|
@@ -1,11 +1,14 @@
|
|
|
# Juniper Host Checker Linux MITM RCE
|
|
|
## Intro
|
|
|
-The Host Checker is a client side component that some Pulse Secure appliances may require in order to connect to the VPN. The Host Checker requests a policy from the server and perform basic checks on the client accordingly. Checks may include MAC Addresses, running process (ie: checking for an antivirus) and some others. While on Windows the plugin is an ActiveX component, in Linux, Solaris and OSX it is a Java Applet.
|
|
|
+The Host Checker is a client side component that the [Pulse Connect Secure](https://www.pulsesecure.net/products/pulse-connect-secure/) appliance may require in order to connect to the VPN. The Host Checker requests a policy from the server and perform basic checks on the client accordingly. Checks may include MAC Addresses, running process (ie: checking for an antivirus) and some others. While on Windows the plugin is an ActiveX component, in Linux, Solaris and OSX it is a Java Applet.
|
|
|
Of course client checks can always be bypassed, and an open source (yet not well documented) implementation [do exist](https://raw.githubusercontent.com/russdill/juniper-vpn-py/master/tncc.py).
|
|
|
## Sumamry
|
|
|
-Probably in order to still works with misconfigured instances, the Host Cheker does not check neither the validity of the server certificate nor its hostname. The server can set a malicious cookie, which can be used to exploit a command injection when the user is found not compliant. Note that a malicious server can force a user to be non compliant.
|
|
|
+Probably in order to still work with misconfigured instances, the Host Cheker does not check neither the validity of the server certificate nor its hostname. The server can set a malicious cookie (or it can be done via DNS Rebinding), which can be used to exploit a command injection when the user is found not compliant. Note that a malicious server can force a user to be non compliant.
|
|
|
## Code
|
|
|
+The client implement a custom protocol in order to talk to the server. For further reference, the [open source client](https://raw.githubusercontent.com/russdill/juniper-vpn-py/master/tncc.py) has reverse engineered and implemented the same protocol. The file ```tncc.jar``` is not obfuscated in any way and the originalk source code can be obtained with almost any Java decompiler.
|
|
|
+
|
|
|
### Certificate
|
|
|
+Below are some extracts of code from the classes that handle the connection with the Pulse Connect Secure appliance.
|
|
|
In `net.juniper.tnc.client.HttpNAR.HttpNAR`:
|
|
|
```
|
|
|
private void trustAllCerts() throws Exception {
|
|
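Review bot: the rewritten lines in this hunk carry over and introduce several typos plus one inline-code style mismatch that should be fixed before merging. `perform basic checks` should read `performs basic checks`; `Host Cheker` should be `Host Checker`; `does not check neither the validity of the server certificate nor its hostname` is a double negative and should read `checks neither the validity of the server certificate nor its hostname`; `originalk source code` should be `original source code`; and the inline ```tncc.jar``` uses a triple-backtick span while the rest of the page uses single backticks, so use `tncc.jar`. While this region is being touched, the unchanged `## Sumamry` heading could be corrected to `## Summary`. The new parenthetical `(or it can be done via DNS Rebinding)` is too terse to follow: say which cookie-setting path DNS rebinding reaches, presumably the localhost-only socket that the Cookie section describes, since the page states a cookie can be set either by the server or through that socket.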
@@ -64,6 +67,7 @@ Both function gets executed when initializing the connection to a server. From t
|
|
|
### Cookie
|
|
|
In order for the Host Checker to work two cookies are needed, `DSPREAUTH` and `DSSIGNIN`.
|
|
|
They can be either set by the server or from sending commands to a socket listening to all interfaces (but accepting connections only from localhost).
|
|
|
+The following code updates the DSPREAUTH cookie when sending periodic updates to the server. Periodic updates may or may not be required depending on the policy configuration.
|
|
|
From `net.juniper.tnc.client.HttpNAR.HttpConnection`:
|
|
|
```
|
|
|
public int sendUpdate(final byte[] array, final ByteArrayOutputStream byteArrayOutputStream, final boolean b) throws Exception {
|
|
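Review bot: the added sentence introducing `sendUpdate` is vague about the security-relevant behaviour and should state it directly. `Periodic updates may or may not be required depending on the policy configuration` gives the reader nothing actionable; say instead whether the DSPREAUTH value written here is taken from the server response without validation, because that is what connects this section to the Summary's claim that the server can set a malicious cookie. The excerpt that follows is only the signature of `sendUpdate`, so either mention that the cookie handling sits in the elided body or include those lines.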
@@ -100,6 +104,7 @@ From `net.juniper.tnc.client.HttpNAR.HttpConnection`:
|
|
|
```
|
|
|
|
|
|
### Command injection
|
|
|
+When a client is found to be non compliant, remediation instructions have to be shown to the user in order to give him a chance to fix his problems.
|
|
|
In `net.juniper.tnc.client.HttpNAR.TNCHandshake`:
|
|
|
```
|
|
|
public void doCustomRemediateInstructions() {
|
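Review bot: the added introductory sentence does not tie the excerpt to the section heading `### Command injection`. State that the remediation instructions delivered for a non-compliant client are the input that reaches the injection (the Summary already says the injection is reachable when the user is found not compliant and that a malicious server can force that state), so the reader knows why `doCustomRemediateInstructions` is quoted. Minor wording: `non compliant` should be `non-compliant`, and `give him a chance to fix his problems` reads better as `give them a chance to fix the problems`.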