Updated writeup
parent 8ba4c651fb
commit 8bcf6af871
@ -1,11 +1,14 @@
# Juniper Host Checker Linux MITM RCE
## Intro
The Host Checker is a client side component that some Pulse Secure appliances may require in order to connect to the VPN. The Host Checker requests a policy from the server and perform basic checks on the client accordingly. Checks may include MAC Addresses, running process (ie: checking for an antivirus) and some others. While on Windows the plugin is an ActiveX component, in Linux, Solaris and OSX it is a Java Applet.
The Host Checker is a client side component that the [Pulse Connect Secure](https://www.pulsesecure.net/products/pulse-connect-secure/) appliance may require in order to connect to the VPN. The Host Checker requests a policy from the server and perform basic checks on the client accordingly. Checks may include MAC Addresses, running process (ie: checking for an antivirus) and some others. While on Windows the plugin is an ActiveX component, in Linux, Solaris and OSX it is a Java Applet.
Of course client checks can always be bypassed, and an open source (yet not well documented) implementation [do exist](https://raw.githubusercontent.com/russdill/juniper-vpn-py/master/tncc.py).
## Sumamry
Probably in order to still works with misconfigured instances, the Host Cheker does not check neither the validity of the server certificate nor its hostname. The server can set a malicious cookie, which can be used to exploit a command injection when the user is found not compliant. Note that a malicious server can force a user to be non compliant.
Probably in order to still work with misconfigured instances, the Host Cheker does not check neither the validity of the server certificate nor its hostname. The server can set a malicious cookie (or it can be done via DNS Rebinding), which can be used to exploit a command injection when the user is found not compliant. Note that a malicious server can force a user to be non compliant.
## Code
The client implement a custom protocol in order to talk to the server. For further reference, the [open source client](https://raw.githubusercontent.com/russdill/juniper-vpn-py/master/tncc.py) has reverse engineered and implemented the same protocol. The file ```tncc.jar``` is not obfuscated in any way and the originalk source code can be obtained with almost any Java decompiler.
### Certificate
Below are some extracts of code from the classes that handle the connection with the Pulse Connect Secure appliance.
In `net.juniper.tnc.client.HttpNAR.HttpNAR`:
```
private void trustAllCerts() throws Exception {
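Review bot: the rewritten Summary line keeps the typos of the line it replaces ("Host Cheker", the heading "Sumamry", the double negative "does not check neither ... nor"); since the line is being touched anyway, make it "the Host Checker checks neither the validity of the server certificate nor its hostname". The parenthetical added here, "(or it can be done via DNS Rebinding)", is not explained anywhere in the hunk; either say in the Cookie section how it relates to cookie setting or leave it out of the Summary. Smaller points in the same hunk: "perform basic checks" should be "performs basic checks", "an open source ... implementation do exist" should be "does exist", "The client implement" should be "implements", "originalk" should be "original", and the inline `tncc.jar` should use single backticks rather than a triple-backtick fence.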
@ -64,6 +67,7 @@ Both function gets executed when initializing the connection to a server. From t
### Cookie
In order for the Host Checker to work two cookies are needed, `DSPREAUTH` and `DSSIGNIN`.
They can be either set by the server or from sending commands to a socket listening to all interfaces (but accepting connections only from localhost).
The following code updates the DSPREAUTH cookie when sending periodic updates to the server. Periodic updates may or may not be required depending on the policy configuration.
From `net.juniper.tnc.client.HttpNAR.HttpConnection`:
```
public int sendUpdate(final byte[] array, final ByteArrayOutputStream byteArrayOutputStream, final boolean b) throws Exception {
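Review bot: "or from sending commands to a socket" should read "or by sending commands to a socket". The statement that the socket listens on all interfaces but only accepts connections from localhost is the security-relevant claim of this section, so point at the class and check that enforces it (how "localhost" is determined), otherwise a reader cannot verify it from the extract. The opening fence before the `sendUpdate` extract has no language tag; tagging it as java matches the surrounding text and gives highlighting.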
@ -100,6 +104,7 @@ From `net.juniper.tnc.client.HttpNAR.HttpConnection`:
```
### Command injection
When a client is found to be non compliant, remediation instructions have to be shown to the user in order to give him a chance to fix his problems.
In `net.juniper.tnc.client.HttpNAR.TNCHandshake`:
```
public void doCustomRemediateInstructions() {
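Review bot: the section heading says "Command injection" but the sentence introducing `doCustomRemediateInstructions` only describes showing remediation text to the user; add one sentence stating which input of that method is server controlled (the Summary attributes it to the cookie) so the heading is justified before the code extract. Wording: "give him a chance to fix his problems" should be "give them a chance to fix their problems", and "non compliant" is hyphenated as "non-compliant". The fence before the extract is again missing its language tag.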