
Turning the Tables on GlobalProtect: Use and Abuse of Palo Alto's Remote Access Solution.pdf

Uploader: 竿*** ID: 981927 2025-11-29 73 pages 4.45MB

#BHUSA BlackHatEvents

Turning the Tables on GlobalProtect
Use and Abuse of Palo Alto's Remote Access Solution
Speaker: Alex Bourla
Contributor: Graham Brereton

$ whoami
Speaker - Alex Bourla
These days: Independent Security Engineer and Researcher
Previously: Penetration Tester and Red Teamer
Still can't resist poking at products when something doesn't smell right
Contributor - Graham Brereton
Ex-colleague and core contributor
Played a key role in this research

$ globalprotect-info
Always-On VPN for enterprises
SSL decryption & inspection
Identity-based access control
Device trust enforcement
Advanced Threat & DLP

Where it all began

The docs that caught my eye
https:/

Q: How would you design this feature securely?
For example, add * to exclude all Target traffic from the VPN tunnel.
Hint
Adapted from original by Wikipedia contributors, licensed under CC BY-SA 4.0

What could go wrong with this design?
Wildcard Split Tunnel Domain Feature, e.g. *.zoom.us
Open http:/foo.
Diagram components: macOS DNS Resolver, GlobalProtect Network Extension, macOS IP Route Table
Resolve api.zoom.us
api.zoom.us 123.45.67.89
add route 123.45.67.89 via physical interface
What if the DNS server is mine?
And, what if the response is a lie?
dig foo.zoom.us attacker-dns-server

Example Exploitation
External Attacker's goal: Unmonitored C2 channel
*.zoom.us configured as a split tunnel domain to improve Zoom performance

Device Protected by GlobalProtect
Exploitation Steps
Attacker-controlled DNS Server, e.g. 6.6.6.6
GlobalProtect Gateway Server
1. DNS Request for whitelisted domain foo.zoom.us is sent to attacker-controlled DNS server
$ dig foo.zoom.us @6.6.6.6 +short

Based on the contents of "Turning the Tables on GlobalProtect: Use and Abuse of Palo Alto's Remote Access Solution", the key points of the full text are summarized as follows:

1. **GlobalProtect security vulnerabilities**: Palo Alto Networks' GlobalProtect VPN has multiple security vulnerabilities, including DNS spoofing, forged IPC disconnect commands, and configuration file modification.
2. **DNS spoofing**: By controlling a DNS server, an attacker redirects user requests to malicious sites, bypassing VPN protection.
3. **Forged IPC disconnect**: An attacker can forge IPC commands that make the GlobalProtect VPN disconnect, thereby bypassing security policy.
4. **Configuration file modification**: An attacker can modify the user configuration file so that the GlobalProtect VPN runs malicious code.
5. **Privilege escalation**: An attacker can use these vulnerabilities to escalate privileges and even obtain root.
6. **Palo Alto Networks' response**: Palo Alto Networks has released patches that fix some of the vulnerabilities, but some remain unfixed.
7. **Design flaws**: The article points out that GlobalProtect's design has flaws that make it susceptible to attack.