Full Disclosure: Authenticated Command Execution Vulnerability in pfSense <= 2.3.1_1 (pfSense-SA-16_08.webgui)

On 05/19/2016 Scott White of TrustedSec discovered an authenticated command injection vulnerability in pfSense. It was responsibly disclosed to pfSense (security@pfsense.org) on 06/08/2016 and promptly fixed by the pfSense development team. TrustedSec wants to thank the pfSense team for the impressive response time and for providing a great open source project.

Although the vulnerability was discovered over a year ago and was publicly disclosed by pfSense (please see the security advisory at https://www.pfsense.org/security/advisories/pfSense-SA-16_08.webgui.asc), full exploitation details were not released. As some readers may or may not know, TrustedSec runs the DerbyCon CTF contest in Louisville, KY each year. When coming up with challenges for the contest each year, we try to incorporate real-world vulnerabilities alongside hacking methodologies and techniques that we regularly use as penetration testers. This year we decided to include a customized pfSense system requiring a multi-step hack in order to root the box.

The command-injection vulnerability lies within auth.inc via system_groupmanager.php (System menu–>User Manager–>Groups) and is exploited using the “members” parameter.

 

 

 

The vulnerability allows an authenticated WebGUI user with privileges for the system_groupmanager.php page to execute commands in the context of the root user.

The following proof of concept example was used to demonstrate the presence of the vulnerability:

'`whoami>/usr/local/www/whoami.txt`'

 

The output of the command executed was then viewed in the webroot:

http://<address>/whoami.txt

The winning team of the DerbyCon CTF, “SpicyWeasel”, has published their account of the contest (https://labs.nettitude.com/blog/derbycon-2017-ctf-write-up/) and solutions including how they managed to root the pfSense box.  Since exploitation details are now public, we wanted to also illustrate the initial discovery payload which differed slightly from how the command execution was achieved during the CTF.  The vulnerability details are also archived at https://www.exploit-db.com/exploits/43128/

Scott White

Author: Scott White

Scott White is a Principal Security Consultant for Cleveland-based TrustedSec. He joined TrustedSec’s founder, David Kennedy, after years of working closely with him in both corporate and consulting atmospheres. Scott’s expertise in pen testing and web application security stems from his years of unique experience ranging from web development, source code analysis, penetration testing, web application security, zero-day research, and exploit development. Scott has experience in performing penetration tests against both IBM z/OS and IBM iSeries with a focus on web applications. Having been the technical editor for several books including the popular “Metasploit: The Penetration Tester’s Guide”, holding degrees in computer science (BS with distinction) and network security (MS Summa cum Laude), he has been called upon not only academically but also professionally by the FBI and Secret Service as a subject matter expert. Scott developed several application security programs for large international companies. As the global application security team lead for a Fortune 1000 company, Scott performed several hundred web application security assessments including static code analysis, dynamic testing (grey box), and penetration testing. Scott was instrumental in developing the entire process from developer education and awareness, secure coding practices, and to final approval reviews for production.