
Command Injection (via CVE-2019-11510 and CVE-2019-11539)

Critical
U.S. Dept Of Defense
Submitted None
Reported by l00ph0le

Vulnerability Details

Technical details and impact analysis

Command Injection - Generic
**Summary:** The Navy has a Pulse Secure SSL VPN (https://████████/dana-na/auth/url_default/welcome.cgi) that is vulnerable to:

- CVE-2019-11510 - Pre-auth Arbitrary File Reading
- CVE-2019-11539 - Post-auth Command Injection

Vulnerable hostname from SSL certificate: ██████████.navy.mil

The pre-auth arbitrary file reading vulnerability (CVE-2019-11510) enables an unauthenticated user to read the file /data/runtime/mtmp/lmdb/dataa/data.mdb from the Pulse VPN device. This file contains admin and other users' credentials in plain-text format. This information can be used to log into the Pulse device as an administrator. Once logged in as an administrator, the post-auth command injection vulnerability (CVE-2019-11539) allows an attacker to execute commands on the device. Command execution could lead to compromise of other servers on the network or malware implantation.

There was a talk recently at Blackhat USA that goes into great detail on the vulnerabilities and how to exploit them. Exploit code was recently released to the public for this vulnerability. I would consider this an extremely critical issue, and others will be scanning your network trying to compromise this. The Pulse Secure version can be obtained from your device via a publicly available file here (https://██████████/dana-na/nc/nc_gina_ver.txt), so it is really easy to detect for attackers.

Here are links to the Blackhat presentation, Pulse Secure Security Bulletin, exploit code, video of exploit code in action and an example report found on Twitter's network.

- Blackhat 2019 Presentation: https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
- Pulse Secure Security Bulletin: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
- Publicly available exploit code: https://raw.githubusercontent.com/projectzeroindia/CVE-2019-11510/master/CVE-2019-11510.sh
- Video of how the exploit works: https://www.youtube.com/watch?v=v7JUMb70ON4&feature=youtu.be
- Example report found on Twitter's network: https://hackerone.com/reports/591295

## Impact

Critical - I would consider this an extremely critical issue, and others will be scanning your network trying to compromise this.

## Step-by-step Reproduction Instructions

1. From the macOS/Linux command line, issue the following command:

   curl --path-as-is -s -k "https://███████/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/"

   This will display the /etc/passwd file from the Pulse Secure device. This in itself is enough to confirm the presence of both vulnerabilities.

I've attached screenshots of getting the vulnerable Pulse Secure version from the device, and confirming the arbitrary file read vulnerability. I did not attempt to log into your device as administrator. Reading /etc/passwd is enough to confirm the vulnerability exists.

## Product, Version, and Configuration (If applicable)

Pulse Secure 9.0.1.63949

## Suggested Mitigation/Remediation Actions

Install updated firmware/OS from the Pulse Secure Security Bulletin: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101

## Impact

An attacker could compromise this device, and gain access to the DoD networks, compromise other servers, or implant malware.
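For defenders triaging web-server or proxy logs in front of a Pulse Connect Secure appliance, the request shape in the reproduction step above is a usable detection signal. The following added example (not part of the report, and not Pulse Secure code) parses combined-format access-log lines, resolves the `../` sequences in each request path the way a traversal would, and flags requests that resolve to the files this report names (/etc/passwd and the data.mdb credential cache) as well as the unauthenticated version probe against nc_gina_ver.txt. The log lines, IP addresses and timestamps are constructed sample data; the log format and the `classify_request`/`scan_log` function names are the example's own choices.

```python
import re
from posixpath import normpath
from typing import Optional
from urllib.parse import unquote, urlsplit

# Files the report describes as readable through the CVE-2019-11510 traversal.
SENSITIVE_TARGETS = {
    "/etc/passwd": "system account file",
    "/data/runtime/mtmp/lmdb/dataa/data.mdb": "credential cache (plain-text credentials per the report)",
}
# Publicly readable version file the report says attackers use to fingerprint the device.
VERSION_PROBE = "/dana-na/nc/nc_gina_ver.txt"
# The CVE-2019-11510 traversal walks out through this handler path.
GUACAMOLE_HANDLER = "/dana/html5acc/guacamole/"

# Combined-format access log: client, ident, user, [timestamp], "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not taken from the report or any real device).
SAMPLE_LOG = """\
203.0.113.5 - - [21/Aug/2019:10:00:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
203.0.113.9 - - [21/Aug/2019:10:00:07 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1200
198.51.100.2 - - [21/Aug/2019:10:00:09 +0000] "GET /dana-na/nc/nc_gina_ver.txt HTTP/1.1" 200 30
198.51.100.2 - - [21/Aug/2019:10:00:12 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/ HTTP/1.1" 200 65536
"""


def classify_request(target: str) -> Optional[dict]:
    """Return a finding for one request target, or None if nothing suspicious is seen."""
    parts = urlsplit(target)
    # Decode percent-encoding first so %2e%2e/ is seen as ../ like the server would.
    raw_path = unquote(parts.path)
    # Resolve dot segments to the path the file system would actually open.
    resolved = normpath(raw_path)

    if "/../" in raw_path and (GUACAMOLE_HANDLER in raw_path or GUACAMOLE_HANDLER in unquote(parts.query)):
        # Traversal through the guacamole handler: the CVE-2019-11510 shape.
        hit = SENSITIVE_TARGETS.get(resolved)
        return {
            "indicator": "CVE-2019-11510 traversal",
            "resolved": resolved,
            "severity": "critical" if hit else "high",
            "note": hit or "path escapes the web tree",
        }
    if resolved == VERSION_PROBE:
        # Not an attack by itself, but the fingerprinting step the report describes.
        return {"indicator": "version probe (nc_gina_ver.txt)", "resolved": resolved,
                "severity": "info", "note": "device version disclosed to unauthenticated clients"}
    return None


def scan_log(text: str) -> list:
    """Parse access-log lines and return one finding dict per suspicious request, in log order."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined format
        finding = classify_request(match["target"])
        if finding:
            finding.update(src=match["src"], ts=match["ts"], status=int(match["status"]))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f'{f["severity"]:8} {f["src"]:14} {f["indicator"]}: {f["resolved"]} ({f["note"]})')
```

A 200 status on a flagged traversal line is the strongest signal, since a patched appliance should not serve the resolved file; the version probe alone only tells you the host is being fingerprinted and is worth correlating with later traversal or administrative logins from the same source.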

Related CVEs

Associated Common Vulnerabilities and Exposures

In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web interface allows an authenticated attacker to …

In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability .

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Command Injection - Generic