[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CANoQWWehB7AK-E6wqEh1zS7G-RtpFTwaJvJp6D1-091HsBzmfA@mail.gmail.com>
Date: Tue, 18 Dec 2018 07:18:44 +0100
From: Rafael Pedrero <rafael.pedrero@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2018-20193 - Privilege escalation in Juniper Secure Access
SSL VPN - SA-4000, 5.1R5 (build 9627) 4.2 Release (build 7631)
In 2006...
<!--
# Exploit Title: Privilege escalation in Juniper Secure Access SSL VPN -
SA-4000, 5.1R5 (build 9627) 4.2 Release (build 7631)
# Date: 18-12-2018
# Exploit Author: Rafael Pedrero
# Vendor Homepage: http://www.juniper.net/
# Software Link: http://www.juniper.net/
# Version: Juniper Secure Access SSL VPN SA-4000 5.1R5 (build 9627) 4.2
Release (build 7631)
# Tested on: all
# CVE : CVE-2018-20193
# Category: webapps
1. Description
Certain Secure Access SA Series SSL VPN products (originally developed by
Juniper Networks but now sold and supported by Pulse Secure, LLC) allow
privilege escalation, as demonstrated by Secure Access SSL VPN SA-4000
5.1R5 (build 9627) 4.2 Release (build 7631). This occurs because
appropriate controls are not performed.
2. Proof of Concept
It is possible to change the administrator user password from readonly user
because the appropriate controls are not performed. Save the page
/dana-admin/user/update.cgi in local, change the "user" value and save
changes.
3. Solution:
This version is deprecated. Update to last version this product.
-->
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists