
Add Pulse Secure VPN arbitrary command execution #12515

Merged: merged 19 commits into from Nov 12, 2019

Conversation

wvu-r7 (Contributor) commented Oct 31, 2019

WIP (delayed waiting on #12517)

#12517 is non-essential to moving this forward. See #12511 for more information.

This is a follow-up to #12511.

  • Support authentication via creds? Don't be lazy! Haven't been able to retrieve plaintext creds
  • Implement check using #12517 and #12511 Resolved
msf5 exploit(linux/http/pulse_secure_cmd_exec) > info

       Name: Pulse Secure VPN Arbitrary Command Execution
     Module: exploit/linux/http/pulse_secure_cmd_exec
   Platform: Unix, Linux
       Arch: cmd, x86, x64
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2019-04-24

Provided by:
  Orange Tsai
  Meh Chang
  wvu <wvu@metasploit.com>

Module side effects:
 ioc-in-logs
 artifacts-on-disk

Module stability:
 crash-safe

Module reliability:
 repeatable-session

Available targets:
  Id  Name
  --  ----
  0   Unix In-Memory
  1   Linux Dropper

Check supported:
  No

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT    443              yes       The target port (TCP)
  SID                       yes       Valid admin session ID
  SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
  SRVPORT  8080             yes       The local port to listen on.
  SSL      true             no        Negotiate SSL/TLS for outgoing connections
  SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
  URIPATH                   no        The URI to use for this exploit (default is random)
  VHOST                     no        HTTP server virtual host

Payload information:

Description:
  This module exploits a post-auth command injection in the Pulse
  Secure VPN server to execute commands as root. The env(1) command is
  used to bypass application whitelisting and run arbitrary commands.
  Please see related module
  auxiliary/gather/pulse_secure_file_disclosure for a pre-auth file
  read that is able to obtain plaintext and hashed credentials, plus
  session IDs that may be used with this exploit. A valid
  administrator session ID is required in lieu of untested SSRF.

References:
  https://cvedetails.com/cve/CVE-2019-11539/
  https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
  https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html
  https://hackerone.com/reports/591295

Related modules:
  auxiliary/gather/pulse_secure_file_disclosure

msf5 exploit(linux/http/pulse_secure_cmd_exec) >
wvu-r7 added the needs-docs label Oct 31, 2019

wvu-r7 (Contributor, Author) commented Nov 12, 2019

Attempting the SSRF-to-admin as a normal user against our test environment:

Access to the Web site is blocked by your administrator. Please notify your system administrator.
Made https request for GET /admin/ HTTP/1.1 to 0:443

wvu-r7 and others added 5 commits Nov 12, 2019
Co-Authored-By: bcoles <bcoles@gmail.com>

wvu-r7 removed the needs-docs label Nov 12, 2019
wvu-r7 changed the title from "[WIP] Add Pulse Secure VPN arbitrary command execution" to "Add Pulse Secure VPN arbitrary command execution" Nov 12, 2019
wvu-r7 removed the delayed label Nov 12, 2019
wvu-r7 added a commit that referenced this pull request Nov 12, 2019
wvu-r7 merged commit a8e289e into rapid7:master Nov 12, 2019
1 of 3 checks passed:
  Metasploit Automation - Sanity Test Execution: Build triggered for merge commit.
  continuous-integration/travis-ci/pr: The Travis CI build is in progress
  Metasploit Automation - Test Execution: Successfully completed all tests.

msjenkins-r7 added a commit that referenced this pull request Nov 12, 2019

wvu-r7 (Contributor, Author) commented Nov 12, 2019

Release Notes

The pulse_secure_cmd_exec module has been added to the framework. It is a post-auth remote root exploit against Pulse Secure VPN servers, bypassing the software's application whitelisting by using the env(1) command. By leveraging access gained through the auxiliary/gather/pulse_secure_file_disclosure module, users may be able to authenticate this exploit without foreknowledge of credentials.

wvu-r7 deleted the wvu-r7:feature/pulse branch Nov 12, 2019
tdoan-r7 added the rn-modules label Dec 11, 2019