Original Discovery: Orange Tsai, Meh Chang
Authors: Justin Wagner, Alyssa Herrera
Thanks to: Orange, Meh Chang, Rich Warren, Alyssa, Mimir
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web interface allows an authenticated attacker to inject and execute commands.
This exploit takes advantage of the Post-Auth Remote Code Execution Vulnerability and modifies the SSH configuration to allow a user to log in as root on the VPN appliance itself. It will download a new ssh configuration and authorized_keys file, backup the original, then overwrite the old files. Once this is done, it will send a SIGHUP to sshd-ive, restarting the process and loading the new configuration.
To use this exploit, you will need to modify the following:
The Host you are targeting:
...
host = 'REPLACE-WITH-IP-OR-FQDN' # Host to exploit
...
The admin login credentials for the VPN appliance:
# Login Credentials
user = 'admin' # Default Username
password = 'password' # Default Password
And the host to download the files from:
# Necessary for Curl
downloadHost = '' # IP or FQDN for host running webserver
port = '' # Port where web service is running. Needs to be a string, hence the quotes.
Once that is modified, you should be able to run the exploit without any issues. If the system is read only, you will need to modify the code and mount the system as read write. I will not do this for you. You need to have the knowledge of the system you are targeting.
A demo can be seen below:
Blog Post By Alyssa Herrera
You can find the blog post that Alyssa and I worked on here