"Portal"-commands can be sent through this channel even if the client is limited by policy to add new portals. The tool is injected into the PANGPA executable (userland/GUI binary) to be able to use the existing PANGPS service communication channel. Using this information, a tool was developed that implements the custom protocol used in this communication as well as the encryption/decryption mechanisms used by GlobalProtect. Details of the communication between PANGPS and PANGPA have previously been publicly disclosed ( ). The most straightforward way of exploiting the vulnerability is to send the “portal” command to the PANGPS service to create a new portal configuration.
![globalprotect vpn client globalprotect vpn client](https://propertylasopa616.weebly.com/uploads/1/2/9/3/129399209/932250214.jpg)
The Global Protect client contains both a privileged system service (PANGPS) and a non-privileged user interface component (PANGPA). The vulnerability exists in one of the functions of the privileged component (PANGPS) that is reachable from the non-privileged component (PANGPA). Low privileged users could escalate privileges in the system. Linux clients (5.3.0 and earlier) are also affected according to Palo Alto Networks. The vulnerability exists in the service PANGPS that runs as SYSTEM.
![globalprotect vpn client globalprotect vpn client](https://help.relativity.com/RelativityOne/Content/Resources/Images/Features/VPN/SCR_VPN_Permissions2.png)
![globalprotect vpn client globalprotect vpn client](https://www.umass.edu/it/sites/default/files/2019/01/10/Screen%20Shot%202018-11-21%20at%2012.08.36%20PM.png)
GlobalProtect is a widely used VPN client developed by Palo Alto Networks. F-Secure discovered a buffer overflow in GlobalProtect VPN client for Windows, versions 5.2.6, 5.2.7 and possibly earlier versions.