Pulse Secure Windows Client <9.1.6 (CVE-2020-13162) - exploit

Today we are proud to release the exploit for the Pulse Secure client (CVE-2020-13162). More details here. This was supposed to be published sooner. We apologize for the delay, but the Black Hat event has kept us quite busy.

You can find both the exploit source code (tu-TOCTOU-kaiù-TOCMEU) and the compiled binary in our github. Let us spend a few words on it. Compile the source code as a 32-bit binary, otherwise the exploit will not work. If you do so, you can successfully launch it against either x86 or x86_64 vulnerable systems. Otherwise you get in your hands a beautiful 64-bit binary which is purely ornamental, as it will not work.

We used Visual Studio 2015 Community edition to compile it. Anyway, if you want to skip that step (and trust us 🙂) you can use the already compiled binary in the “bin” folder.

Regardless of your decision, you have to run the exploit from the command line like this:

C:\Users\slurpy\exploit\> tu-TOCTOU-kaiù-TOCMEU.exe

The exploit must be copied into the same folder as two other files (both of them already included in the “bin” directory):

  • evil.msi: this is the component that will be executed after the exploit manages to acquire high privileges. It is nothing more than a compiled C program invoking “cmd.exe” via a “system()” call, packed into an MSI archive. It is so simple that we are not even going to release the source code.
  • PulseSecureInstallerService.exe: this is a Pulse Secure signed binary that the Pulse Secure client will attempt to install with high privileges, the same high privileges that the exploit will try to abuse in order to launch “evil.msi” and give you back a command prompt with “NT AUTHORITY\SYSTEM” rights.

Of course the main prerequisite is that a version of the Pulse Secure client lower than 9.1.6 is installed on the target system.

This is the output of the tool when the vulnerability is successfully exploited:

[@] Hello cicci! If the exploit fails or just want to re-launch, delete the folder C:\ProgramData\Pulse Secure\Installers and all the files inside there, before to re-run it
[*] Creating a new directory...
[*] Creating our magic file...
[*] Launching thread1...
[*] Creating an exclusive oplock for msiexec.exe...
[*] Oplock creation successful...
[*] Running PulseSecureInstallerService...
[*] Copy evil file to destination folder...
Closing Handle
[*] Oplock released...
[!] If you are lucky, enjoy your high privileged shell!
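As an added example (not part of the original post and not the exploit's own code), the following Python correlates constructed, Sysmon-style file-create and process-create events to flag the pattern visible in the output above from the defender's side: an MSI written by a non-SYSTEM user into the C:\ProgramData\Pulse Secure\Installers folder and then executed by msiexec.exe as SYSTEM. The pipe-separated event format, user names and the benign file names are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (not real logs), one event per line:
# event|user|image_or_path|command_line
SAMPLE_EVENTS = [
    # The pattern described in the exploit output: a user stages an MSI in the
    # installer folder, then msiexec runs it as SYSTEM.
    r"FileCreate|DESKTOP\slurpy|C:\ProgramData\Pulse Secure\Installers\evil.msi|",
    r'ProcessCreate|NT AUTHORITY\SYSTEM|C:\Windows\System32\msiexec.exe|msiexec.exe /i "C:\ProgramData\Pulse Secure\Installers\evil.msi" /qn',
    # Benign (assumed): SYSTEM stages and installs its own package.
    r"FileCreate|NT AUTHORITY\SYSTEM|C:\ProgramData\Pulse Secure\Installers\vendor.msi|",
    r'ProcessCreate|NT AUTHORITY\SYSTEM|C:\Windows\System32\msiexec.exe|msiexec.exe /i "C:\ProgramData\Pulse Secure\Installers\vendor.msi" /qn',
    # Benign (assumed): a user installs something from Downloads as themselves.
    r"FileCreate|DESKTOP\slurpy|C:\Users\slurpy\Downloads\tool.msi|",
    r'ProcessCreate|DESKTOP\slurpy|C:\Windows\System32\msiexec.exe|msiexec.exe /i "C:\Users\slurpy\Downloads\tool.msi"',
]

STAGING_DIR = r"c:\programdata\pulse secure\installers"
# Extracts Windows paths ending in .msi from a command line (quoted or not).
MSI_PATH = re.compile(r'([a-z]:\\[^"]*?\.msi)', re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    event, user, path, cmdline = line.split("|", 3)
    return {"event": event, "user": user, "path": path, "cmdline": cmdline}


def is_system(user: str) -> bool:
    return user.upper() == r"NT AUTHORITY\SYSTEM"


def find_staged_msi_abuse(lines: List[str]) -> List[str]:
    """Return one alert per MSI that a non-SYSTEM user wrote into the Pulse
    Secure installer folder and that msiexec.exe later executed as SYSTEM."""
    staged_by_user: Dict[str, str] = {}  # lower-cased MSI path -> writing user
    alerts: List[str] = []
    for ev in map(parse_event, lines):
        p = ev["path"].lower()
        if (ev["event"] == "FileCreate" and p.startswith(STAGING_DIR)
                and p.endswith(".msi") and not is_system(ev["user"])):
            staged_by_user[p] = ev["user"]
        elif (ev["event"] == "ProcessCreate" and p.endswith("\\msiexec.exe")
                and is_system(ev["user"])):
            for msi in MSI_PATH.findall(ev["cmdline"]):
                writer = staged_by_user.get(msi.lower())
                if writer:
                    alerts.append(f"msiexec as SYSTEM ran {msi} staged by {writer}")
    return alerts


if __name__ == "__main__":
    for alert in find_staged_msi_abuse(SAMPLE_EVENTS):
        print("[ALERT]", alert)
```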

At that point a new “cmd.exe” window should pop up with high privileges:

That’s all! As usual, do not forget to follow us on Twitter and GitHub, and above all have a look at the Red Timmy Academy page to get our latest courses and trainings.