Palo Alto's SSL VPN (GlobalProtect) is what separates the corporate network from outside attackers: you need to get through the VPN before you can reach anything internal at all. Because the VPN itself must be exposed to the internet, it is an attractive attack surface, and any bug in it has high impact.
In C, format strings are how content is added to a string dynamically (printf, snprintf, etc.). But what if the user can supply the format string itself? That is the bug. The specifiers in the string no longer match the arguments the function was actually given, so the function starts consuming whatever happens to be in the vararg slots. That is how the format string vulnerability was found.
By placing conversion specifiers (%n, %s, %x, etc.) in a string that gets processed as a format, data can be read from or written to memory at will. This bug class is almost dead (mostly because compilers warn about a non-literal format with no arguments, e.g. gcc's -Wformat-security). But when one is found, it is enough for a read/write primitive by itself.
To verify the bug on a live server, they initially used %n to crash it. A crash alone was not convincing enough for the authors, though. So they sent a specifier with a huge field width (%9999999c) to induce a large, measurable time delay: if the response is delayed in proportion to the width, the string is really being interpreted as a format, and the bug is legitimate.
To exploit the bug, they use the %n specifier to overwrite a Global Offset Table (GOT) entry with the address of system. After that, trivially passing in a command gets it run in a shell. The binary appears to have no PIE, so the GOT address is fixed and the attack is easy to carry out.
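Worked example of the bug class described above (added here; this is not code from the talk or from Palo Alto's product). It shows the vulnerable snprintf pattern next to its hardened form, what %n actually stores when a specifier is reached, why a wide field width is a useful liveness probe, and a cheap input check. All function names and the sample inputs are constructed for illustration; the %n and width calls are given explicit arguments so the demonstration stays well-defined, whereas in the real attack those arguments are missing and whatever sits in the vararg slot is used.

```c
#include <stdio.h>
#include <string.h>

/*
 * Vulnerable pattern (do not ship): the caller's string becomes the format
 * itself, so any %x/%s/%n inside it is interpreted. gcc -Wformat-security
 * flags this call because the format is not a literal and has no arguments.
 */
int vulnerable_render(char *out, size_t outlen, const char *user)
{
    return snprintf(out, outlen, user);
}

/* Hardened: the user string is only ever consumed by a literal "%s". */
int hardened_render(char *out, size_t outlen, const char *user)
{
    return snprintf(out, outlen, "%s", user);
}

/* Renders with the hardened helper; 1 if the input survived as plain text. */
int hardened_echoes_literally(const char *user)
{
    char out[64];
    hardened_render(out, sizeof out, user);
    return strcmp(out, user) == 0;
}

/*
 * What %n does when it is reached: it stores the number of bytes emitted so
 * far into the int that the matching argument points to. Here the pointer is
 * supplied legitimately; in the attack the argument is missing, so the store
 * lands wherever the attacker has steered the pointer (e.g. a GOT slot), and
 * the byte count is the value written. That is the write primitive.
 */
int bytes_written_before_n(const char *prefix)
{
    char scratch[64];
    int count = -1;
    snprintf(scratch, sizeof scratch, "%s%n", prefix, &count);
    return count;
}

/*
 * Why a wide field is a good liveness probe: the length snprintf reports is
 * the padded width even though the buffer is tiny, so the server does work
 * proportional to the width before it can answer. The width is passed with
 * "*" here so the call stays well-defined; the attacker writes it inline,
 * as in "%9999999c".
 */
int padded_length(int width)
{
    char tiny[8];
    return snprintf(tiny, sizeof tiny, "%*c", width, 'A');
}

/* Cheap input check: does the string contain any conversion specifier? */
int contains_conversion(const char *s)
{
    for (const char *p = s; (p = strchr(p, '%')) != NULL; p++) {
        if (p[1] == '%') {      /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        if (p[1] != '\0')
            return 1;
    }
    return 0;
}

int main(void)
{
    printf("%%n after \"AAAA\" stores %d\n", bytes_written_before_n("AAAA"));
    printf("%%9999999c reports length %d\n", padded_length(9999999));
    printf("hardened keeps \"%%s%%n\" literal: %d\n",
           hardened_echoes_literally("%s%n"));
    printf("\"100%%%%\" flagged: %d\n", contains_conversion("100%%"));
    return 0;
}
```

The hardened form is the whole fix: once user input can only ever reach the formatter as a %s argument, %n and friends in the input are just text, and the width probe has nothing to act on.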
Palo Alto had found this bug shortly before and fixed it quietly, without telling anyone. No CVE was assigned at the time, and Palo Alto did not push customers to update. Eventually Orange Tsai and the crew found that an Uber server was still vulnerable to this attack and compromised it. Publishing patched vulnerabilities matters!