Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474

Sonny - WatchTowr Labs - Posted 1 year ago
  • SSLVPN is essential protection for defenders. As a result, threat actors are constantly looking for bugs in it. This article describes and explains a vulnerability being used in an active campaign, worked out by diffing the changes introduced by the patch.
  • The first interesting diff they did was on the Nginx route configuration in /etc/nginx/conf/locations.conf. The changes set a bunch of proxy headers to the empty string and one of them to 'on'. Most notably, the X-pan-AuthCheck header was now being set to on.
  • The X-pan-AuthCheck header is used as part of an authentication check in uiEnvSetup.php. Authentication is entirely bypassed by providing this header and setting it to off. Hype!
  • Once logged into an application like this, RCE is practically a feature. AuditLog.php has a fairly obvious command injection. However, they were not entirely sure where the actual input came from; they only knew it had to do with user impersonation. After trying a bunch of endpoints, they eventually found one that triggered the command injection from the username parameter on the call.
  • I personally liked the patch-diffing part of this article. As a defender of other companies, like this one, understanding what the vulnerability is and what you're up against is a requirement. So, I imagine they do a good amount of reverse engineering for these types of patches. Good work and knowledge sharing!