Title: Pulse Secure Desktop Client (Windows) 5.3 Elevation of Privilege Vulnerability
CVE: CVE-2018-11002
Discovery: Matt Bush on behalf of The Missing Link Security
Vulnerability Details
Versions of Pulse Secure Desktop Client 5.3 up to and including R6.0 build 1769 on Windows contain an elevation of privilege vulnerability due to insecure file and directory ACLs.
The default installation of the product grants BUILTIN\Users members effective Modify permissions to the "C:\ProgramData\Pulse Secure\Logging" folder.
The PulseSecureService service runs as BUILTIN\System by default. When this service starts, it attempts to open the file "debuglog.log" in the unsecured directory. If this file is not present (i.e., the service is running for the first time, or the file has been deleted), the service creates the file. The service grants members of the BUILTIN\Everyone group full control (F) permissions on this file.
When the service is not running, an attacker running in the context of an unprivileged user may abuse the weak permissions to create a directory junction and an object manager symbolic link, causing an arbitrary file to be written to an arbitrary location when the service is started. The unprivileged attacker can then overwrite the contents of the created file with arbitrary content.
This vulnerability can be exploited to achieve elevation of privilege by leveraging it for DLL preloading in the PulseSecureService process, or to carry out DLL search order hijacking in other privileged processes.
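To check a host for the condition described above, the following PowerShell audit is an added example, not part of the original advisory or any vendor tooling. It reads the ACLs on the two paths named in the advisory and flags reparse points on them. The list of low-privilege SIDs and the write-rights mask are this example's assumptions about what counts as "unprivileged" and "write-capable".

```powershell
# Added example: audit the advisory's paths for weak ACLs and reparse points.
$LogDir  = 'C:\ProgramData\Pulse Secure\Logging'   # folder named in the advisory
$LogFile = Join-Path $LogDir 'debuglog.log'        # file named in the advisory

# Assumption: principals treated as unprivileged (well-known SIDs, locale-independent).
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Assumption: rights that allow creating, replacing or re-permissioning content.
# Read bits are excluded on purpose, so read-only ACEs are not reported.
# 0x40000000 / 0x10000000 are GENERIC_WRITE / GENERIC_ALL, which can appear raw in ACEs.
$Rights    = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($Rights'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') `
             -bor 0x40000000 -bor 0x10000000

function Get-WeakAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow')                   { continue }
        if (-not $LowPrivSids.ContainsKey($sid))                  { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0)  { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $LowPrivSids[$sid]
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Test-ReparsePoint {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -Force
    [bool]($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint)
}

foreach ($p in $LogDir, $LogFile) {
    if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Not present: $p"; continue }
    # A junction or link here is unexpected: the advisory's attack relies on one.
    if (Test-ReparsePoint $p) { Write-Warning "Reparse point found at: $p" }
    Get-WeakAce $p
}
```

Any row returned for the folder or for debuglog.log means an unprivileged principal can write there; an empty result with no warnings means the ACLs do not match the weak configuration described.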
Affected Versions
Pulse Secure Desktop Client 5.3 (All versions)
Remediation: Upgrade to Pulse Secure Desktop Client 9.0Rx.
CVSS 3.0 Base Score: 7.9
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N/E:F
Timeline:
13/05/2018: Vendor notified and advised of 60 day disclosure deadline
17/05/2018: Vendor acknowledges report
26/07/2018: Vendor requests more time to test fixes
13/09/2018: Vendor is offered an additional 30 days to apply fixes
24/10/2018: Public disclosure
Copyright 2019. The Missing Link