CVE-2020-8249: Buffer Overflow in Pulse Secure VPN Linux Client# CVE-2020-8249: Buffer Overflow in Pulse Secure VPN Linux Client
The root SUID executable pulsesvc, has a function “do_upload” that unsafely calls a “sprintf” which can result in a buffer overflow. Because the “sprintf” writes the values on the stack, if a big enough string is passed to it, then it can result in the overwrite of the legitimate Return Address written on the stack.
### NVD Disclosure:
The NVD disclosure for this vulnerability can be found [here](https://nvd.nist.gov/vuln/detail/CVE-2020-8249).
### Requirements:
The exploit targets code that is accessed post client authentication, that means that in order to exploit this vulnerability an attacker would require one of the 3 scenarios:
- Hosting an attacker-controlled Pulse VPN Server
- A valid SSL/TLS certificate to host a dummy VPN server (Can be easily done with solutions such as “Let’s Encrypt”)
- Connecting to a legitimate Pulse VPN Server (User credentials/Client certificates may be found directly on the compromised client)
### Proof Of Concept:
More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/CVE-2020-8249/blob/main/Pulse%20Secure%20VPN%20Linux%20Client%20-%20CVE-2020-8249.pdf).
[4.0K] /data/pocs/5aa7f8e7c556e340bda9ffdb4425bc44438bb30e
├── [1.6M] Pulse Secure VPN Linux Client - CVE-2020-8249.pdf
└── [1.2K] README.md
0 directories, 2 files