vendors by global revenue market share. The company declares that "80%
of Fortune 500 trust its VPN products by protecting over 20 million
users".
At Red Timmy Security we have discovered that Pulse Secure
Client for
Windows suffers of a local privilege escalation vulnerability in
the
“PulseSecureService.exe” service. Exploiting this issue allows
an
attacker to trick “PulseSecureService.exe” into running an
arbitrary
Microsoft Installer executable (“.msi”) with SYSTEM privileges,
granting
them administrative rights.
The vulnerability lies in the “dsInstallerService” component,
which
provides non-administrative users the ability to install or update
new
components using installers provided by Pulse Secure. While
“dsInstallerService” performs a signature verification on the
content of
the installer, it has been found that it’s possible to bypass the
check
providing the service with a legit Pulse Secure installer and
swapping
it with a malicious one after the verification
We have registered CVE-2020-13162 for this vulnerability.
Full story here:
https://www.redtimmy.com/privilege-escalation/pulse-secure-client-for-windows-9-1-6-toctou-privilege-escalation-cve-2020-13162/
Disclosure Timeline
-------------------
Vulnerability discovered: April 13th, 2020
Vendor contacted: April 15th, 2020
Vendor's reply: April 17th, 2020
Vendor patch released: May 22nd, 2020
Red Timmy Disclosure: June 16th, 2020
Bug discovered by: Giuseppe Calì
Exploit by: Marco Ortisi & Giuseppe Calì
Read more https://packetstormsecurity.com/files/158117/pulsesecure-escalate.txt
