Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Authenticated RCE in Pulse Secure VPN - 239

Jean-Frédéric Gauron, posted 5 years ago
  • There is a fairly trivial command injection in an administrative feature of the VPN: user-controlled input is interpolated straight into a string handed to Perl's system().
  • At that point you would expect the game to be over. However, Pulse Secure hooks the system() call and strips certain characters, which makes building a working exploit MUCH harder.
  • As Orange Tsai demonstrated in earlier attacks on the product, error messages could be used to execute Perl code in the context of the web application.
  • Running arbitrary shell commands through the system() call was still NOT possible. Instead, the error message was written into the cache of another Perl file.
  • When that cached file was next loaded, the injected Perl code ran, resulting in code execution :)
  • Simple bug, complex exploitation!
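The pattern behind those notes, as an added example that is not from the post or from Pulse Secure's code: a string-form system() call with interpolated input, a hypothetical "strip some characters" hook of the kind the notes describe, and the list-form plus allowlist version that never involves a shell. The "echo banner" feature, the filtered character set and the sample inputs are all constructed for the illustration.

```perl
#!/usr/bin/env perl
# Added illustration, not Pulse Secure's code. Shows why a character
# blacklist in front of a string-form system() is a weak fix, and the
# list-form alternative that bypasses /bin/sh entirely. The "echo banner"
# feature and the filter's character set are hypothetical stand-ins.
use strict;
use warnings;

# Vulnerable: the string form of system() hands the whole line to
# /bin/sh, so every shell metacharacter in $label is interpreted.
sub run_vulnerable {
    my ($label) = @_;
    return system("echo banner: $label");
}

# Blacklist "fix" (hypothetical): strips ';' and '&' the way a hook on
# system() might. The command still goes through the shell, so anything
# outside the list ('|', '$(...)', backticks, newline) still works.
sub run_filtered {
    my ($label) = @_;
    (my $clean = $label) =~ tr/;&//d;
    return system("echo banner: $clean");
}

# Hardened: validate against an allowlist, then use the list form of
# system(), which execs the program directly; no shell parses arguments.
# Returns -1 when the input is rejected, otherwise system()'s status.
sub run_hardened {
    my ($label) = @_;
    return -1 unless $label =~ /\A[A-Za-z0-9 ._-]{1,64}\z/;
    return system('echo', 'banner:', $label);
}

# Constructed inputs: one benign, three injection attempts.
my @inputs = (
    'maintenance window',   # benign
    'x; id',                # separator: caught by the blacklist
    'x | id',               # pipe: not in the blacklist, still runs id
    'x $(id)',              # command substitution: not in the blacklist
);

for my $in (@inputs) {
    print "--- input: $in\n";
    print "[vulnerable]\n";
    run_vulnerable($in);
    print "[filtered]\n";
    run_filtered($in);
    print "[hardened]\n";
    run_hardened($in) == 0 or print "rejected by allowlist\n";
}
```

Run it and compare the three sections for each input: the filter stops only the ';' case, while the list-form call either prints the label literally or refuses it. The takeaway matches the notes above: once a shell is in the path, stripping characters raises the cost of exploitation but does not close the bug; removing the shell does.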