Authentication Bypass in Palo Alto PAN-OS GlobalProtect Portal and Gateway
CVE-2026-0257 is an authentication bypass vulnerability in the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS, and certain Prisma Access deployments. The issue affects deployments using GlobalProtect authentication override cookies under a specific certificate configuration. Public reporting and vendor-adjacent analysis indicate that when the same certificate is reused for both the HTTPS service and authentication override cookie encryption/decryption, an attacker can obtain the public key from the exposed HTTPS service and forge authentication override cookies that the appliance will accept. Rapid7 reported that the vulnerable PAN-OS cookie handling path decrypts and trusts cookie contents without sufficient authenticity verification, enabling unauthenticated remote attackers to bypass normal authentication and establish unauthorized VPN sessions. Panorama and Cloud NGFW are not impacted.
Exploits
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (7 hidden).
Small repository containing a single Python proof-of-concept exploit (poc.py), a minimal README, and a license. The script is a standalone network exploit for CVE-2026-0257 targeting Palo Alto Networks GlobalProtect. Its structure shows custom low-level TLS and ASN.1 parsing helpers rather than use of high-level libraries: it builds a ClientHello manually, connects to the target over TLS, parses certificate records from the handshake, extracts an RSA public key from the presented certificate, and uses that key material to forge a GlobalProtect portal-userauthcookie for a chosen username. It then submits the forged cookie to both gateway and portal validation paths and checks returned content for success indicators. The exploit is more than a detector because it generates and prints a reusable forged auth token and actively attempts authentication bypass. Based on the visible code, there are no hardcoded external C2 endpoints or third-party callback URLs; targeting is operator-supplied at runtime. The repository is therefore a focused operational PoC for unauthorized access/authentication bypass against vulnerable GlobalProtect deployments.
Repository contains a single Python exploit script and a detailed README. The main file, CVE-2026-0257.py, is a standalone Palo Alto GlobalProtect authentication bypass exploit/scanner for CVE-2026-0257. It is not part of a common exploitation framework. The script supports scanning one target, multiple targets, or targets from a file, and uses threading for concurrent scans. Core capability: the exploit performs unauthenticated user impersonation by forging a GlobalProtect pre-authentication cookie using only the target server's publicly exposed TLS certificate. The code first opens a raw TCP connection to the target on port 443, sends a handcrafted TLS ClientHello, receives the server handshake, extracts DER-encoded certificates, walks ASN.1 structures to locate SubjectPublicKeyInfo, and recovers the RSA modulus/exponent. It then builds a cookie plaintext for an attacker-chosen username, applies PKCS#1 v1.5 style padding, encrypts with the extracted RSA public key, encodes the result, and submits it to the GlobalProtect login endpoint /ssl-vpn/login.esp. Success is determined from HTTP 200 responses and XML/status parsing, with testing performed in both gateway and portal contexts. Repository structure is minimal: one operational Python PoC plus documentation. The README explains the vulnerability mechanics, TLS handshake parsing, ASN.1 extraction, RSA cookie forgery, and expected impact (unauthenticated VPN access / arbitrary user impersonation). This is an exploit rather than a pure detector because it actively forges authentication material and attempts login bypass. Maturity is OPERATIONAL: the payload is built and used automatically, but it is a standalone PoC rather than a reusable framework module.
This repository is a small standalone Python proof-of-concept exploit for CVE-2026-0257 affecting Palo Alto Networks GlobalProtect on PAN-OS and Prisma Access. The repo contains three files: a README with vulnerability background and usage guidance, a requirements file, and a single executable script `exploit_poc.py` that implements the exploit logic. The exploit is clearly offensive rather than merely diagnostic. Its core capability is remote unauthenticated authentication bypass via forged GlobalProtect authentication override cookies. The script first connects to the target HTTPS service and extracts the full TLS certificate chain. It supports both modern Python behavior (`get_unverified_chain`) and an older fallback that manually captures and parses raw TLS 1.2 handshake records using `ssl.MemoryBIO` to recover the server certificates. It then iterates over each certificate/public key in the chain and attempts to construct an encrypted authentication override cookie for an attacker-supplied username and related client metadata. After generating candidate cookies, the script tests them against GlobalProtect web endpoints. The README explicitly identifies `/ssl-vpn/login.esp` for gateway validation, and the visible code shows separate handling for gateway and portal contexts. Success conditions are based on response content: for gateway mode, acceptance is inferred from a successful login-style response; for portal mode, acceptance is inferred from XML/JNLP-like `<argument>` elements containing the forged username and additional session/configuration data. When successful, the script prints the forged cookie and may also display the extracted auth token, username, and gateway values. Operationally, the exploit supports single-target and multi-target scanning via `--target` or `--target-file`, custom port selection, arbitrary username selection, and customization of cookie fields such as domain, host ID, client OS, and client IP. This makes it more than a minimal PoC, but it is still a standalone script with a fixed exploit path rather than a fully modular framework payload, so OPERATIONAL is the best maturity fit. The exploit requires a specific vulnerable configuration: GlobalProtect authentication override must be enabled, and the certificate used for cookie encryption/decryption must be reused by the HTTPS service or otherwise share the same public key. If that condition is not met, the script reports that no key in the chain produced a valid cookie. Notable implementation details from the visible code include direct socket/TLS handling, certificate parsing with `cryptography.x509`, likely RSA public-key encryption for the forged cookie, HTTP requests via `urllib`, regex parsing of portal responses, and console output helpers from the `frint` package. No destructive behavior, persistence, or post-exploitation payloads are present; the main outcome is unauthorized authenticated access through a forged bearer-like cookie.
This repository is a small standalone proof-of-concept exploit for CVE-2026-0257 affecting Palo Alto Networks PAN-OS GlobalProtect. It contains one Python exploit script, forge_cookie.py, and a README describing usage and expected behavior. The exploit's core capability is authentication bypass via forged GlobalProtect auth override cookies. The script connects directly to the target's HTTPS service, forces a TLS 1.2 handshake, captures raw handshake records, parses the Certificate message, and extracts every certificate in the presented chain. It then derives public keys from those certificates and iteratively uses each key to construct candidate authentication override cookies for a chosen identity (default user: admin, with optional domain, host ID, client OS, and client IP fields). After generating each candidate cookie, the script sends requests to GlobalProtect portal and/or gateway web endpoints over HTTPS to determine whether the forged cookie is accepted. Success is inferred from returned XML/JNLP content, such as <status>Success</status> or <argument> elements containing the requested username and connection details. When successful, the script prints the forged cookie and may also display extracted values such as the auth token, username, and gateway information. Repository structure is minimal:
- Readme.md: vulnerability description, command-line usage, and sample successful exploitation output.
- forge_cookie.py: full exploit implementation, including TLS certificate-chain extraction, certificate parsing, public-key handling, cookie forging, HTTP(S) request logic, response parsing, and CLI argument handling.
This is not merely a detector: it actively attempts exploitation by forging and replaying authentication cookies. However, it is still a PoC/operational script rather than a framework-integrated or heavily weaponized tool. The exploit is network/web-based, targets exposed GlobalProtect services over HTTPS, and is intended to validate whether a target accepts forged auth override cookies derived from public keys in its TLS certificate chain.
Affected products & vendors
Recent activity
324 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An authentication bypass vulnerability in Palo Alto Networks PAN-OS GlobalProtect that can allow unauthenticated attackers to establish VPN sessions on exposed edge devices.
An authentication bypass vulnerability in Palo Alto PAN-OS GlobalProtect that allows unauthenticated attackers to establish VPN connections.
An authentication bypass vulnerability in Palo Alto Networks PAN-OS GlobalProtect portal and gateway components that can allow unauthorized users to forge authentication cookies and establish unauthorized VPN connections, potentially granting internal network access.
A critical authentication bypass vulnerability in Palo Alto Networks PAN-OS GlobalProtect portal and gateway components that allows unauthenticated remote attackers to establish unauthorized VPN connections.