Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Nginx/Apache Path Confusion to Auth Bypass in PAN-OS (CVE-2025-0108)

Adam Kues, posted 1 year ago
  • The authors of this post saw two vulnerabilities under active exploitation in Palo Alto firewalls, so they reverse engineered the exploit to understand what was going on. The architecture is set up with three separate components for web processing: Nginx -> Apache -> PHP.
  • First, Nginx acts as a reverse proxy that sets a number of headers. The most important one is X-pan-AuthCheck: on, which tells the downstream components to check for authentication. After this, Apache re-normalizes the request and re-processes it through a rewrite rule. Finally, if the request is for a PHP file, an authentication check is done based on the header mentioned above.
  • Any time a protocol requires parsing complicated data, it's important to consider the differences between the tech stacks. Here, the authentication requirement is set by Nginx and then enforced by Apache/PHP. If we can trick Nginx into not setting this header but still have Apache process the request as a PHP request, then we can bypass authentication.
  • From reading previous research by Orange and messing around, the authors noticed some odd functionality in a RewriteRule. In Apache, a RewriteRule may perform an internal redirect. This is important because extra URL decoding may occur on that redirect!
  • In Nginx, one of the paths that did NOT get the authentication header set was /unauth. So the goal is to get Nginx to skip setting the header while Apache still routes to an interesting PHP handler. Using the Apache behaviour from above, URL-encoded directory traversal characters can be used to do this. For instance, /unauth/%252e%252e/php/ztp_gate.php/PAN_help/x.css will resolve to /unauth/../php/ztp_gate.php/PAN_help/x.css.gz after the multiple URL decodings. Of course, Apache will then resolve the ../, leading to /php/ztp_gate.php/PAN_help/x.css.gz.
  • Parser differential bugs strike again! Overall, a super interesting blog post about the exploitation of a real and impactful vulnerability.
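As an added example (my own code, not from the post or the vendor), here is a small Python model of the two parsers' views of a request, usable as a detection check over access-log request lines. The /unauth prefix and the example path come from the post; the decode-round counts and the ".php" dispatch heuristic are assumptions modelling the behaviour described above.

```python
from urllib.parse import unquote
import posixpath

# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /unauth/%252e%252e/php/ztp_gate.php/PAN_help/x.css HTTP/1.1",
    "GET /unauth/login.css HTTP/1.1",
    "GET /php/ztp_gate.php HTTP/1.1",
    "GET /unauth/%2e%2e/php/ztp_gate.php HTTP/1.1",
]

UNAUTH_PREFIX = "/unauth/"  # route the front proxy treats as unauthenticated (from the post)


def front_view(raw_path):
    """Path as the front proxy sees it: one percent-decode, then dot-segment
    resolution. Assumption: this is the view used to pick the auth-check route."""
    return posixpath.normpath(unquote(raw_path))


def backend_view(raw_path, decode_rounds=2):
    """Path as the backend finally handles it: repeated decoding (the internal
    rewrite adds a round; two rounds assumed) followed by dot-segment resolution."""
    p = raw_path
    for _ in range(decode_rounds):
        p = unquote(p)
    return posixpath.normpath(p)


def is_path_confusion(request_line):
    """True when the front proxy would classify the request as an unauthenticated
    static route while the backend would dispatch it to a PHP handler elsewhere."""
    _method, raw_path, _version = request_line.split(" ", 2)
    fv = front_view(raw_path)
    bv = backend_view(raw_path)
    front_unauth = fv.startswith(UNAUTH_PREFIX)
    backend_php = bv.endswith(".php") or ".php/" in bv
    return front_unauth and not bv.startswith(UNAUTH_PREFIX) and backend_php


def flag_requests(request_lines):
    """Return the request lines whose two views disagree (the parser differential)."""
    return [line for line in request_lines if is_path_confusion(line)]


if __name__ == "__main__":
    for line in flag_requests(SAMPLE_REQUESTS):
        print("path confusion:", line)
```

Note that the singly-encoded traversal in the last sample is not flagged: the front proxy resolves it itself and would set the header, which is exactly why the post's payload needs the double encoding.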