severity.  Having these Metasploit remote command-and-control sessions 
enabled me to gain access to password hashes, install keyloggers, start remote 
desktop VNC sessions, hide my process, and to pivot off the attacked machine to 
gain further access into the environment.

Vulnerability Signatures Summary
Severity
ID
Attack Name
CVE ID
Vendor ID
Default Action
medium
33515
Metasploit Meterpreter Connection Attempt


alert
medium
33516
Metasploit Meterpreter Connection Attempt


alert
high
33616
IAX2 Asterisk Remote Denial of Service
CVE-2007-3763

alert
high
33446
Struts2 and XWork remote command execution Vulnerability
CVE-2010-1870

alert
critical
33605
Microsoft Office Memory Corruption Vulnerability
CVE-2008-0118
MS08-016
alert
high
33606
Microsoft Word Crafted SmartTag Record Code Execution Vulnerability
CVE-2008-2244
MS08-042
alert
critical
33607
Microsoft Excel Record Parsing Remote Code Execution Vulnerability
CVE-2008-3006
MS08-043
alert
critical
33608
Microsoft PowerPoint Picture Index Variant Remote Code Execution Vulnerability
CVE-2008-0121
MS08-051
alert
critical
33609
Microsoft PowerPoint List Value Parsing Remote Code Execution Vulnerability
CVE-2008-1455
MS08-051
alert
medium
33621
Oracle Web Cache Admin Module Denial of Service Vulnerability
CVE-2002-0386

alert
high
33627
Adobe Flash Player loadBitmap Memory Corruption Vulnerability
cve-2010-3648
APSB10-26
alert

Solution: 
A patch will be required from the vendor.  In order for the vendor to meet its 
claims of ?identifying and controlling applications regardless of port, 
protocol, encryption, or evasion techniques,? it will be required to gather 
signatures from at minimum the most prevalent command-and-control tools 
available in the wild and create identification techniques to mitigate the 
risk.  Users could block all non-identified application traffic passing through 
the firewall to mitigate the risk, however this is generally not a viable 
option.  While their technology is proving to be a strong firewall in the 
market the marketing statements are a bit lofty.

Prev by Date: [DCA-00017] LinkSys BEFSR41 Multiple Stored Xss
Next by Date: VMSA-2011-0001 VMware ESX third party updates for Service Console packages glibc, sudo, and openldap
Previous by thread: [DCA-00017] LinkSys BEFSR41 Multiple Stored Xss
Next by thread: VMSA-2011-0001 VMware ESX third party updates for Service Console packages glibc, sudo, and openldap
Index(es):
- Date
- Thread