
Updated writeup

Giulio 11 months ago
parent commit 8bcf6af871
1 changed file with 7 additions and 2 deletions

+7 -2 Readme.md

@@ -1,11 +1,14 @@
 # Juniper Host Checker Linux MITM RCE
 ## Intro
-The Host Checker is a client side component that some Pulse Secure appliances may require in order to connect to the VPN. The Host Checker requests a policy from the server and perform basic checks on the client accordingly. Checks may include MAC Addresses, running process (ie: checking for an antivirus) and some others. While on Windows the plugin is an ActiveX component, in Linux, Solaris and OSX it is a Java Applet.
+The Host Checker is a client side component that the [Pulse Connect Secure](https://www.pulsesecure.net/products/pulse-connect-secure/) appliance may require in order to connect to the VPN. The Host Checker requests a policy from the server and perform basic checks on the client accordingly. Checks may include MAC Addresses, running process (ie: checking for an antivirus) and some others. While on Windows the plugin is an ActiveX component, in Linux, Solaris and OSX it is a Java Applet.
 Of course client checks can always be bypassed, and an open source (yet not well documented) implementation [do exist](https://raw.githubusercontent.com/russdill/juniper-vpn-py/master/tncc.py).
 ## Sumamry
-Probably in order to still works with misconfigured instances, the Host Cheker does not check neither the validity of the server certificate nor its hostname. The server can set a malicious cookie, which can be used to exploit a command injection when the user is found not compliant. Note that a malicious server can force a user to be non compliant.
+Probably in order to still work with misconfigured instances, the Host Cheker does not check neither the validity of the server certificate nor its hostname. The server can set a malicious cookie (or it can be done via DNS Rebinding), which can be used to exploit a command injection when the user is found not compliant. Note that a malicious server can force a user to be non compliant.
 ## Code
+The client implement a custom protocol in order to talk to the server. For further reference, the [open source client](https://raw.githubusercontent.com/russdill/juniper-vpn-py/master/tncc.py) has reverse engineered and implemented the same protocol. The file ```tncc.jar``` is not obfuscated in any way and the originalk source code can be obtained with almost any Java decompiler.
+
 ### Certificate
+Below are some extracts of code from the classes that handle the connection with the Pulse Connect Secure appliance.
 In `net.juniper.tnc.client.HttpNAR.HttpNAR`:
 ```
     private void trustAllCerts() throws Exception {
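Review bot: the new parenthetical "(or it can be done via DNS Rebinding)" in the Summary is dropped in without saying what a rebinding page actually reaches; the Cookie section states that the cookies can also be set by "sending commands to a socket listening to all interfaces (but accepting connections only from localhost)", so say here that DNS rebinding lets a web page talk to that localhost socket, otherwise the two ways of planting the cookie read as unrelated. Also fix the double negative "does not check neither the validity of the server certificate nor its hostname" (should be "checks neither ... nor"), and the typos this hunk keeps or introduces: "Sumamry", "Host Cheker", "originalk", "The client implement" (should be "implements"), "requests a policy ... and perform basic checks" (should be "performs"), and "an open source ... implementation do exist" (should be "does exist"). The inline ```tncc.jar``` uses a triple-backtick fence mid-sentence; single backticks match the rest of the README.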
@@ -64,6 +67,7 @@ Both function gets executed when initializing the connection to a server. From t
 ### Cookie
 In order for the Host Checker to work two cookies are needed, `DSPREAUTH` and `DSSIGNIN`.
 They can be either set by the server or from sending commands to a socket listening to all interfaces (but accepting connections only from localhost).
+The following code updates the DSPREAUTH cookie when sending periodic updates to the server. Periodic updates may or may not be required depending on the policy configuration.
 From `net.juniper.tnc.client.HttpNAR.HttpConnection`:
 ```
     public int sendUpdate(final byte[] array, final ByteArrayOutputStream byteArrayOutputStream, final boolean b) throws Exception {
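Review bot: the added sentence says the extract "updates the DSPREAUTH cookie when sending periodic updates to the server" but not where the new cookie value comes from, which is the whole reason this extract is here; the Summary claims "The server can set a malicious cookie", so state explicitly that `sendUpdate` takes the cookie from the server's response and that nothing validates it before it is stored, otherwise the reader cannot see why the cookie is attacker-controlled. "Periodic updates may or may not be required depending on the policy configuration" is too vague to act on: say which policy setting turns periodic re-checks on, or drop the sentence. Minor: "non compliant" elsewhere in the writeup should be hyphenated as "non-compliant".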
@@ -100,6 +104,7 @@ From `net.juniper.tnc.client.HttpNAR.HttpConnection`:
 ```
 
 ### Command injection
+When a client is found to be non compliant, remediation instructions have to be shown to the user in order to give him a chance to fix his problems.
 In `net.juniper.tnc.client.HttpNAR.TNCHandshake`:
 ```
     public void doCustomRemediateInstructions() {
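Review bot: the added sentence explains why remediation instructions are shown but not that they are supplied by the server, which is the link the "Command injection" heading depends on; the Summary already states "a malicious server can force a user to be non compliant", so say here that the instructions arrive from the server and are handed to `doCustomRemediateInstructions` unchanged, so the reader knows what is attacker-controlled before reading the method. Wording: "non compliant" should be "non-compliant", and "give him a chance to fix his problems" reads better as "so they can fix the problem".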