Share
## https://sploitus.com/exploit?id=PACKETSTORM:182142
SEC Consult Vulnerability Lab Security Advisory < 20241009-0 >  
=======================================================================  
title: Local Privilege Escalation via MSI installer  
product: Palo Alto Networks GlobalProtect  
vulnerable version: 5.1.x, 5.2.x, 6.0.x, 6.1.x, <6.2.5, 6.3.x  
fixed version: >=6.2.5, all other versions are not patched yet  
CVE number: CVE-2024-9473  
impact: high  
homepage: https://docs.paloaltonetworks.com/globalprotect  
found: 2023-11-16  
by: Michael Baer (Office Fürth)  
SEC Consult Vulnerability Lab   
  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"GlobalProtect enables you to use Palo Alto Networks next-gen firewalls or  
Prisma Access to secure your mobile workforce."  
  
Source: https://docs.paloaltonetworks.com/globalprotect  
  
  
Business recommendation:  
------------------------  
The vendor provides a patched version v6.2.5 which should be installed immediately.  
Further affected branches will be patched by the vendor in the future, except  
branch 5.2.x which is EOL. Users are urged to upgrade to the most recent versions.  
  
SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Local Privilege Escalation via MSI installer (CVE-2024-9473)  
The configuration of the GlobalProtect MSI installer file was found to  
produce a visible conhost.exe window running as the SYSTEM user when using   
the repair function of msiexec.exe. This allows a local, low-privileged  
attacker to use a chain of actions, to open a fully functional cmd.exe  
with the privileges of the SYSTEM user.   
  
  
Proof of concept:  
-----------------  
1) Local Privilege Escalation via MSI installer (CVE-2024-9473)  
For the exploit to work, GlobalProtect has to be installed via the MSI file.  
Afterwards, any low-privileged user can start the repair of GlobalProtect by  
double-clicking the installer and trigger the vulnerable actions  
without a UAC popup. The installer, if deleted from it's original location,  
can be found in C:\Windows\Installer with a randomized name.  
  
During the repair process, the subprocess PanVCrediChecker.exe gets  
called with SYSTEM privileges and performs a read action on the file   
"C:\Program Files\Palo Alto Networks\GlobalProtect\libeay32.dll".  
  
This can be used by an attacker by simply setting an oplock on the file.  
As soon as it gets read, the process is blocked until the lock is released.  
To do that, one can use the 'SetOpLock.exe' tool from  
"https://github.com/googleprojectzero/symboliclink-testing-tools"  
with the following parameters:  
  
SetOpLock.exe "C:\Program Files\Palo Alto Networks\GlobalProtect\libeay32.dll" x  
See figure 1 [lock.webp]  
  
During the repair process, the locked file is accessed several times. The lock  
has to be released by pressing ENTER five times before the conhost.exe  
window opens. For the sixth request, the lock should not be released to keep the  
window open. The conhost window that gets opened when PanVcrediChecker.exe is  
executed doesn't close and can then be interacted with.  
  
The attacker can then perform the following actions to   
spawn a SYSTEM shell:  
- Right click on the top bar of the window  
- Click on properties [ see figure 2 openbrowser.webp]  
- Under options, click on the "new console features" link [see figure 2  
openbrowser.webp]  
- Open the link with e.g. firefox or chrome [see figure 2 openbrowser.webp]  
- In the opened browser window press the key combination CTRL+o  
- Type cmd.exe in the top bar and press Enter [see figure 3 cmd.webp]  
  
Note that this does not work using a recent version of the Edge Browser.  
  
  
Vulnerable / tested versions:  
-----------------------------  
The following versions have been tested which were the only versions  
available to SEC Consult at the time of the test. SEC Consult was not  
entirely sure, which exact version the product was:  
- ProductVersion as stated by the PropertyTable: 5.2.10  
- Version as stated by Windows after installing: 5.1.5  
- 6.1.2 is affected as well  
  
  
The vendor confirmed that versions <6.2.5 are affected. Furthermore,  
all other branches 5.1.x, 5.2.x, 6.0.x, 6.1.x and 6.3.x are affected  
as well. Branch 5.2.x is end of life according to the vendor and will  
not be patched.  
  
  
Vendor contact timeline:  
------------------------  
2023-11-17: Contacting vendor through PSIRT@PaloAltoNetworks.com  
asking for most recent software version  
2023-11-21: Vendor confirms receipt of contact  
2023-11-23: Vendor denies providing most recent version and asks for  
full technical report via their online form:  
https://security.paloaltonetworks.com/report  
Note: Submitting the advisory draft via online form  
repeatedly results in server errors  
2023-11-23: Sending the advisory via PSIRT@PaloAltoNetworks.com  
2024-01-11: Contacting vendor through PSIRT@PaloAltoNetworks.com  
asking for confirmation of receiving the advisory and  
status of their triage.  
2024-01-12: Vendor confirms receiving the advisory.  
The issue is tracked internally.  
2024-03-06: Contacting vendor through PSIRT@PaloAltoNetworks.com   
asking for update of the vulnerability.  
2024-04-02: The vendor notifies that the product team is working  
on the report.  
2024-04-08: Asking vendor to notify about updates and the timeline  
of a fix.  
2024-04-24: Vendor was able to reproduce the issue, but not in the  
most recent versions. 5.1.5 is affected, but not 5.2.10  
nor 5.1.12, nor 6.2.2.  
2024-05-23: Asking vendor about affected/fixed versions and regarding  
CVE number.  
2024-05-30: Vendor apologizes for version confusion, following up with team  
internally. Vendor plans to publish an advisory with CVE, but  
no date yet, asks us to wait/coordinate our advisory with theirs.  
2024-06-03: Answering that we will wait for their release & advisory.  
2024-06-17: Asking for a status update regarding the version numbers &  
advisory release.  
Vendor: no ETA/timeline yet, no version information.  
2024-09-25: Asking for a status update regarding the vendor advisory and for  
confirmation of the available fixes.  
2024-09-27: Vendor investigated further and previous versions are unfortunately  
affected as well. Product team works on a fix, advisory & CVE  
release scheduled for 9th October 9 AM PT.  
2024-09-27: Acknowledging the coordinated advisory release for 9th October.  
2024-10-03: Vendor communicates further information regarding affected versions  
and their advisory draft.  
2024-10-07: Vendor confirms 5.2.x as affected as well, but is EOL without fix.  
2024-10-09: Coordinated release of security advisory.  
  
  
Solution:  
---------  
The vendor provides an updated version v6.2.5 which fixes the issues for this  
specific branch. Other versions are not yet patched and will be fixed in future  
releases.  
  
Further information can be found at the vendor's website.  
https://security.paloaltonetworks.com  
  
Users are urged to upgrade to the latest version and remove old versions  
of the MSI installer, especially users of v5.2.x as this branch is EOL and won't  
receive an update.  
  
  
SEC Consult has also released a blog post on 12th September 2024 regarding MSI  
installer security issues tracked as CVE-2024-38014 and a general fix by  
Microsoft. We have contacted Microsoft to have a more general solution for  
every affected vendor. For further details check out the blog post:  
https://r.sec-consult.com/msi  
  
  
Workaround:  
-----------  
None  
  
  
Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab   
An integrated part of SEC Consult, an Eviden business  
Europe | Asia  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF Michael Baer, Johannes Greil / 2024