module

Pulse Secure VPN gzip RCE

Disclosed	Created
Oct 26, 2020	Dec 18, 2020

Disclosed

Oct 26, 2020

Created

Dec 18, 2020

Description

The Pulse Connect Secure appliance before 9.1R9 suffers from an uncontrolled gzip extraction vulnerability
which allows an attacker to overwrite arbitrary files, resulting in Remote Code Execution as root.
Admin credentials are required for successful exploitation.
Of note, MANY binaries are not in `$PATH`, but are located in `/home/bin/`.

Authors

h00die
Spencer McIntyre
Richard Warren [email protected]
David Cash [email protected]

Platform

Linux,Unix

Architectures

cmd, x86, x64

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


    msf > use exploit/linux/http/pulse_secure_gzip_rce
    msf exploit(pulse_secure_gzip_rce) > show targets
        ...targets...
    msf exploit(pulse_secure_gzip_rce) > set TARGET < target-id >
    msf exploit(pulse_secure_gzip_rce) > show options
        ...show and set options...
    msf exploit(pulse_secure_gzip_rce) > exploit

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report