Pulse Secure VPN Arbitrary Command Execution
Posted by deepcore on November 13, 2019 – 2:10 pm
This Metasploit module exploits a post-auth command injection in the Pulse Secure VPN server to execute commands as root. The env(1) command is used to bypass application whitelisting and run arbitrary commands. Please see related module auxiliary/gather/pulse_secure_file_disclosure for a pre-auth file read that is able to obtain plaintext and hashed credentials, plus session IDs that may be used with this exploit. A valid administrator session ID is required in lieu of untested SSRF.
Post a reply
You must be logged in to post a comment.