# [CVE-2019-12949] From Cross Site Scripting Vulnerability to Remote Code Execution in pfSense 2.4.4-p2 and 2.4.4-p3

## Information Description:

In pfSense 2.4.4-p2 and 2.4.4-p3, if it is possible to trick the authenticated administrator into clicking on a button on a phishing page, an attacker can upload arbitrary executable code via diag_command.php and rrd_fetch_json.php to a server. Then, the remote attacker can run any command with root privileges on that server.

**Researcher: Enter of The Tarantula Team, VinCSS (a member of Vingroup)**

# PoC XSS
Attack vector: **https://pfSense_IP_Address/rrd_fetch_json.php**

Send a POST request:

```html
```

# XSS to RCE

An attacker can create a phishing site like this to exploit the XSS vulnerability in pfSense:

```html
```

The payload.js file on the attacker's server will contain the following JavaScript code (payload):

```javascript
```

The shell.txt file on the attacker's server will contain any PHP webshell contents, like this:

```php
```

Finally, the attacker tricks an authenticated pfSense administrator (the victim) into visiting the phishing site and clicking its 'Submit' button. The victim is then redirected to the pfSense admin site, and the attacker's webshell is automatically written to the pfSense server.

From there, the remote attacker can execute arbitrary code as root on the pfSense server:

```
https://[PFsense-domain]/a.php?cmd=whoami
https://[PFsense-domain]/a.php?cmd=ls
```
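The chain above leaves two recognisable traces in the firewall's web-server access log: a request to diag_command.php or rrd_fetch_json.php whose Referer is not the GUI itself (the victim's browser submitting on behalf of the phishing page), and a later request to a PHP file that is not part of the shipped GUI carrying a `cmd` parameter (the dropped webshell being driven). The script below is an added detection example written for this page, not code from the advisory or from pfSense; it assumes a combined-format access log, a constructed GUI hostname (`fw.example.internal`) and a constructed, deliberately tiny allowlist of GUI pages (`KNOWN_GUI_PAGES`). The sample log lines are constructed, not real pfSense output.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hostname the firewall GUI is legitimately served on (assumed value for this example).
PFSENSE_HOST = "fw.example.internal"

# Endpoints the advisory names as reachable cross-site from the phishing page.
CROSS_SITE_SENSITIVE = {"/diag_command.php", "/rrd_fetch_json.php"}

# Allowlist of PHP pages that ship with the GUI. Constructed and incomplete here; in
# practice generate it from the files actually installed under the web root.
KNOWN_GUI_PAGES = {"/index.php", "/diag_command.php", "/rrd_fetch_json.php", "/status_graph.php"}

# Combined log format as written by nginx/Apache (assumed; pfSense's own format may differ).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: one legitimate GUI call, one cross-site call to
# diag_command.php, one webshell invocation, one plain direct GUI visit.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Jun/2019:10:00:01 +0000] "GET /rrd_fetch_json.php HTTP/1.1" 200 512 '
    '"https://fw.example.internal/status_graph.php" "Mozilla/5.0"',
    '10.0.0.5 - - [20/Jun/2019:10:01:13 +0000] "POST /diag_command.php HTTP/1.1" 200 2048 '
    '"https://phish.example.net/index.html" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Jun/2019:10:02:00 +0000] "GET /a.php?cmd=whoami HTTP/1.1" 200 16 '
    '"-" "curl/7.64.1"',
    '10.0.0.5 - - [20/Jun/2019:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 3000 '
    '"-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Lower-cased hostname from a Referer value; None when absent ('-' or empty)."""
    if not referer or referer == "-":
        return None
    return (urlsplit(referer).hostname or "").lower()


def analyse(entry):
    """Return a list of finding strings for one parsed log entry."""
    findings = []
    parts = urlsplit(entry["target"])
    path = parts.path
    query = parse_qs(parts.query)

    # 1. A call to a sensitive endpoint whose Referer is missing or belongs to another
    #    host is the shape the phishing flow produces. A missing Referer also occurs on
    #    direct navigation, so treat this as a lead to triage, not proof on its own.
    if path in CROSS_SITE_SENSITIVE:
        rh = referer_host(entry["referer"])
        if rh != PFSENSE_HOST:
            findings.append(f"cross-site request to {path} (referer host: {rh or 'none'})")

    # 2. A PHP file outside the shipped GUI being called with a 'cmd' parameter matches
    #    the post-exploitation pattern shown in the advisory (a.php?cmd=...).
    if path.endswith(".php") and path not in KNOWN_GUI_PAGES and "cmd" in query:
        findings.append(f"unknown PHP page {path} called with cmd={query['cmd'][0]!r}")

    return findings


def scan(lines):
    """Run analyse() over raw log lines and collect findings with their source entry."""
    results = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        for finding in analyse(entry):
            results.append({"ip": entry["ip"], "target": entry["target"], "finding": finding})
    return results


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(f"{r['ip']:15} {r['target']:40} {r['finding']}")
```

Both checks are heuristics. The Referer check only catches browsers that send one, so it belongs alongside the real fix (upgrading pfSense and verifying the anti-CSRF token is enforced on the affected pages); the allowlist check is most useful when the allowlist is generated from the installed package contents rather than hand-maintained, and an unexpected PHP file appearing under the web root is worth alerting on even before anyone calls it.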