Jump to content
Praetorian503

PFsense UTM Platform 2.0.1 XSS / CSRF

Recommended Posts

PFsense UTM Platform version 2.0.1 suffers from cross site request forgery and cross site scripting vulnerabilities.

???????????????????????????????????????????????????????????????????????????????
? Exploit Title: pfSense <= 2.0.1 XSS & CSRF during IPSec XAuth authentication
? Date: 04/01/2013
? Author: Dimitris Strevinas
? Vendor or Software Link: www.pfsense.org
? Version: <= 2.0.1
? Category: Semi-Persistent XSS & CSRF
? Google dork:
? Tested on: FreeBSD
???????????????????????????????????????????????????????????????????????????????


pfSense UTM distribution description
??????????????????????????????????????
pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. pfSense is a popular project with more than 1 million downloads since its inception, and proven in countless installations ranging from small home networks protecting a PC and an Xbox to large corporations, universities and other organizations protecting thousands of network devices.
This project started in 2004 as a fork of the m0n0wall project, but focused towards full PC installations rather than the embedded hardware focus of m0n0wall. pfSense also offers an embedded image for Compact Flash based installations, however it is not our primary focus.
[source: www.pfsense.org]
The IPSec VPN functionality on pfSense is implemented using the Racoon vpn concentrator software.


Vulnerability Summary
????????????????????????
pfSense versions 2.0.1 and prior are vulnerable to semi-persistent XSS and CSRF attack vectors, exploited by sending Javascript/HTML code as a username during the XAuth user authentication phase.
XAUTH provides extended authentication for IPSec telecommuters by using authentication schemes such as RADIUS or internal user databases. [source: www.ciscopress.org]
The vulnarability lies in diag_logs_ipsec.php which does not properly escape HTML characters in the Racoon log files.
It is assumed that the attacker has successfully completed IPSEC Phase 1 and Phase 2 based on one of the following schemes:
. Mutual RSA
. Mutual PSK
. Hybrid RSA
It should also be noted that newer pfSense version use CSRF-magic on the majority of Web GUI forms, thus the CSRF exploitation likelihood is minimized at least in the standard installation.


Exploit Path
???????????????
1) Perform the Phase 1 and Phase 2 using a VPN Client and known credentials/certificates
2) During the XAuth provide a username like "><script>alert("XSS")</script> and a random password
3) The reflection of the XSS/CSRF is in the logs under Status > System Logs > IPSec
The XSS "time-to-live" depends on the Racoon logging verbosity, max number of log lines and vpn activity. Nevertheless, it can be resubmitted to be shown again on top.


Solution
???????????
Patch available by vendor, streamlined to 2.1
URL: http://redmine.pfsense.org/projects/pfsense-tools/repository/revisions/0675bde3039a94ee2cadc360875095b797af018f


Credits & Contact
????????????????????
Dimitris Strevinas
Obrela Security Industries
CONTACT: www.obrela.com

Source: PacketStorm

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...