From 8bcf6af8716b19506f07d3e1d5964d564afa9265 Mon Sep 17 00:00:00 2001 From: Giulio Date: Fri, 14 Feb 2020 11:20:33 +0100 Subject: [PATCH] Updated writeup --- Readme.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/Readme.md b/Readme.md index 9bbd1cf..00012cb 100644 --- a/Readme.md +++ b/Readme.md @@ -1,11 +1,14 @@ # Juniper Host Checker Linux MITM RCE ## Intro -The Host Checker is a client side component that some Pulse Secure appliances may require in order to connect to the VPN. The Host Checker requests a policy from the server and perform basic checks on the client accordingly. Checks may include MAC Addresses, running process (ie: checking for an antivirus) and some others. While on Windows the plugin is an ActiveX component, in Linux, Solaris and OSX it is a Java Applet. +The Host Checker is a client side component that the [Pulse Connect Secure](https://www.pulsesecure.net/products/pulse-connect-secure/) appliance may require in order to connect to the VPN. The Host Checker requests a policy from the server and perform basic checks on the client accordingly. Checks may include MAC Addresses, running process (ie: checking for an antivirus) and some others. While on Windows the plugin is an ActiveX component, in Linux, Solaris and OSX it is a Java Applet. Of course client checks can always be bypassed, and an open source (yet not well documented) implementation [do exist](https://raw.githubusercontent.com/russdill/juniper-vpn-py/master/tncc.py). ## Sumamry -Probably in order to still works with misconfigured instances, the Host Cheker does not check neither the validity of the server certificate nor its hostname. The server can set a malicious cookie, which can be used to exploit a command injection when the user is found not compliant. Note that a malicious server can force a user to be non compliant. +Probably in order to still work with misconfigured instances, the Host Cheker does not check neither the validity of the server certificate nor its hostname. The server can set a malicious cookie (or it can be done via DNS Rebinding), which can be used to exploit a command injection when the user is found not compliant. Note that a malicious server can force a user to be non compliant. ## Code +The client implement a custom protocol in order to talk to the server. For further reference, the [open source client](https://raw.githubusercontent.com/russdill/juniper-vpn-py/master/tncc.py) has reverse engineered and implemented the same protocol. The file ```tncc.jar``` is not obfuscated in any way and the originalk source code can be obtained with almost any Java decompiler. + ### Certificate +Below are some extracts of code from the classes that handle the connection with the Pulse Connect Secure appliance. In `net.juniper.tnc.client.HttpNAR.HttpNAR`: ``` private void trustAllCerts() throws Exception { @@ -64,6 +67,7 @@ Both function gets executed when initializing the connection to a server. From t ### Cookie In order for the Host Checker to work two cookies are needed, `DSPREAUTH` and `DSSIGNIN`. They can be either set by the server or from sending commands to a socket listening to all interfaces (but accepting connections only from localhost). +The following code updates the DSPREAUTH cookie when sending periodic updates to the server. Periodic updates may or may not be required depending on the policy configuration. From `net.juniper.tnc.client.HttpNAR.HttpConnection`: ``` public int sendUpdate(final byte[] array, final ByteArrayOutputStream byteArrayOutputStream, final boolean b) throws Exception { @@ -100,6 +104,7 @@ From `net.juniper.tnc.client.HttpNAR.HttpConnection`: ``` ### Command injection +When a client is found to be non compliant, remediation instructions have to be shown to the user in order to give him a chance to fix his problems. In `net.juniper.tnc.client.HttpNAR.TNCHandshake`: ``` public void doCustomRemediateInstructions() {