* [Blog](https://www2.paloaltonetworks.com/blog) * [Cloud Security](https://www2.paloaltonetworks.com/blog/cloud-security/) * [Cloud Workload Protection Platform](https://www2.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/) * BSidesTLV 2022 CTF - Inte... # BSidesTLV 2022 CTF - Intergalactic Communicator [](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fctf-hacking-challenge%2F) [](https://twitter.com/share?text=BSidesTLV+2022+CTF+-+Intergalactic+Communicator&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fctf-hacking-challenge%2F) [](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fctf-hacking-challenge%2F&title=BSidesTLV+2022+CTF+-+Intergalactic+Communicator&summary=&source=) [](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www2.paloaltonetworks.com/blog/cloud-security/ctf-hacking-challenge/&ts=markdown) \[\](mailto:?subject=BSidesTLV 2022 CTF - Intergalactic Communicator) Link copied By [Artur Avetisyan](https://www.paloaltonetworks.com/blog/author/artur-avetisyan/?ts=markdown "Posts by Artur Avetisyan") Aug 05, 2022 12 minutes [Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown) [Event](https://www.paloaltonetworks.com/blog/category/event/?ts=markdown) [Binary Exploitation](https://www.paloaltonetworks.com/blog/tag/binary-exploitation/?ts=markdown) [BSidesTLV](https://www.paloaltonetworks.com/blog/tag/bsidestlv/?ts=markdown) [CTF](https://www.paloaltonetworks.com/blog/tag/ctf/?ts=markdown) [reverse engineering](https://www.paloaltonetworks.com/blog/tag/reverse-engineering/?ts=markdown) ## Throwing Down the Hacking Gauntlet at BSidesTLV As part of our initiative to give back to the community, Palo Alto Networks sponsored [BSidesTLV](https://bsidestlv.com/), and the Prisma Cloud Security Research team supported the conference in our unique way by creating a [Capture the Flag]()(CTF) challenge. Every year, BSidesTLV hosts a CTF, which is a hacking competition where participants attempt to solve as many hacking challenges as possible in a limited time. To solve our challenge, participants had to find a vulnerability in an application and exploit it while bypassing several exploitation defenses. Out of the 739 teams that participated in the CTF, only one team solved the challenge. ## BSidesTLV Started by a group of hackers, security researchers and cyber security enthusiasts eager to share their knowledge and ideas, Security BSides is a global network of non-profit security events taking place anywhere, including BSidesTLV in Tel Aviv. ## The Prisma Cloud Security Research Team Challenge We dubbed our hacking challenge, created for the CTF competition, Intergalactic Communicator. Participants had to exploit a remote application and exfiltrate the file flag.txt to solve the challenge. They were provided with the container image of the server, which serves an x86\_64 architectured ELF executable binary, and had to reverse engineer it with the intention of finding and exploiting a vulnerability while overcoming exploitation mitigations, such as [ASLR](https://en.wikipedia.org/wiki/Address_space_layout_randomization), [DEP](https://en.wikipedia.org/wiki/Executable_space_protection) and [stack canary](https://en.wikipedia.org/wiki/Buffer_overflow_protection#Canaries). The application would receive all the incoming messages, sanitize them into ASCII characters (seeing as sometimes aliens can scramble some weird words) and concatenate them into one transmission to then broadcast intergalactically. ## The Protocol The binary expects to receive packets over a proprietary protocol with two sections -- header and data. ### The Header \[START\_CODE\] 0x00 - 0x04: length 0x04 - 0x0c: checksum 0x0c - 0x10: opcode \[END\_CODE\] **Length** - The first 4 bytes of the header represents the length of the packet without the length value in big endian. **Checksum** - The next 8 bytes of the header is a [CRC-64](https://en.wikipedia.org/wiki/Cyclic_redundancy_check) hash of the packet (without the length and checksum values). **Opcode** - The next 8 bytes of the header is the opcode value, which is used to indicate which operation should be performed. ### The Data The data is encrypted using [RC4](https://en.wikipedia.org/wiki/RC4) with a unique key for each packet, and since RC4 is a symmetric encryption, the key can be used to encrypt and decrypt the data. The key is calculated by taking the phrase "NotFlag!JustKey!" and [XORing](https://en.wikipedia.org/wiki/Bitwise_operation#XOR) each half of the key with the checksum in the header section. When the application receives a packet, it decrypts the data and validates its integrity by verifying the checksum is correct. It does so by calculating the checksum of the packet and comparing it with the checksum in the header. ### The Opcode The opcode parameter instructs the application what functionality to initiate: **Case 0x1** - Return the number of messages created in a [dynamic array](https://en.wikipedia.org/wiki/Dynamic_array). **Case 0x2** - Fetch the requested message and concatenate the message to "Message from earth: %s". **Case 0x3** - Sanitize the data in the request and append it to the end of the messages array. **Case 0x4** - Clear all of the messages created in the vector. **Case 0x5** - Concatenate all the messages created by the client to a prefix message "Broadcasting to planets...\\n" and copy them to the output buffer, which will transmit the messages. In any other case, the server will simply return the "Welcome to the Intergalactic Communicator\\n" message. ### The Vulnerabilities #### Stack Overflow We embedded an intentional stack overflow condition in the last opcode case 0x5 where the server will concatenate all the messages in the array and copy them to the output buffer without validating the buffer's size and the concatenated message's size. #### Format String Specifier Looking back at the opcode case 0x2 that will read a message using an index supplied in the data, the posted message will be concatenated with a prefix of "Message from earth: %s" and written to the output buffer using two [vsnprintf](https://cplusplus.com/reference/cstdio/vsnprintf/) function calls. The first function call: vsnprintf(temp\_buffer, 2048, "Message from earth: %s", message) The message will be set as the va\_args, while the prefix string will be set as the format string. In this case, there is no issue to exploit. The second function call: vsnprintf(output\_buffer, 2048, temp\_buffer) In this case the temporary buffer from the previous call is introduced as a format string argument, which introduces a format string specifier vulnerability. The format string specifier vulnerability allows leaking data from the stack as the unsanitized message is being treated as a format string argument. For example, [%p](https://en.wikipedia.org/wiki/Printf_format_string#Type_field) could be used to leak 8 bytes from the stack giving us our desired read primitive. ### Exploitation Mitigations While it is possible to crash the application with the stack overflow vulnerability, there are some constraints and mitigations to overcome before achieving control over the execution flow. #### Stack Canary Stack canary is used to detect a stack buffer overflow by placing a value in the memory before the return address in the stack. During exploitation, as buffer overflows overwrite the stack, they will also overwrite the canary, which will be checked later to verify if a buffer overflow has occurred. The stack canary is randomly generated every time the application is started. #### Bypass the Stack Canary To bypass the stack canary, a memory leak or a read primitive should be found to leak the stack canary and write it in its place. The usage of format string specifiers in the opcode case 0x2 can be used to develop a way to leak data from the application's memory. Seeing as vsnprintf will only write 2048 bytes to the buffer and the stack canary is located much farther away, we can use the [$](https://en.wikipedia.org/wiki/Printf_format_string#Parameter_field) character to specify which argument position to leak from the stack -- in our case canary:%485$p will leak the stack canary successfully. Usually, Format String Specifier vulnerabilities can be used to develop a write primitive using the %n format string, but in this case, the binary was patched to prevent this. #### Character Sanitization The next restriction is character sanitization. In the case of opcode 0x3, when data is received prior to being pushed into the messages array, the server will loop the data through a sanitization process to convert non ASCII characters. As previously mentioned, we can only use ASCII characters. We should also note that any byte bigger than 0x7f is converted with a bitwise AND operator instead of being stripped or replaced with fixed characters. This can prove helpful to send null bytes, which are usually bad characters when dealing with strings. The character sanitation restriction is an issue because the stack canary is randomly generated when an application is started and they remain unchanged until the application finishes its execution. The stack canary in our case is 7 random bytes followed by a null byte. This means that in many cases an attacker could not be able to override the canary with the right characters as he is restricted. #### Bypass the Character Sanitization Luckily this application is being served with [socat](https://linux.die.net/man/1/socat). Every new connection starts the application again and serves it until timeout or until the process is killed, which means the stack canary is randomly generated again. At least once in 4000 requests, a fitting stack canary with ASCII characters and a null byte will be generated. Seeing as the stack canary is randomly generated, this happens quite often and is around the 100-200 requests area. The last issue is the fact that the least significant byte of the stack canary is a null byte (0x00), which might cause issues with null terminator aware functions. We can overcome this problem by abusing the character sanitization process, seeing as 0x80 will be converted to a null byte in that process and allowing us to introduce null bytes at any location without terminating any function. #### DEP The next restriction to bypass is Data Execution Prevention ([DEP](https://en.wikipedia.org/wiki/Executable_space_protection#Linux)), which enforces "read", "write" and "execute" permissions over memory regions. DEP mitigation is used to enforce "read" and "write" permissions over data regions, such as stack or heap memory regions, in an attempt to mitigate buffer overflow exploits from executing due to the lack of the "execute" permission. Seeing as this is a stack overflow, we will be overwriting a memory area that has only "read" and "write" permissions. Any assembly code written by us won't be executed due to the DEP mitigation, seeing as this area lacks the execute permission. #### Bypass DEP We can use a common technique called Return Oriented Programming (ROP) to bypass DEP. In short, we can inject a chain of pointers that will divert the execution flow to small bits of assembly opcodes (called gadgets) from the application and create a syscall that can either execute commands or set the landed memory area as executable and introduce a shellcode for example. #### ASLR This is where we encounter the last restriction -- the Address Space Layout Randomization (ASLR) mitigation. This mitigation will randomize the middle 28 bits of the application's base address. The ASLR will prevent us from using hardcoded pointers from within the application, seeing as the base address will change every time the application is started and require us to leak and determine the application's base address, then calculate each gadget's exact pointer using its offset from the base address. The ASLR restriction is also impacted by the character restriction, seeing as we need the application to have a base address that has only ASCII characters and only uses gadgets that have only ASCII characters. Luckily the base address is randomly generated with each execution of the application, as previously mentioned, so we can simply leak an address using the format string specifier vulnerability -- and if the address doesn't fit, we can crash the application and try again until both the base address and stack canary have ASCII only characters. This solar eclipse-like condition happens quite often, and after some testing, it is averaged to 1500-2000 requests required to stumble on this. #### The Exploit Our exploit will start by gathering the information required to bypass all the mitigations, starting with the format string specifier read primitive to leak a pointer from the stack using a %3$p format string. This will be needed to bypass DEP later using the mprotect syscall. The next pointer required is the binary's [base address](https://en.wikipedia.org/wiki/Base_address).There is a pointer that points to base\_address + 0x131f9c on the stack at position 225, so we can use %225$p to leak its address and subtract 0x131f9c from it to get the binary's base address. The last thing needed is the stack canary value, which is located at position 485, and we can leak it with a %485$p format string. To recap -- the message used to leak this information looks like this: shellcode:%3$p:base:%225$p:canary:%485$p: We will loop the information leak constantly until we find a stack canary that contains only ASCII characters. Once this requirement is met, we can exploit the buffer overflow while overwriting the stack canary with the correct value and achieve control over the execution of the application. Now, to bypass the DEP mitigation and execute our shellcode, a ROP chain should be constructed to build a syscall for mprotect. The character sanitizer restriction might be hard to pass, though, seeing as we need to fill the RDI register with a pointer from the stack, which will always contain bad characters that the sanitizer will transform. An interesting thing is that seeing as the packet is fully decrypted before the opcode is handled means we can encounter a copy of our buffer lower on the stack. That means, if we send a packet with an opcode 0x5 (triggers the buffer overflow) along with data, we will both trigger the buffer overflow and introduce an unsanitized buffer somewhere on the stack, past the return address. If we manage to pivot the stack to this area, we can execute any gadget and any shellcode without character restriction. To pivot the stack to the unsanitized buffer, any "pop register; ret" gadget can be used 21 times and land exactly on the unsanitized buffer. Our script will leak the base address in a loop until a base address is found that will allow a fitting gadget to be used. After pivoting the stack with an ASCII "pop" gadget, we can introduce the variables required to call mprotect to the correct registers according to the calling convention. RDI should contain the start of a memory page that we would like to change its permissions. In our case, we will take the leaked stack address and point it at the beginning of the memory page using a bitwise logical AND against 0xffffffffffff000, and then fill RDI with the result. The RSI register will contain the size of the region. We would like to change its permission, and we can instruct a big value like 0x3000, which will probably cover the area that should contain our shellcode. The RDX register should contain the permission we would like to set -- in our case 0x7 should allow for read, write and execute. The last thing needed is to fill RAX with 0xa, which should represent the syscall for mprotect. To execute it, a syscall gadget is introduced, and a jmp rsp gadget is added afterward to jump to our shellcode for execution. Finally, once we overcome the DEP mitigation, any shellcode can be executed to achieve remote code execution over the server and read the flag.txt file. ![Successful RCE over the challenge server](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/08/IMG_8942-1.jpeg) Successful RCE over the challenge server ## Who Solved the Challenge? A total of 1221 users participated in the CTF across 739 competitive teams. Out of the 739 teams competing, only a single team solved the Intergalactic Communicator challenge, which was also the team that solved most challenges and won the CTF. ## See You Next Time We would like to thank everyone who participated in the CTF and particularly BSidesTLV organizers for a great conference. It was a pleasure to meet up and give back to the community. *** ** * ** *** ## Related Blogs ### [Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown), [Event](https://www.paloaltonetworks.com/blog/category/event/?ts=markdown) [#### Unit 42 Cloud Research Coming Up in Vegas: Must-see talks at Black Hat, DEF CON and Cloud Village](https://www2.paloaltonetworks.com/blog/cloud-security/prisma-cloud-def-con-black-hat-usa-cloud-village-2/) ### [Cloud NGFW](https://www.paloaltonetworks.com/blog/network-security/category/cloud-ngfw/?ts=markdown), [Event](https://www.paloaltonetworks.com/blog/category/event/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown) [#### The Power of Unity](https://www2.paloaltonetworks.com/blog/2025/12/the-power-of-unity/) ### [AI Security](https://www.paloaltonetworks.com/blog/category/ai-security/?ts=markdown), [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Event](https://www.paloaltonetworks.com/blog/category/event/?ts=markdown), [Partners](https://www.paloaltonetworks.com/blog/category/partners/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown) [#### Securing the Future of AI](https://www2.paloaltonetworks.com/blog/2025/09/securing-the-future-of-ai/) ### [AI Security](https://www.paloaltonetworks.com/blog/category/ai-security/?ts=markdown), [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Endpoint](https://www.paloaltonetworks.com/blog/category/endpoint-2/?ts=markdown), [Event](https://www.paloaltonetworks.com/blog/category/event/?ts=markdown), [Firewall](https://www.paloaltonetworks.com/blog/category/firewall/?ts=markdown), [Non categorizzato](https://www.paloaltonetworks.com/blog/category/non-categorizzato/?ts=markdown) [#### See How We're Fortifying Cloud and AI at AWS re:Inforce 2025](https://www2.paloaltonetworks.com/blog/2025/06/fortifying-cloud-ai-aws-reinforce/) ### [Cloud Detection and Response](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-detection-and-response/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown), [Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown), [KSPM](https://www.paloaltonetworks.com/blog/cloud-security/category/kspm/?ts=markdown) [#### Kubernetes: A Practitioner's Guide to KSPM](https://www2.paloaltonetworks.com/blog/cloud-security/kubernetes-a-practitioners-guide-to-kspm/) ### [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown), [Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown), [CNAPP](https://www.paloaltonetworks.com/blog/cloud-security/category/cnapp/?ts=markdown), [KSPM](https://www.paloaltonetworks.com/blog/cloud-security/category/kspm/?ts=markdown) [#### Anatomy of a Kubernetes Attack: How Cortex Cloud Provides End-to-End Protection](https://www2.paloaltonetworks.com/blog/cloud-security/kubernetes-attack-detection-response/) ### Subscribe to Cloud Security Blogs! Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more. ![spinner](https://www2.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up Please enter a valid email. By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder. This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply. {#footer} {#footer} ## Products and Services * [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown) * [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown) * [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) * [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown) * [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) * [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown) * [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown) * [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown) * [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown) * [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown) * [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown) * [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown) * [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown) * [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown) * [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown) * [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown) * [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown) * [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown) * [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown) * [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown) * [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown) * [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown) * [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown) * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown) * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown) * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown) * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown) * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown) * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown) * [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown) * [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown) * [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown) * [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown) ## Company * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown) * [Careers](https://jobs.paloaltonetworks.com/en/) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown) * [Customers](https://www.paloaltonetworks.com/customers?ts=markdown) * [Investor Relations](https://investors.paloaltonetworks.com/) * [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown) * [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown) ## Popular Links * [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown) * [Communities](https://www.paloaltonetworks.com/communities?ts=markdown) * [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown) * [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) * [Event Center](https://events.paloaltonetworks.com/) * [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center) * [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown) * [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown) * [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown) * [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown) * [Tech Docs](https://docs.paloaltonetworks.com/) * [Unit 42](https://unit42.paloaltonetworks.com/) * [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd) ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg) * [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown) * [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown) * [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) * [Documents](https://www.paloaltonetworks.com/legal?ts=markdown) Copyright © 2026 Palo Alto Networks. All Rights Reserved * [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks) * [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown) * [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/) * [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks) * [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks) * EN Select your language