Join us at hack.lu 2025 — Info & Registration
Duration: 30 min
Type: Talk
Speakers: Maxime Escourbiac
Abstract
This session provides an in-depth analysis of multiple critical vulnerabilities discovered by Michelin CERT in the Palo Alto Networks GlobalProtect VPN client, referenced as CVE-2024-5921, CVE-2024-3390, CVE-2024-3391, CVE-2024-3392 and CVE-2025-0118.
The research highlights how attackers on the same network can exploit weaknesses in certificate verification, root CA management, embedded browser authentication, and client-server communications to achieve remote code execution and privilege escalation on Windows workstations.
Description
Elements highlighted during the session:
- Certificate Verification Bypass: The VPN client can be tricked into bypassing certificate verification, allowing attackers to impersonate the VPN portal and deliver malicious payloads.
- Arbitrary Root CA Insertion: Attackers can insert a malicious root CA into the system, enabling them to issue fraudulent certificates and potentially install malware.
- Embedded Browser Exploits: The use of an embedded browser for authentication can be exploited to deliver malicious content, such as HTA files, leading to remote code execution.
- Privilege Escalation: Abusing the impersonation mechanism or the weak system update process to obtain system privileges.
We will go through all the steps, try to understand GlobalProtect thoroughly, and pave the way towards a full chain exploit.