#BHUSA @BlackHatEvents

Turning the Tables on GlobalProtect
Use and Abuse of Palo Alto's Remote Access Solution
Speaker: Alex Bourla
Contributor: Graham Brereton

$whoami
Speaker - Alex Bourla
  These days: Independent Security Engineer and Researcher
  Previously: Penetration Tester and Red Teamer
  Still can't resist poking at products when something doesn't smell right
Contributor - Graham Brereton
  Ex-colleague and core contributor
  Played a key role in this research

$globalprotect-info
  Always-On VPN for enterprises
  SSL decryption & inspection
  Identity-based access control
  Device trust enforcement
  Advanced Threat & DLP

Where it all began

The docs that caught my eye
https:/

Q: How would you design this feature securely?
For example, add * to exclude all Target traffic from the VPN tunnel.
Hint
(Image adapted from original by Wikipedia contributors, licensed under CC BY-SA 4.0)

What could go wrong with this design?
Wildcard Split Tunnel Domain Feature, e.g. *.zoom.us
  Open http:/foo.
  MacOS DNS Resolver -> GlobalProtect Network Extension -> MacOS IP Route Table
  Resolve api.zoom.us
  api.zoom.us -> 123.45.67.89
  add route 123.45.67.89 via physical interface
What if the DNS server is mine? And, what if the response is a lie?
  dig foo.zoom.us -> attacker-dns-server

Example Exploitation
External Attacker's goal: *.zoom.us configured as a split tunnel domain to improve Zoom performance
Image: F
Unmonitored C2 channel
Device Protected by GlobalProtect

Exploitation Steps
Attacker-controlled DNS Server, e.g. 6.6.6.6
1. DNS Request for whitelisted domain foo.zoom.us is sent to attacker-controlled DNS server
GlobalProtect Gateway Server
$ dig foo.zoom.us @6.6.6.6 +short
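The route decision sketched on the slides, written out as an added illustration (not the speaker's code or Palo Alto's implementation): the wildcard exclusion turns whatever address the resolver returns into a route around the tunnel, so a resolver on the untrusted network decides what bypasses inspection. The hardened variant, the resolver address 10.0.0.53 and the policy list are assumptions for illustration; the names and addresses (*.zoom.us, api.zoom.us, 123.45.67.89, 6.6.6.6) are the ones from the slides.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed split-tunnel policy, as on the slides: *.zoom.us is excluded from the tunnel.
EXCLUDE_DOMAINS = ["*.zoom.us"]
# Assumption: the enterprise resolver that is only reachable through the tunnel.
TRUSTED_RESOLVER = "10.0.0.53"


def matches_exclusion(name):
    """True if the queried name falls under a wildcard split-tunnel domain."""
    return any(fnmatchcase(name.lower().rstrip("."), pat) for pat in EXCLUDE_DOMAINS)


def route_decision_vulnerable(name, answer_ip, resolver_ip):
    """Mirrors the slide diagram: any answer for a wildcard-matched name becomes
    a route via the physical interface, whichever resolver supplied it."""
    if matches_exclusion(name):
        return ("physical", answer_ip)
    return ("tunnel", None)


def route_decision_hardened(name, answer_ip, resolver_ip):
    """Illustrative hardening (assumption, not a vendor fix): bypass routes are
    only created from answers given by the tunnel-side resolver, and never to
    non-global addresses, so an attacker-controlled resolver on the local
    network cannot steer excluded traffic."""
    if not matches_exclusion(name):
        return ("tunnel", None)
    if resolver_ip != TRUSTED_RESOLVER:
        return ("tunnel", None)  # answer came from an untrusted resolver
    if not ipaddress.ip_address(answer_ip).is_global:
        return ("tunnel", None)  # refuse bypass routes to private/special ranges
    return ("physical", answer_ip)


def run_scenarios():
    """Constructed lookups: a legitimate one and the spoofed one from the slides."""
    cases = [
        ("api.zoom.us", "123.45.67.89", TRUSTED_RESOLVER),  # genuine Zoom answer
        ("foo.zoom.us", "6.6.6.6", "6.6.6.6"),             # lying attacker resolver
    ]
    return [(n, route_decision_vulnerable(n, a, r), route_decision_hardened(n, a, r))
            for n, a, r in cases]


if __name__ == "__main__":
    for name, vuln, hard in run_scenarios():
        print(f"{name:12} vulnerable={vuln}  hardened={hard}")
```

The second scenario is the unmonitored channel from the slides: the vulnerable logic routes traffic to 6.6.6.6 around the tunnel, while the hardened logic keeps it inside the tunnel where the gateway can inspect it.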