Path Traversal in pfSense

Package – pfSense

Loginsoft-2020-1009
feb 27, 2020

Repository: – https://github.com/pfsense/pfsense-packages/tree/master/config/pfblockerng

Issues: – Arbitrary file download and deletion in pfblockerNG package.

Vulnerability Description: – The software does not strongly restrict or incorrectly restricts the access to a resource from an unauthorized actor.

Vulnerability Classification:-

CWE: 284
Base Score: 6.5
CVSS: 3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Steps to reproduce:-
  • Login as an admin and visit https://192.168.1.1/pfblockerng/pfblockerng_log.php.
  • Select log/file type (like DNSBL files).
  • For (DNSBL files), select file from log/file selection. For example,  taking the first one in our case (Abuse_DOMBL.txt).  Now you’ll be able to see the log file details (like log file path and option to download, delete).
  • To reproduce the issue, click on the delete option you’ll see the prompt. Before clicking ‘ok’ intercept the POST request and modify the “logfile” parameter to ‘/usr/local/www/crash_reporter.php ’ and forward the request.

Similarly for download file option, intercept the POST request and modify the “logfile” parameter to ‘/etc/passwd ’ and forward the request.

Exploitation:-

An attacker can exploit the delete in pfblockerNG, log browser functionality to remove files available in the project directory.

Apart from that particular file, we also managed to delete any file available in the other directory, an attacker can make use of the capability of arbitrary file deletion to circumvent some security measures and to execute arbitrary code on the webserver.

passwd file content

Mitigation: To protect the application from this weakness it is advised to follow these instructions:

  • Normalizing user-supplied input against such attacks like Path/Directory Traversal