Local Privilege Escalation in Palo Alto's GlobalProtect
During my research on VPN solutions, I uncovered an anomaly in the behavior of one solution in particular: Palo Alto Networks' GlobalProtect VPN client. This led me down a rabbit hole of extensive analysis and research, which ultimately led me to discover a high-severity local privilege escalation vulnerability (CVE-2023-0009).
This vulnerability enabled a local user to elevate their privileges to SYSTEM through token impersonation by abusing named pipes. Furthermore, it allowed an attacker to capture a domain-joined machine's NTLMv1/NTLMv2 hash over the network, which can then be abused in relay attacks such as the infamous Shadow Credentials relay technique.