From adf9665bdf1434c1cdd6e307263ad5b3e4cf070c Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 29 May 2026 20:29:45 +0000 Subject: [PATCH] Add content from: Rapid7 Observed Exploitation of PAN-OS GlobalProtect Authent... --- .../hacking-with-cookies/README.md | 34 ++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) diff --git a/src/pentesting-web/hacking-with-cookies/README.md b/src/pentesting-web/hacking-with-cookies/README.md index 5f383655daf..6c9c0e70bf3 100644 --- a/src/pentesting-web/hacking-with-cookies/README.md +++ b/src/pentesting-web/hacking-with-cookies/README.md 
@@ -449,7 +449,36 @@ public class App { } ``` -context (e.g., server-side session with random ID, or add anti-replay properties). + + +Mitigation: do not mint authentication cookies by encrypting predictable identifiers with a reusable key. Prefer server-side sessions or authenticated encryption/signatures with anti-replay properties. + +### Public-key cookie forgery when decryption is treated as authentication + +Some products misuse asymmetric crypto for bearer cookies: they **encrypt** cookie contents with a certificate-related keypair and later treat **successful private-key decryption** as proof the cookie is authentic. If the plaintext is not protected with a **signature, MAC, or AEAD tag**, anyone who knows the **public key** can forge arbitrary cookies offline. + +Typical exploitation pattern: + +- Identify which cookie or POST parameter carries the auth blob. +- Check whether the server exposes the matching public key via **TLS certificate reuse**, **JWKS**, a downloadable certificate, or any other public trust store. +- Recreate the expected plaintext structure (user, role/domain, host ID, client OS/IP, timestamp, lifetime, etc.). +- Encrypt it with each candidate **public key**, encode it as expected, and replay it. If the server only checks that decryption succeeds and the fields parse, authentication is bypassed. + +**GlobalProtect authentication override** is a practical example of this anti-pattern. When **authentication override cookies** are enabled, the portal/gateway accepts `portal-userauthcookie` or `portal-prelogonuserauthcookie` in a POST to `/ssl-vpn/login.esp`. If the certificate used for cookie encryption/decryption is also reused by the externally exposed HTTPS service, an unauthenticated attacker can retrieve the certificate chain over TLS, forge a cookie for any chosen identity, and submit it directly to the portal/gateway. 
+ +Quick testing ideas: + +```bash +openssl s_client -connect :443 -showcerts --context both --user admin +``` + +Hunting ideas for this class of bug: + +- Token/cookie-based logins to **local or privileged accounts** without a normal credential login immediately beforehand. +- Auth logs where the method is explicitly **`Cookie`**, **token**, **remember-me**, or similar. +- Reused or clearly fake client identifiers (hostname, MAC, device ID), especially across many targets. +- Successes after several malformed/failed cookie attempts, or cookie-auth success without the usual full session creation flow. ## References @@ -462,6 +491,9 @@ public class App { - [https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/](https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/) - [Cookie Chaos: How to bypass __Host and __Secure cookie prefixes](https://portswigger.net/research/cookie-chaos-how-to-bypass-host-and-secure-cookie-prefixes) - [Burp Custom Action – CookiePrefixBypass.bambda](https://github.com/PortSwigger/bambdas/blob/main/CustomAction/CookiePrefixBypass.bambda) +- [Rapid7 Observed Exploitation of PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257)](https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257) +- [Palo Alto Networks advisory: CVE-2026-0257 PAN-OS: GlobalProtect Authentication Bypass Vulnerabilities](https://security.paloaltonetworks.com/CVE-2026-0257) +- [Rapid7 PoC for CVE-2026-0257](https://github.com/sfewer-r7/CVE-2026-0257) {{#include ../../banners/hacktricks-training.md}}
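Review bot: the shell example under "Quick testing ideas" in the first hunk is not a valid command: `openssl s_client` has no `--context` or `--user` options, and the target host is missing before `:443` (a `<host>` placeholder was probably stripped on rendering). It reads as an `openssl` certificate fetch fused with the argument list of a separate PoC tool. Split it: keep a working fetch such as `openssl s_client -connect TARGET:443 -showcerts </dev/null` to pull the exposed certificate chain, and either put the PoC invocation on its own line with the tool named or drop it. Two smaller points in the same hunk: the removed line `context (e.g., server-side session with random ID, or add anti-replay properties).` is the tail of a sentence whose start lies above this hunk, so confirm the preceding paragraph does not now end mid-sentence; and the two blank `+` lines before `Mitigation:` should be collapsed to one, matching the single blank line used before `### Public-key cookie forgery ...` and the other new paragraphs.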
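Review bot: the second hunk adds three references that all name CVE-2026-0257, but the section body added in the first hunk never mentions the identifier; the GlobalProtect paragraph only describes the anti-pattern and the `/ssl-vpn/login.esp` cookies. Add the CVE where `GlobalProtect authentication override` is introduced so a reader can connect the prose to the advisory, the Rapid7 write-up and the PoC entry, otherwise the references look unattached to the text above them.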