module
Pulse Secure VPN Arbitrary Command Execution
| Disclosed | Created |
|---|---|
| Apr 24, 2019 | Nov 12, 2019 |
Disclosed
Apr 24, 2019
Created
Nov 12, 2019
Description
This module exploits a post-auth command injection in the Pulse Secure
VPN server to execute commands as root. The env(1) command is used to
bypass application whitelisting and run arbitrary commands.
Please see related module auxiliary/gather/pulse_secure_file_disclosure
for a pre-auth file read that is able to obtain plaintext and hashed
credentials, plus session IDs that may be used with this exploit.
A valid administrator session ID is required in lieu of untested SSRF.
VPN server to execute commands as root. The env(1) command is used to
bypass application whitelisting and run arbitrary commands.
Please see related module auxiliary/gather/pulse_secure_file_disclosure
for a pre-auth file read that is able to obtain plaintext and hashed
credentials, plus session IDs that may be used with this exploit.
A valid administrator session ID is required in lieu of untested SSRF.
Authors
Orange Tsai
Meh Chang
wvu wvu@metasploit.com
Meh Chang
wvu wvu@metasploit.com
Platform
Linux,Unix
Architectures
cmd, x86, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.