Open Source Firewall pfsense Vulnerable to Remote Code Execution Attacks


A popular open-source firewall software pfSense vulnerability has been identified, allowing for remote code execution (RCE) attacks.

The vulnerability, tracked as CVE-2022-31814, highlights potential risks in pfSense installations, particularly those using the pfBlockerNG package.

EHA

pfSense is a widely used, FreeBSD-based firewall and router software that offers enterprise-grade features and security. It is renowned for its flexibility and open-source nature, allowing users to configure robust network defenses through a web interface.

Identification of the Vulnerability

According to the laburity report, the vulnerability was uncovered during a routine security audit of a pfSense application. Initial attempts to exploit the system using default credentials proved unsuccessful.

However, further investigation revealed that the pfBlockerNG package was installed, leading researchers to test known exploits against it.

The exploit attempts initially failed, prompting a deeper dive into the root cause. Researchers discovered that while the system was vulnerable to RCE, the existing exploit scripts failed due to discrepancies in the Python and PHP versions installed on the target machine.

How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide

The debugging process revealed that the failure of the exploit was due to the absence of Python 3.8 on the target system, which was required by the exploit script. Additionally, issues in the PHP code were identified, necessitating modifications to the script.

Researchers successfully executed commands on the target server by adapting the exploit to work with Python 2 and adjusting the PHP code. The exploit in the source code looks like this:

"Host":"' *; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBwcmludChwYXNzdGhydSggJF9HRVRbImMiXSkpOz8+Jztmd3JpdGUoJGEsJHQpO2ZjbG9zZSggJGEpOz8+'|python3.8 -m base64 -d | php; '"

If we just base64 decode the string, we will get the value as:

$a=fopen("/usr/local/www/system_advanced_control.php","w") or die();$t="";fwrite($a,$t);fclose( $a);?>

The updated exploit, now available on GitHub, employs multiple payloads to account for variations in Python and PHP versions, ensuring a higher success rate across diverse environments.

Updated Exploit Flow
Updated Exploit Flow

This incident underscores the importance of understanding the specific configurations and environments when conducting penetration tests. The failure of initial exploits highlights the need for flexibility and adaptability in security testing methodologies.

For pfSense users, staying updated on security patches and community advisories is crucial. Regular audits and a thorough understanding of the installed packages can mitigate potential vulnerabilities.

As open-source software plays a vital role in network security, maintaining vigilance and contributing to community-driven security efforts remain paramount.

The discovery of CVE-2022-31814 reminds us of the evolving nature of cybersecurity threats and the continuous need for proactive defense strategies.

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access



Source link