exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Pulse Secure Client For Windows Local Privilege Escalation

Pulse Secure Client For Windows Local Privilege Escalation
Posted Jun 16, 2020
Authored by Marco Ortisi, redtimmysec, Giuseppe Cali | Site redtimmy.com

Red Timmy Sec has discovered that Pulse Secure Client for Windows suffers from a local privilege escalation vulnerability in the PulseSecureService.exe service.

tags | advisory, local
systems | windows
advisories | CVE-2020-13162
SHA-256 | 5f5a0396cb9bd8b8918531a470f34efbfce05c416ca68a1d578867b7468c1362

Pulse Secure Client For Windows Local Privilege Escalation

Change Mirror Download
Pulse Secure is recognized among the top 10 Network Access Control (NAC) 
vendors by global revenue market share. The company declares that "80%
of Fortune 500 trust its VPN products by protecting over 20 million
users".

At Red Timmy Security we have discovered that Pulse Secure Client for
Windows suffers of a local privilege escalation vulnerability in the
“PulseSecureService.exe” service. Exploiting this issue allows an
attacker to trick “PulseSecureService.exe” into running an arbitrary
Microsoft Installer executable (“.msi”) with SYSTEM privileges, granting
them administrative rights.

The vulnerability lies in the “dsInstallerService” component, which
provides non-administrative users the ability to install or update new
components using installers provided by Pulse Secure. While
“dsInstallerService” performs a signature verification on the content of
the installer, it has been found that it’s possible to bypass the check
providing the service with a legit Pulse Secure installer and swapping
it with a malicious one after the verification

We have registered CVE-2020-13162 for this vulnerability.

Full story here:
https://www.redtimmy.com/privilege-escalation/pulse-secure-client-for-windows-9-1-6-toctou-privilege-escalation-cve-2020-13162/

Disclosure Timeline
-------------------
Vulnerability discovered: April 13th, 2020
Vendor contacted: April 15th, 2020
Vendor's reply: April 17th, 2020
Vendor patch released: May 22nd, 2020
Red Timmy Disclosure: June 16th, 2020

Bug discovered by: Giuseppe Calì
Exploit by: Marco Ortisi & Giuseppe Calì
Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    20 Files
  • 31
    Jan 31st
    31 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close