CVE-2019-[12584-12585] : Command Injection Vulnerability on pfSense 2.4.4-RELEASE-p3

I. OVERVIEW

Author: Chi Tran

Vendor: NetGate

Product: NetGate PfSense

Version: 2.4.4-RELEASE-p3

CVE Reference: CVE-2019-12584 & CVE-2019-12585


II. ABOUT PFSENSE

  • pfSense® software is a free, open source customized distribution of FreeBSD specifically tailored for use as a firewall and router that is entirely managed via web interface. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution.

III. VULNERABILITY DETAILS

  • What is apcupsd? Apcupsd is a UPS control system that permits orderly shutdown of your computer in the event of a power failure. On pfSense it is installed as a package, and its status page is apcupsd_status.php.
  • An input validation error in the "HOST" field of apcupsd_status.php (authenticated) leads to a command injection vulnerability (arbitrary command execution) and a self cross-site scripting vulnerability (self-XSS). Result: the firewall is compromised as "root".
  • MISC: https://redmine.pfsense.org/issues/9556
  • Cause: when processing requests to /apcupsd_status.php, the firewall does not sanitize the strapcaccess POST parameter (the "HOST" field) before using it in a shell command and echoing it back into the page.
  • Code audit: the relevant code in apcupsd_status.php interpolates the raw POST parameter into a shell command line and also echoes it back into the page:

    puts("Running: apcaccess -h {$_POST['strapcaccess']} ");   // raw input echoed into the HTML response (reflected self-XSS)
    putenv("PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin");
    $ph = popen("apcaccess -h {$_POST['strapcaccess']} 2>&1", "r" );   // raw input handed to /bin/sh by popen() (command injection)

  • As the snippet shows, after being supplied by an authenticated user, $_POST['strapcaccess'] is passed straight into popen(), which hands the whole string to /bin/sh -c. Because the value is never validated or escaped, an attacker can terminate the intended apcaccess command with a semicolon and append arbitrary commands, which run with the privileges of the web server process (root on pfSense). The same unescaped value is written into the response by puts(), which is the self-XSS.
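A hardened form of the same handler, as an added example (this is not pfSense or apcupsd package code and not the vendor's patch): it rejects anything that is not a hostname or IP address with an optional port, quotes the argument with escapeshellarg() as a second line of defence, and HTML-escapes the echoed command line and the command output so the reflected self-XSS is closed as well. The function names and the host-validation rules are this example's own; the strapcaccess POST parameter and the apcaccess -h command line come from the advisory.

```php
<?php
// Added example, not code from pfSense or the apcupsd package and not the vendor's fix.
// Function names below are this example's own; the "apcaccess -h" command line and the
// strapcaccess POST parameter are the ones from the advisory.

/* Vulnerable pattern from apcupsd_status.php, kept for contrast: the raw POST value is
 * interpolated into a shell command line. With $host = ";cat /etc/passwd" the shell
 * runs "apcaccess -h" and then "cat /etc/passwd". */
function build_apcaccess_cmd_vulnerable(string $host): string {
    return "apcaccess -h {$host} 2>&1";
}

/* Accept only what "apcaccess -h" legitimately takes: a bare IPv4/IPv6 address, or a
 * hostname or IPv4 address with an optional numeric :port. Anything else is rejected
 * before it gets anywhere near a shell. */
function valid_apcaccess_host(string $host): bool {
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {   // bare IPv4 or IPv6
        return true;
    }
    $parts = explode(':', $host, 2);                          // host[:port]
    if (isset($parts[1]) && !preg_match('/^\d{1,5}$/', $parts[1])) {
        return false;
    }
    $h = $parts[0];
    if (filter_var($h, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return true;
    }
    // RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens,
    // no label starting or ending with a hyphen, no label longer than 63 characters.
    return (bool) preg_match(
        '/^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$/',
        $h
    );
}

/* Hardened command builder: validate first, then quote. escapeshellarg() wraps the
 * value in single quotes and escapes embedded quotes, so even if the validation were
 * relaxed later the shell would still see exactly one argument. */
function build_apcaccess_cmd(string $host): string {
    if (!valid_apcaccess_host($host)) {
        throw new InvalidArgumentException('strapcaccess is not a valid host[:port]');
    }
    return 'apcaccess -h ' . escapeshellarg($host) . ' 2>&1';
}

/* Hardened request handler: the echoed command line is HTML-escaped (closing the
 * reflected self-XSS) and only the validated, quoted command reaches popen(). */
function handle_apcaccess_request(array $post): void {
    $host = isset($post['strapcaccess']) ? (string) $post['strapcaccess'] : '';
    try {
        $cmd = build_apcaccess_cmd($host);
    } catch (InvalidArgumentException $e) {
        echo '<p>' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8') . "</p>\n";
        return;
    }
    echo '<pre>Running: ' . htmlspecialchars($cmd, ENT_QUOTES, 'UTF-8') . "\n";
    putenv('PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin');
    $ph = popen($cmd, 'r');
    if ($ph !== false) {
        while (($line = fgets($ph)) !== false) {
            echo htmlspecialchars($line, ENT_QUOTES, 'UTF-8');   // command output is untrusted too
        }
        pclose($ph);
    }
    echo "</pre>\n";
}

// Walk the advisory's two payloads and two legitimate values through the builder
// (nothing is executed here; only the resulting command line is shown).
foreach ([';cat /etc/passwd', '<svg/onload=alert(document.domain)>',
          '192.168.1.10', 'ups1.example.net:3551'] as $input) {
    try {
        echo 'accepted: ' . build_apcaccess_cmd($input) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$input}\n";
    }
}
```

The validation step is the real fix: for a field that can only ever hold a host and port there is no reason to let shell metacharacters through at all. escapeshellarg() and htmlspecialchars() are kept on top of it so that a later relaxation of the validation rules does not silently reopen either bug.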

  • Proof of Concept:

    1 - Log in to the pfSense web GUI and navigate to https://192.168.1.1/apcupsd_status.php

    2 - Input the following payload into the "HOST" field and submit the form:

    + Command Injection

    Payload: ;cat /etc/passwd

    The shell executes "apcaccess -h" and then "cat /etc/passwd", and the output of the injected command is returned in the response.

    + Self-XSS:

    Payload: <svg/onload=alert(document.domain)>

    The payload is reflected unescaped into the "Running: apcaccess -h ..." line of the response and executes in the submitting user's browser.

IV. IMPACT

  • Self-XSS: the payload executes in the origin of the pfSense web GUI for the user who submits it. Because it is reflected only to the submitting user and the page requires authentication, turning it into session hijacking or other client-side attacks requires tricking the victim into submitting the payload themselves, which limits its practical impact.
  • Command Injection: injected commands run as root, so in this case the vulnerability leads to full compromise of the firewall.

V. COMPROMISE THE FIREWALL

  • By default, the pfSense web GUI runs as root, so every command injected through the vulnerability described above also runs as root. An attacker can therefore take over the firewall completely:
  • Determine the web-root path (inject a command that reveals the directory the web server serves its pages from):

  • Deploy a webshell into that directory:


VI. REMEDIATION

  • Upgrade the apcupsd package to the fixed version released by the vendor on 05.28.2019 (see https://redmine.pfsense.org/issues/9556).
  • Until the package is updated, restrict access to the web GUI to trusted administrator accounts; the vulnerable code is only reachable by an authenticated user.

VII. REPORT TIMELINE

  • 05.26.2019 – Bug reported
  • 05.28.2019 – Vendor released a fix
  • 06.02.2019 – CVE ID Assigned