Browse Source

Writeup draft

Giulio 10 months ago
commit
8ba4c651fb
2 changed files with 154 additions and 0 deletions
  1. 154 0
      Readme.md
  2. BIN
      tncc.jar

+ 154 - 0
Readme.md

@@ -0,0 +1,154 @@
+# Juniper Host Checker Linux MITM RCE
+## Intro
+The Host Checker is a client side component that some Pulse Secure appliances may require in order to connect to the VPN. The Host Checker requests a policy from the server and perform basic checks on the client accordingly. Checks may include MAC Addresses, running process (ie: checking for an antivirus) and some others. While on Windows the plugin is an ActiveX component, in Linux, Solaris and OSX it is a Java Applet.
+Of course client checks can always be bypassed, and an open source (yet not well documented) implementation [do exist](https://raw.githubusercontent.com/russdill/juniper-vpn-py/master/tncc.py).
+## Sumamry
+Probably in order to still works with misconfigured instances, the Host Cheker does not check neither the validity of the server certificate nor its hostname. The server can set a malicious cookie, which can be used to exploit a command injection when the user is found not compliant. Note that a malicious server can force a user to be non compliant.
+## Code
+### Certificate
+In `net.juniper.tnc.client.HttpNAR.HttpNAR`:
+```
+    private void trustAllCerts() throws Exception {
+        final TrustManager[] tm = { new X509TrustManager() {
+                @Override
+                public X509Certificate[] getAcceptedIssuers() {
+                    return null;
+                }
+                
+                @Override
+                public void checkClientTrusted(final X509Certificate[] array, final String s) {
+                }
+                
+                @Override
+                public void checkServerTrusted(final X509Certificate[] array, final String s) {
+                }
+            } };
+        final SSLContext instance = SSLContext.getInstance(NARUtil.getSSLProtocol());
+        instance.init(null, tm, new SecureRandom());
+        HttpsURLConnection.setDefaultSSLSocketFactory(instance.getSocketFactory());
+    }
+    
+    private void allowHostnameMismatch() {
+        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
+            @Override
+            public boolean verify(final String s, final SSLSession sslSession) {
+                return true;
+            }
+        });
+    }
+```
+Both function gets executed when initializing the connection to a server. From the same class as above:
+```
+    public void initialize(final String[] array) throws Exception {
+            [..parametr parsing..]
+        if (this.mHomeDir.length() == 0) {
+            this.mHomeDir = System.getProperty("user.home");
+        }
+        if (HttpNAR.gLoggingEnabled) {
+            [..omitted log instructions..]
+        }
+        if (!this.isPlatformSupported()) {
+            NARUtil.logError("HttpNAR: unsupported operating system " + NARUtil.getOSName() + "; stopping...");
+            throw new Exception("Unsupported operating system");
+        }
+        this.mAppSupportDir = this.getPlatformSupportDir(this.mHomeDir);
+        [..proxy usage..]
+        
+        (this.mTncClient = new TNCClient()).initialize(this);
+        this.loadbundledIMC();
+        this.mHandshakeRequestor.start();
+        this.trustAllCerts();
+        this.allowHostnameMismatch();
+    }
+```
+### Cookie
+In order for the Host Checker to work two cookies are needed, `DSPREAUTH` and `DSSIGNIN`.
+They can be either set by the server or from sending commands to a socket listening to all interfaces (but accepting connections only from localhost).
+From `net.juniper.tnc.client.HttpNAR.HttpConnection`:
+```
+    public int sendUpdate(final byte[] array, final ByteArrayOutputStream byteArrayOutputStream, final boolean b) throws Exception {
+        NARUtil.logInfo("TNCoHTTP: sending update = ");
+        NARUtil.logData(array);
+        final String byteArrayToBase64 = Base64.byteArrayToBase64(array);
+        final String string = "https://" + this.mIveHost + "/dana-na/hc/tnchcupdate.cgi";
+        NARUtil.logInfo("TNCoHTTP: opening connection to " + string);
+        final HttpsURLConnection httpsURLConnection = (HttpsURLConnection)new URL(string).openConnection();
+        httpsURLConnection.setDoOutput(true);
+        httpsURLConnection.setDoInput(true);
+        httpsURLConnection.setRequestProperty("Cookie", "DSPREAUTH=" + this.mPreauthCookie + ";DSSIGNIN=" + this.mSignIn);
+        if (this.mUserAgent.length() > 0) {
+            httpsURLConnection.setRequestProperty("User-Agent", this.mUserAgent);
+        }
+        NARUtil.setConnectTimeout(httpsURLConnection, 2000);
+        httpsURLConnection.connect();
+        final PrintWriter printWriter = new PrintWriter(httpsURLConnection.getOutputStream());
+        [..adding parameters..]
+        if (b) {
+            printWriter.print("firsttime=1;");
+        }
+        printWriter.close();
+        String headerFieldKey;
+        for (int n = 1; (headerFieldKey = httpsURLConnection.getHeaderFieldKey(n)) != null; ++n) {
+            final String headerField = httpsURLConnection.getHeaderField(n);
+            if (headerFieldKey.equalsIgnoreCase("Set-Cookie") && headerField.startsWith("DSPREAUTH=")) {
+                final int index = headerField.indexOf(59);
+                this.mPreauthCookie = headerField.substring(10, index);
+                this.mPreauthOpts = headerField.substring(index);
+                NARUtil.logInfo("TNCoHTTP: received response DSPREAUTH = " + this.mPreauthCookie + this.mPreauthOpts);
+            }
+        }
+```
+
+### Command injection
+In `net.juniper.tnc.client.HttpNAR.TNCHandshake`:
+```
+    public void doCustomRemediateInstructions() {
+        final StringBuffer sb = new StringBuffer();
+        sb.append("https://").append(this.mIcURL);
+        sb.append("/dana-na/auth/rdpreauth.cgi?DSPREAUTH=" + this.mCookie);
+        final String string = sb.toString();
+        NARUtil.logInfo("TncHandshake: launching browser for " + string);
+        NARUtil.execCommand((NARUtil.isMacOSX() ? "open -a Safari " : ((NARUtil.isLinux() || NARUtil.isSolaris()) ? "firefox " : "")) + string);
+        NARUtil.logInfo("TncHandshake: browser launched");
+    }
+```
+From `net.juniper.tnc.client.HttpNAR.NARUtil`:
+```
+    public static String execCommand(final String s) {
+        String execCommand = null;
+        if (NARUtil.PlatformUtil != null) {
+            execCommand = NARUtil.PlatformUtil.execCommand(s);
+        }
+        return execCommand;
+    }
+```
+From `net.juniper.tnc.client.NARPlatform.linux.LinuxNARPlatform`:
+```
+    @Override
+    public String execCommand(final String s) {
+        String output = null;
+        try {
+            final Process exec = Runtime.getRuntime().exec(s);
+            final CommandOutputThread commandOutputThread = new CommandOutputThread(exec.getInputStream());
+            final CommandOutputThread commandOutputThread2 = new CommandOutputThread(exec.getErrorStream());
+            commandOutputThread.start();
+            commandOutputThread2.start();
+            final int wait = exec.waitFor();
+            if (wait != 0) {
+                this.logError("Command " + s + " failed; return = " + wait + "; error output = " + commandOutputThread2.getOutput());
+            }
+            output = commandOutputThread.getOutput();
+        }
+        catch (Exception ex) {
+            this.logException(ex);
+        }
+        return output;
+    }
+```
+As we can see, the `NARUtil.execCommand()` function is just a wrapper around `Runtime.getRuntime().exec()`.
+## Full Chain
+An attacker who is in a position where he can perform a Man in the Middle attack may spoof the server and send a malicious cookie along with an impossible to comply policy. An example cookie could be any method of command injection on linux (ex: `; sleep 20;`, `$(sleep 20)`, `\nsleep 20`, etc.). The client will then fail to comply with the policy and execute the command with the appended value when trying to show remediation instructions.
+### DNS Rebinding (Bonus)
+The Host Checker is controlled using a command socket. By default, when the Host Checker is started, it opens a socket using `ServerSocket(0)` which will automatically choose a port to listen on all interfaces. The selected port will then be writte to `~/.pulse_secure/narport.txt`.
+The code prevents sending commands froma non local host but apart from that doesn't have any other authentication mechanism. An attacker may [brute force the port using JavaScript](https://portswigger.net/research/exposing-intranets-with-reliable-browser-based-port-scanning) or if in the same network directly ports can since it is listening on all interfaces. Once the ports is known, a DNS Rebinding attack can be done and commands can be sent to the socket. While this does not imply a command execution per se, one of the supported commands is `setcookie` which sets the cookie used for the command injection descripted in the paragraph above.
+Note: the command socket expect a command to start at the beginnig of the first line but will try to parse up to 25 invalid commands before exiting, so a GET or a POST requests should work.

BIN
tncc.jar