module
Pulse Secure VPN Arbitrary File Disclosure
| Disclosed | Created |
|---|---|
| Apr 24, 2019 | Nov 12, 2019 |
Disclosed
Apr 24, 2019
Created
Nov 12, 2019
Description
This module exploits a pre-auth directory traversal in the Pulse Secure
VPN server to dump an arbitrary file. Dumped files are stored in loot.
If the "Automatic" action is set, plaintext and hashed credentials, as
well as session IDs, will be dumped. Valid sessions can be hijacked by
setting the "DSIG" browser cookie to a valid session ID.
For the "Manual" action, please specify a file to dump via the "FILE"
option. /etc/passwd will be dumped by default. If the "PRINT" option is
set, file contents will be printed to the screen, with any unprintable
characters replaced by a period.
Please see related module exploit/linux/http/pulse_secure_cmd_exec for
a post-auth exploit that can leverage the results from this module.
VPN server to dump an arbitrary file. Dumped files are stored in loot.
If the "Automatic" action is set, plaintext and hashed credentials, as
well as session IDs, will be dumped. Valid sessions can be hijacked by
setting the "DSIG" browser cookie to a valid session ID.
For the "Manual" action, please specify a file to dump via the "FILE"
option. /etc/passwd will be dumped by default. If the "PRINT" option is
set, file contents will be printed to the screen, with any unprintable
characters replaced by a period.
Please see related module exploit/linux/http/pulse_secure_cmd_exec for
a post-auth exploit that can leverage the results from this module.
Authors
Orange Tsai
Meh Chang
Alyssa Herrera
Justin Wagner
wvu wvu@metasploit.com
Meh Chang
Alyssa Herrera
Justin Wagner
wvu wvu@metasploit.com
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.