lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 16 Jun 2020 18:01:36 +0200
From: Red Timmy Security <publications@...timmy.com>
To: fulldisclosure@...lists.org
Subject: [FD] Pulse Secure Client < 9.1R6 TOCTOU Privilege Escalation
 (CVE-2020-13162)

Pulse Secure is recognized among the top 10 Network Access Control (NAC) 
vendors by global revenue market share. The componay declares that "80% 
of Fortune 500 trust its VPN products by protecting over 20 million 
users".

At Red Timmy Security we have discovered that Pulse Secure Client for 
Windows suffers of a local privilege escalation vulnerability in the 
“PulseSecureService.exe” service. Exploiting this issue allows an 
attacker to trick “PulseSecureService.exe” into running an arbitrary 
Microsoft Installer executable (“.msi”) with SYSTEM privileges, granting 
them administrative rights.

The vulnerability lies in the “dsInstallerService” component, which 
provides non-administrative users the ability to install or update new 
components using installers provided by Pulse Secure. While 
“dsInstallerService” performs a signature verification on the content of 
the installer, it has been found that it’s possible to bypass the check 
providing the service with a legit Pulse Secure installer and swapping 
it with a malicious one after the verification

We have registered CVE-2020-13162 for this vulnerability.

Full story here: 
https://www.redtimmy.com/privilege-escalation/pulse-secure-client-for-windows-&lt;9-1-6-toctou-privilege-escalation-(cve-2020-13162/

Disclosure Timeline
-------------------
Vulnerability discovered: April 13th, 2020
Vendor contacted: April 15th, 2020
Vendor's reply: April 17th, 2020
Vendor patch released: May 22nd, 2020
Red Timmy Disclosure: June 16th, 2020


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists