Pulse Secure Client < 9.1R6 TOCTOU Privilege Escalation (CVE-2020-13162)

fulldisclosure logo Full Disclosure mailing list archives

  By Date           By Thread        

Pulse Secure Client < 9.1R6 TOCTOU Privilege Escalation (CVE-2020-13162)


From: Red Timmy Security <publications () redtimmy com>
Date: Tue, 16 Jun 2020 18:01:36 +0200


Pulse Secure is recognized among the top 10 Network Access Control (NAC) vendors by global revenue market share. The componay declares that "80% of Fortune 500 trust its VPN products by protecting over 20 million users".

 

At Red Timmy Security we have discovered that Pulse Secure Client for Windows suffers of a local privilege escalation vulnerability in the “PulseSecureService.exe” service. Exploiting this issue allows an attacker to trick “PulseSecureService.exe” into running an arbitrary Microsoft Installer executable (“.msi”) with SYSTEM privileges, granting them administrative rights.

 

The vulnerability lies in the “dsInstallerService” component, which provides non-administrative users the ability to install or update new components using installers provided by Pulse Secure. While “dsInstallerService” performs a signature verification on the content of the installer, it has been found that it’s possible to bypass the check providing the service with a legit Pulse Secure installer and swapping it with a malicious one after the verification

 We have registered CVE-2020-13162 for this vulnerability. 

Full story here: https://www.redtimmy.com/privilege-escalation/pulse-secure-client-for-windows-&lt;9-1-6-toctou-privilege-escalation-(cve-2020-13162/

 Disclosure Timeline
-------------------
Vulnerability discovered: April 13th, 2020
Vendor contacted: April 15th, 2020
Vendor's reply: April 17th, 2020
Vendor patch released: May 22nd, 2020
Red Timmy Disclosure: June 16th, 2020 _______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

  By Date           By Thread  

Current thread:

  • Pulse Secure Client < 9.1R6 TOCTOU Privilege Escalation (CVE-2020-13162) Red Timmy Security (Jun 16)

Follow me for more information.

Uncategorized

Product categories

Post

July 2020
SMTWTFS
 1234
567891011
12131415161718
19202122232425
262728293031 
X