module
Pulse Secure VPN Arbitrary File Disclosure
| Disclosed |
|---|
| Apr 24, 2019 |
Disclosed
Apr 24, 2019
Description
This module exploits a pre-auth directory traversal in the Pulse Secure
VPN server to dump an arbitrary file. Dumped files are stored in loot.
If the "Automatic" action is set, plaintext and hashed credentials, as
well as session IDs, will be dumped. Valid sessions can be hijacked by
setting the "DSIG" browser cookie to a valid session ID.
For the "Manual" action, please specify a file to dump via the "FILE"
option. /etc/passwd will be dumped by default. If the "PRINT" option is
set, file contents will be printed to the screen, with any unprintable
characters replaced by a period.
Please see related module exploit/linux/http/pulse_secure_cmd_exec for
a post-auth exploit that can leverage the results from this module.
VPN server to dump an arbitrary file. Dumped files are stored in loot.
If the "Automatic" action is set, plaintext and hashed credentials, as
well as session IDs, will be dumped. Valid sessions can be hijacked by
setting the "DSIG" browser cookie to a valid session ID.
For the "Manual" action, please specify a file to dump via the "FILE"
option. /etc/passwd will be dumped by default. If the "PRINT" option is
set, file contents will be printed to the screen, with any unprintable
characters replaced by a period.
Please see related module exploit/linux/http/pulse_secure_cmd_exec for
a post-auth exploit that can leverage the results from this module.
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.