A weak firewall can cost you a lot and most importantly if the firewall is very feeble in countering the un-authorized access, there is a clear cut way to expose the targeted sensitive data along with:

  • Illegal access to protected information
  • Manipulation of the credential data
  • Spread, Span or Scam the sensitive data
  • Access illegal sites/ Downloads illegal softwares etc.,

During a part of our research program, we came across such flaccid firewall of a renowned network protector, pfSense., which typically serves as DHCP server, DNS server, WIFI access point, and VPN server which run on the same hardware device. Many small and medium enterprises implement pfSense which is captioned as world’s most trusted open source firewall.

This software easily paves the path to un-ethical intruders to access the sensitive information available in the root directories, read them and can delete them effortlessly but cannot write them. We have also observed here that, pfSense is vulnerable to this type of attack as it is depending on third party libraries to address some functionality.

We have furnished our research process in detail to bring awareness on how easily the firewall can be bypassed to attack the crucial data.

Repository: – https://github.com/pfsense/pfsense-packages/tree/master/config/pfblockerng

Issues: – Arbitrary file download and deletion in pfblockerNG package.

Vulnerability Description: – The software does not strongly restrict or incorrectly restricts the access to a resource from an unauthorized actor.

Steps to reproduce:

  • Login as an admin and visit https://192.168.1.1/pfblockerng/pfblockerng_log.php.
  • Select log/file type (like DNSBL files).
  • For (DNSBL files), select file from log/file selection. For example, taking the first one in our case (Abuse_DOMBL.txt).
  • Now you’ll be able to see the log file details (like log file path and option to download, delete).
  • To reproduce the issue, click on delete option you’ll see the prompt. Before clicking ‘ok’ intercept the POST request and modify the “logfile” parameter to ‘/usr/local/www/crash_reporter.php ’ and forward the request.
  • Similarly for download file option, intercept the POST request and modify the “logfile” parameter to ‘/etc/passwd ’ and forward the request.

Exploitation:

An attacker can exploit the delete in pfblockerNG, log browser functionality to remove files available in the project directory.

Apart from that particular file, we also managed to delete the any file available in the other directory; an attacker can make use of the capability of arbitrary file deletion to circumvent some security measures and to execute arbitrary code on the webserver.

passwd file content

Mitigation: To protect the application from this weakness it is advised to follow these instructions:

  • Normalizing user-supplied input against such attacks like Path/Directory Traversal

Conclusion:

Loginsoft is a dedicated web security assessment and research company with an exceptional team of white hat professionals who are always on job to assist on-demand open source applications from the perspective of cyber security. We are ever ready to offer our assistance to strengthen your security walls.

Stay Alert. Stay Secure
Loginsoft