CVE-2018-15749 - Use of Externally-Controlled Format String

Severity

21%

Complexity

39%

Confidentiality

48%

The Pulse Secure Desktop (macOS) 5.3RX before 5.3R5 and 9.0R1 has a Format String Vulnerability.

The Pulse Secure Desktop (macOS) 5.3RX before 5.3R5 and 9.0R1 has a Format String Vulnerability.

CVSS 3.0 Base Score 5.5. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

CVSS 2.0 Base Score 2.1. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N).

Demo Examples

Use of Externally-Controlled Format String

CWE-134

The following program prints a string provided as an argument.


               
}

                     
printf(string);

                     
return (0);

The example is exploitable, because of the call to printf() in the printWrapper() function. Note: The stack buffer was added to make exploitation more simple.

Use of Externally-Controlled Format String

CWE-134

The following code copies a command line argument into a buffer using snprintf().


               
}
snprintf(buf,128,argv[1]);

This code allows an attacker to view the contents of the stack and write to the stack using a command line argument containing a sequence of formatting directives. The attacker can read from the stack by providing more formatting directives, such as %x, than the function takes as arguments to be formatted. (In this example, the function takes no arguments to be formatted.) By using the %n formatting directive, the attacker can write to the stack, causing snprintf() to write the number of bytes output thus far to the specified argument (rather than reading a value from the argument, which is the intended behavior). A sophisticated version of this attack will use four staggered writes to completely control the value of a pointer on the stack.

Use of Externally-Controlled Format String

CWE-134

Certain implementations make more advanced attacks even easier by providing format directives that control the location in memory to read from or write to. An example of these directives is shown in the following code, written for glibc:


               
printf("%d %d %1$d %1$d\n", 5, 9);

This code produces the following output: 5 9 5 5 It is also possible to use half-writes (%hn) to accurately control arbitrary DWORDS in memory, which greatly reduces the complexity needed to execute an attack that would otherwise require four staggered writes, such as the one mentioned in the first example.

Overview

Type

Pulse Secure Pulse Secure Desktop Client

First reported 6 years ago

2018-09-06 23:29:00

Last updated 4 years ago

2020-05-11 19:20:00

Affected Software

Pulse Secure Pulse Secure Desktop Client 5.3r1 for macOS

5.3r1
macos

Pulse Secure Pulse Secure Desktop Client 5.3r1.1 for macOS

5.3r1.1
macos

Pulse Secure Pulse Secure Desktop Client 5.3r2 for macOS

5.3r2
macos

Pulse Secure Pulse Secure Desktop Client 5.3r3 for macOS

5.3r3
macos

Pulse Secure Pulse Secure Desktop Client 5.3r4 for macOS

5.3r4
macos

Pulse Secure Pulse Secure Desktop Client 5.3r4.1 for macOS

5.3r4.1
macos

Pulse Secure Pulse Secure Desktop Client 5.3r4.2 for macOS

5.3r4.2
macos

Pulse Secure Pulse Secure Desktop Client 9.0r1 for macOS

9.0r1
macos

References

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43877

Third Party Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.