Discovered by Matt Bush on behalf of The Missing Link Security
Versions of Pulse Secure Desktop Client 5.3 up to and including R6.0 build 1769 on Windows contain an elevation of privilege vulnerability due to insecure file and directory ACLs.
The default installation of the product grants BUILTIN\Users members effective Modify permissions to the "C:\ProgramData\Pulse Secure\Logging" folder.
The PulseSecureService service runs as BUILTIN\System by default. When this service starts it attempts to open the file "debuglog.log" in the unsecured directory. If this file is not present (i.e., the service is running for the first time, or the file has been deleted), the service creates it. The service grants members of the BUILTIN\Everyone group Full Control (F) permissions on this file.
When the service is not running, an attacker running in the context of an unprivileged user may abuse the weak permissions to create a directory junction and an object manager symbolic link, so that when the service is started it writes an arbitrary file to an arbitrary location. The unprivileged attacker can then overwrite the contents of the created file with arbitrary content.
This vulnerability can be exploited to achieve elevation of privilege by leveraging it for DLL preloading in the PulseSecureService process, or to carry out DLL search order hijacking in other privileged processes.
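Added audit check, not code from the advisory or from Pulse Secure: this PowerShell script inspects the ACLs on the Logging directory and, where present, debuglog.log named above, and reports any Allow ACE that grants BUILTIN\Users, Authenticated Users or Everyone write-class rights (the Modify and Full Control grants described above would both be flagged). The list of well-known SIDs and the rights mask are the script's own assumptions about what counts as a low-privileged principal and a dangerous right.

```powershell
# Added audit script; not part of the advisory or of the vendor's product.
# Flags ACEs on the Logging directory (and debuglog.log, if present) that give
# low-privileged principals write-class rights. Paths are those named in the advisory.
$paths = @(
    'C:\ProgramData\Pulse Secure\Logging',
    'C:\ProgramData\Pulse Secure\Logging\debuglog.log'
)
# Assumed set of low-privileged principals, by well-known SID:
# BUILTIN\Users, Authenticated Users, Everyone
$lowPrivSids = @('S-1-5-32-545', 'S-1-5-11', 'S-1-1-0')

# Any of these bits lets a caller create, replace, delete or re-ACL content.
$writeClass = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                    [System.Security.AccessControl.FileSystemRights]::Delete -bor
                    [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                    [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                    [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
$genericWriteAll = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL (unmapped generic ACEs)

function Test-WeakAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    try {
        $sid = $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $false }   # unresolvable account: not one of the well-known groups above
    if ($lowPrivSids -notcontains $sid) { return $false }
    $rights = [int]$Ace.FileSystemRights
    return (($rights -band $writeClass) -ne 0) -or (($rights -band $genericWriteAll) -ne 0)
}

foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) { Write-Output "$p : not present"; continue }
    $acl  = Get-Acl -LiteralPath $p
    $weak = @($acl.Access | Where-Object { Test-WeakAce $_ })
    if ($weak.Count -eq 0) { Write-Output "$p : OK (no write-class rights for low-privileged groups)"; continue }
    foreach ($ace in $weak) {
        # Inherited ACEs usually point at a weak parent directory rather than the file itself.
        Write-Output ("{0} : WEAK  {1} -> {2}{3}" -f $p, $ace.IdentityReference,
            $ace.FileSystemRights, $(if ($ace.IsInherited) { ' (inherited)' } else { '' }))
    }
}
```

Run it from an elevated prompt on a host with the client installed; a WEAK line for either path means the unsafe default ACLs are still in place and the upgrade or a manual ACL correction is needed.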
Affected: Pulse Secure Desktop Client 5.3 (All versions)
Remediation: Upgrade to Pulse Secure Desktop Client 9.0Rx.
CVSS 3.0 Base Score: 7.9
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N/E:F
Timeline:
13/05/2018: Vendor notified and advised of 60-day disclosure deadline
17/05/2018: Vendor acknowledges report
26/07/2018: Vendor requests more time to test fixes
13/09/2018: Vendor is offered an additional 30 days to apply fixes
24/10/2018: Public disclosure