CVE-2019-[12584-12585] : Command Injection Vulnerability on pfSense 2.4.4-RELEASE-p3
- Author: Chi Tran
- Vendor: NetGate
- Product: NetGate PfSense
- Version: 2.4.4-RELEASE-p3
- CVE Reference: CVE-2019-12584 & CVE-2019-12585
What is APCUPSD? Apcupsd is a UPS control system that permits orderly shutdown of your computer in the event of a power failure.
An input validation error in the HOST field of apcupsd_status.php (authenticated) leads to a Command Injection vulnerability (ACE) and a Self Cross-site Scripting vulnerability (XSS).
Cause: When processing requests to apcupsd_status.php, the firewall does not properly sanitize the POST parameter strapcaccess (the HOST field).
As the code above shows, after being supplied by an authenticated user, $_POST['strapcaccess'] is passed directly into the command that is executed.
Since the POST parameter is not sanitized, an attacker can perform command injection by inserting a semicolon followed by new commands; the shell treats everything after the semicolon as a separate command. Because the same value is also reflected into the page, this leads to a Self-XSS vulnerability as well.
Proof of Concept:
1 - As an authenticated user, navigate to https://192.168.1.1/apcupsd_status.php
2 - Input one of the following payloads into the HOST field and submit the form:
;cat /etc/passwd (RCE)
<svg/onload=alert(document.domain)> (Self XSS)
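The injection mechanics and the corresponding fix, as an added example that is not part of the original advisory and not pfSense's own code: the PHP exec()-style pattern is modelled in Python, with `echo` standing in for the apcaccess binary so the example runs offline on any POSIX system. The hardened form validates the HOST value against an allow-list, shell-quotes it (the equivalent of PHP's escapeshellarg), and HTML-encodes it before reflecting it, which closes the Self-XSS side of the same bug. The function names, the allow-list regex and the sample payloads are assumptions made for the example.

```python
import html
import re
import shlex
import subprocess

# Constructed stand-in for the apcaccess invocation. "echo" replaces the real
# apcaccess binary so the example runs anywhere; the shape of the command string
# (fixed prefix, HOST value appended) models the pattern the advisory describes.
# Illustrative code only, not pfSense's own.
COMMAND_PREFIX = "echo apcaccess status "


def build_command_vulnerable(host: str) -> str:
    """Unsafe pattern: the HOST value is concatenated verbatim into the command."""
    return COMMAND_PREFIX + host


def run_vulnerable(host: str) -> str:
    """Hand the concatenated string to the shell, as PHP's exec()/shell_exec() do.

    A HOST value such as ';echo INJECTED' terminates the intended command and
    starts a second one, which runs with the web server's privileges (root on pfSense).
    """
    result = subprocess.run(["sh", "-c", build_command_vulnerable(host)],
                            capture_output=True, text=True, check=False)
    return result.stdout


# Allow-list for a host[:port] value: hostname/IP characters plus an optional port.
# Assumed pattern for the example; it rejects ';', '|', '`', '$(', quotes and whitespace.
HOST_RE = re.compile(r"[A-Za-z0-9.\-]{1,253}(:[0-9]{1,5})?")


def is_valid_host(host: str) -> bool:
    """True only for a plausible host[:port] value."""
    return HOST_RE.fullmatch(host) is not None


def build_command_safe(host: str) -> str:
    """Hardened pattern: allow-list validation first, then shell quoting as defence in depth."""
    if not is_valid_host(host):
        raise ValueError(f"rejected HOST value: {host!r}")
    return COMMAND_PREFIX + shlex.quote(host)


def run_quoted_only(host: str) -> str:
    """Quoting alone already neutralises the metacharacters: the whole value
    becomes a single argument of the intended command instead of a new command."""
    result = subprocess.run(["sh", "-c", COMMAND_PREFIX + shlex.quote(host)],
                            capture_output=True, text=True, check=False)
    return result.stdout


def render_host(host: str) -> str:
    """Encode the value before reflecting it into HTML, so the XSS payload is shown, not executed."""
    return f"<input name='strapcaccess' value='{html.escape(host, quote=True)}'>"


if __name__ == "__main__":
    payload = ";echo INJECTED"
    print("vulnerable :", repr(run_vulnerable(payload)))     # second command runs
    print("quoted only:", repr(run_quoted_only(payload)))    # payload is just an argument
    try:
        build_command_safe(payload)
    except ValueError as err:
        print("validated  :", err)
    print("safe command:", build_command_safe("192.168.1.1:3551"))
    print("rendered    :", render_host("<svg/onload=alert(document.domain)>"))
```

Running the block shows the injected `echo INJECTED` executing as a second command in the vulnerable path, while the quoted path prints the payload back as literal text and the validated path refuses it outright. Validation is the primary control here because a host name has a small, well-defined character set; quoting covers any code path the allow-list was forgotten on.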
The XSS could in principle be used for purposes such as session hijacking or running attacker script in the administrator's browser. Note that it is Self-XSS: the payload is sent in a POST request and is not stored, so exploiting it requires tricking an authenticated user into submitting the payload themselves, which limits its practical impact.
Command Injection in this case leads to full compromise of the firewall as root.
By default, the pfSense web GUI runs as root, so any command injected through the vulnerability described above executes as root. An attacker can use this to take over the firewall, for example:
- Determine web-root path:
- Deploy a webshell:
Timeline:
2019/05/26 - Bug reported
2019/05/28 - Vendor released a fix
2019/06/02 - CVE ID assigned