BugTraq
Plunging Through the Palo Alto Networks Firewall Jan 04 2011 10:10PM
Jeromie comsecinc com
Class: Bypassing Intended Security Controls

CVE: <NA>

Remote: Yes

Local: Yes

Published: August 11, 2010

Timeline: Submission to MITRE: August 11, 2010

Credit: Jeromie Jackson CISSP, CISM

COBIT & ITIL Certified

President- San Diego Open Web Application Security Project (OWASP)

Vice President- San Diego Information Audit & Control Association (ISACA)

SANS Mentor

LinkedIn: www.linkedin.com/in/securityassessment

Blog: www.JeromieJackson.com

Twitter: www.twitter.com/Security_Sifu

Cell: 832-378-RISK (7475)

Validated Vulnerable:

All versions prior to 12/07/2010

Discussion:

Palo Alto Networks firewall claims it can ?identify and control applications regardless of port, protocol, encryption, or evasive tactic.? Due to the need for organizations to support protocols and applications not yet categorized by Palo Alto there is an underlying logic issue. Unless a company is willing to disable all services except for those well-known by the Palo Alto firewall risk will be constantly present. I spent a couple hours testing the Palo Alto Network firewall to see if I could puncture the firewall and achieve remote command-and-control.

The Palo Alto Networks firewall uses ?Application Visibility? and ?Application Control? functions in order to identify services and apply controls across the firewall segments. An attacker can leverage a phishing scam or a vulnerabile online forum to distribute a remote command-and-control payload to a machine behind the firewall. The attacked machine will then initiate an outbound command-and-control connection. Palo Alto Networks Firewall simply identifies it as ?Unknown TCP.?

Exploit:

First, I thought about using HTTP to traverse the firewall and remotely control a device behind the firewall. I successfully created a command-and-control session which the firewall identified as generic HTTP traffic. I leveraged the following script from The Hacker's Choice (THC):

http://www.packetstormsecurity.org/groups/thc/rwwwshell-1.6.perl

Second, I generated a Metasploit reverse_tcp command-and-control payload. I uploaded the payload to a website, generated a phishing email, and had the victim machine go to a malicious URL. Command-and-Control was achieved and the firewall simply characterized it as ?Unknown TCP? traffic. Metasploit has the ability to encode the payloads in a plethora of ways- Palo Alto Networks will need to address all potential encodings in order to mitigate the risk.

I worked with the vendor for several months and they recently came out with a signature update that will identify Metasploit. Due to evasion techniques such as encoding, payload packing, and other ways to evade filters I believe the signatures may not catch all payloads generated by Metasploit. I will be doing a little more work in the near future to run a small battery of tests to evaluate the detection rates.

Below are the details pertaining to the update. I find it odd it was marked as a medium severity. Having these Metasploit remote command-and-control sessions enabled me to gain access to password hashes, install keyloggers, start remote desktop VNC sessions, hide my process, and to pivot off the attacked machine to gain further access into the environment.

Vulnerability Signatures Summary

Severity

ID

Attack Name

CVE ID

Vendor ID

Default Action

medium

33515

Metasploit Meterpreter Connection Attempt

alert

medium

33516

Metasploit Meterpreter Connection Attempt

alert

high

33616

IAX2 Asterisk Remote Denial of Service

CVE-2007-3763

alert

high

33446

Struts2 and XWork remote command execution Vulnerability

CVE-2010-1870

alert

critical

33605

Microsoft Office Memory Corruption Vulnerability

CVE-2008-0118

MS08-016

alert

high

33606

Microsoft Word Crafted SmartTag Record Code Execution Vulnerability

CVE-2008-2244

MS08-042

alert

critical

33607

Microsoft Excel Record Parsing Remote Code Execution Vulnerability

CVE-2008-3006

MS08-043

alert

critical

33608

Microsoft PowerPoint Picture Index Variant Remote Code Execution Vulnerability

CVE-2008-0121

MS08-051

alert

critical

33609

Microsoft PowerPoint List Value Parsing Remote Code Execution Vulnerability

CVE-2008-1455

MS08-051

alert

medium

33621

Oracle Web Cache Admin Module Denial of Service Vulnerability

CVE-2002-0386

alert

high

33627

Adobe Flash Player loadBitmap Memory Corruption Vulnerability

cve-2010-3648

APSB10-26

alert

Solution:

A patch will be required from the vendor. In order for the vendor to meet its claims of ?identifying and controlling applications regardless of port, protocol, encryption, or evasion techniques,? it will be required to gather signatures from at minimum the most prevalent command-and-control tools available in the wild and create identification techniques to mitigate the risk. Users could block all non-identified application traffic passing through the firewall to mitigate the risk, however this is generally not a viable option. While their technology is proving to be a strong firewall in the market the marketing statements are a bit lofty.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus