Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2019-11539 PoC — Pulse Secure Pulse Connect Secure和Pulse Policy Secure 命令操作系统命令注入漏洞

Source
https://github.com/0xDezzy/CVE-2019-11539
Associated Vulnerability
Title:Pulse Secure Pulse Connect Secure和Pulse Policy Secure 命令操作系统命令注入漏洞 (CVE-2019-11539)
Description:Pulse Secure Pulse Connect Secure(又名PCS,前称Juniper Junos Pulse)和Pulse Policy Secure都是美国Pulse Secure公司的产品。Pulse Connect Secure是一套SSL VPN解决方案。Pulse Policy Secure是一套网络准入控制解决方案。 Pulse Secure PCS和Pulse Policy Secure中存在参数操作系统命令注入漏洞,该漏洞源于外部输入数据构造命令参数的过程中,网络系统或产品未
Description
Exploit for the Post-Auth RCE vulnerability in Pulse Secure Connect
Readme
# CVE-2019-11539

### Original Discovery: [Orange Tsai](https://twitter.com/orange_8361), [Meh Chang](https://twitter.com/mehqq_)

### Authors: [Justin Wagner](https://twitter.com/0xDezzy), [Alyssa Herrera](https://twitter.com/Alyssa_Herrera_)

### Thanks to: [Orange](https://twitter.com/orange_8361), [Meh Chang](https://twitter.com/mehqq_), [Rich Warren](https://twitter.com/buffaloverflow), [Alyssa](https://twitter.com/Alyssa_Herrera_), [Mimir](https://twitter.com/XMPPWocky)
## Vulnerability Description
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web interface allows an authenticated attacker to inject and execute commands.

## Exploit Description
This exploit takes advantage of the [Post-Auth Remote Code Execution Vulnerability](https://nvd.nist.gov/vuln/detail/CVE-2019-11539) and modifies the SSH configuration to allow a user to log in as root on the VPN appliance itself. It will download a new ssh configuration and authorized_keys file, backup the original, then overwrite the old files. Once this is done, it will send a SIGHUP to sshd-ive, restarting the process and loading the new configuration.

## Configuration
To use this exploit, you will need to modify the following:

The Host you are targeting:
```
...
host = 'REPLACE-WITH-IP-OR-FQDN' # Host to exploit
...
```
The admin login credentials for the VPN appliance:
```
# Login Credentials
user = 'admin' # Default Username
password = 'password' # Default Password
```
And the host to download the files from:
```
# Necessary for Curl
downloadHost = '' # IP or FQDN for host running webserver
port = '' # Port where web service is running. Needs to be a string, hence the quotes.
```

Once that is modified, you should be able to run the exploit without any issues. If the system is read only, you will need to modify the code and mount the system as read write. I will not do this for you. You need to have the knowledge of the system you are targeting.

A demo can be seen below:

## Demo
[![Image alt text](http://img.youtube.com/vi/HyWcRrJt1g0/0.jpg)](https://www.youtube.com/watch?v=HyWcRrJt1g0)

## Blog Post By [Alyssa Herrera](https://twitter.com/Alyssa_Herrera_)
You can find the blog post that Alyssa and I worked on [here](https://medium.com/@alyssa.o.herrera/pulse-secure-ssl-vpn-post-auth-rce-to-ssh-shell-2b497d35c35b)
File Snapshot

 [4.0K]  /data/pocs/d6c8d83f63de4bfa62b4469883ebc5df76591bf0
├── [   1]  CONTRIBUTING.md
├── [7.0K]  CVE-2019-11539.py
├── [4.0K]  img
│   └── [ 38K]  rooted-via-post-auth-rce.png
├── [ 34K]  LICENSE
└── [2.5K]  README.md

1 directory, 5 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.