GitHub - 0xDezzy/CVE-2019-11539: Exploit for the Post-Auth RCE vulnerability in...
source link: https://github.com/0xDezzy/CVE-2019-11539
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Original Discovery: Orange Tsai, Meh Chang
Authors: Justin Wagner, Alyssa Herrera
Thanks to: Orange, Meh Chang, Rich Warren, Alyssa, Mimir
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web interface allows an authenticated attacker to inject and execute commands.
This exploit takes advantage of the Post-Auth Remote Code Execution Vulnerability and modifies the SSH configuration to allow a user to log in as root on the VPN appliance itself. It will download a new ssh configuration and authorized_keys file, backup the original, then overwrite the old files. Once this is done, it will send a SIGHUP to sshd-ive, restarting the process and loading the new configuration.
To use this exploit, you will need to modify the following:
The Host you are targeting:
... host = 'REPLACE-WITH-IP-OR-FQDN' # Host to exploit ...
The admin login credentials for the VPN appliance:
# Login Credentials user = 'admin' # Default Username password = 'password' # Default Password
And the host to download the files from:
# Necessary for Curl downloadHost = '' # IP or FQDN for host running webserver port = '' # Port where web service is running. Needs to be a string, hence the quotes.
Once that is modified, you should be able to run the exploit without any issues. If the system is read only, you will need to modify the code and mount the system as read write. I will not do this for you. You need to have the knowledge of the system you are targeting and if you don't, you shouldn't be using this exploit.
A demo can be seen below:
Blog Post By Alyssa Herrera
You can find the blog post that Alyssa and I worked on here
Aggregate valuable and interesting links.
Joyk means Joy of geeK