The tool is injected into the PANGPA executable (userland/GUI binary) to be able to use the existing PANGPS service communication channel.
Using this information, a tool was developed that implements the custom protocol used in this communication as well as the encryption/decryption mechanisms used by GlobalProtect. Details of the communication between PANGPS and PANGPA have previously been publicly disclosed ( ). The most straightforward way of exploiting the vulnerability is to send the “portal” command to the PANGPS service to create a new portal configuration.
The Global Protect client contains both a privileged system service (PANGPS) and a non-privileged user interface component (PANGPA). The vulnerability exists in one of the functions of the privileged component (PANGPS) that is reachable from the non-privileged component (PANGPA). Low privileged users could escalate privileges in the system. Linux clients (5.3.0 and earlier) are also affected according to Palo Alto Networks. The vulnerability exists in the service PANGPS that runs as SYSTEM. GlobalProtect is a widely used VPN client developed by Palo Alto Networks. F-Secure discovered a buffer overflow in GlobalProtect VPN client for Windows, versions 5.2.6, 5.2.7 and possibly earlier versions.
0 kommentar(er)
