Pulse Secure Client For Windows Local Privilege Escalation

2020.06.17
Credit: Marco Ortisi
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-264


CVSS Base Score: 6.9/10
Impact Subscore: 10/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Pulse Secure is recognized among the top 10 Network Access Control (NAC) vendors by global revenue market share. The company declares that "80% of Fortune 500 trust its VPN products by protecting over 20 million users". At Red Timmy Security we have discovered that Pulse Secure Client for Windows suffers of a local privilege escalation vulnerability in the “PulseSecureService.exe” service. Exploiting this issue allows an attacker to trick “PulseSecureService.exe” into running an arbitrary Microsoft Installer executable (“.msi”) with SYSTEM privileges, granting them administrative rights. The vulnerability lies in the “dsInstallerService” component, which provides non-administrative users the ability to install or update new components using installers provided by Pulse Secure. While “dsInstallerService” performs a signature verification on the content of the installer, it has been found that it’s possible to bypass the check providing the service with a legit Pulse Secure installer and swapping it with a malicious one after the verification We have registered CVE-2020-13162 for this vulnerability. Full story here: https://www.redtimmy.com/privilege-escalation/pulse-secure-client-for-windows-9-1-6-toctou-privilege-escalation-cve-2020-13162/ Disclosure Timeline ------------------- Vulnerability discovered: April 13th, 2020 Vendor contacted: April 15th, 2020 Vendor's reply: April 17th, 2020 Vendor patch released: May 22nd, 2020 Red Timmy Disclosure: June 16th, 2020 Bug discovered by: Giuseppe Calì Exploit by: Marco Ortisi & Giuseppe Calì


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top