The root SUID executable pulsesvc, has a function “do_upload” that unsafely calls a “sprintf” which can result in a buffer overflow. Because the “sprintf” writes the values on the stack, if a big enough string is passed to it, then it can result in the overwrite of the legitimate Return Address written on the stack.
The NVD disclosure for this vulnerability can be found here.
The exploit targets code that is accessed post client authentication, that means that in order to exploit this vulnerability an attacker would require one of the 3 scenarios:
- Hosting an attacker-controlled Pulse VPN Server
- A valid SSL/TLS certificate to host a dummy VPN server (Can be easily done with solutions such as “Let’s Encrypt”)
- Connecting to a legitimate Pulse VPN Server (User credentials/Client certificates may be found directly on the compromised client)
More details and the exploitation process can be found in this PDF.