Shield your Firewall to Strive Against Sensitive Data Disclosure

Q: How can this vulnerability be mitigated?

Mitigation involves implementing strict input normalization to block directory traversal attacks, updating to patched pfBlockerNG versions, and following secure coding practices for resource access restrictions.

Introduction

Firewalls are critical barriers in network security, but weaknesses in their configuration or underlying software can expose sensitive data to unauthorized access. This blog post explores a specific vulnerability discovered in pfSense, a widely trusted open-source firewall solution popular among small and medium enterprises. The issue, stemming from the pfBlockerNG package, allows authenticated attackers to perform arbitrary file reads and deletions through path traversal attacks, potentially leading to data disclosure, system disruption, or further exploitation.

Key Takeaways

pfSense's pfBlockerNG package is vulnerable to path traversal, enabling authenticated admins to download sensitive files (e.g., /etc/passwd) or delete arbitrary files.
The vulnerability arises from insufficient input validation and reliance on third-party libraries, allowing bypass of access restrictions.
Attackers can exploit this to read protected information, delete critical files, or facilitate code execution on the server.
Mitigation involves normalizing user input to prevent directory traversal attacks and applying relevant patches.

A weak firewall can cost you a lot and most importantly if the firewall is very feeble in countering the un-authorized access, there is a clear cut way to expose the targeted sensitive data along with:

Illegal access to protected information
Manipulation of the credential data
Spread, Span or Scam the sensitive data
Access illegal sites/ Downloads illegal softwares etc.,

During a part of our research program, we came across such flaccid firewall of a renowned network protector, pfSense., which typically serves as DHCP server, DNS server, WIFI access point, and VPN server which run on the same hardware device. Many small and medium enterprises implement pfSense which is captioned as world's most trusted open source firewall.

This software easily paves the path to un-ethical intruders to access the sensitive information available in the root directories, read them and can delete them effortlessly but cannot write them. We have also observed here that, pfSense is vulnerable to this type of attack as it is depending on third party libraries to address some functionality.

We have furnished our research process in detail to bring awareness on how easily the firewall can be bypassed to attack the crucial data.

Repository: - https://github.com/pfsense/pfsense-packages/tree/master/config/pfblockerng

Issues: - Arbitrary file download and deletion in pfblockerNG package.

Vulnerability Description: - The software does not strongly restrict or incorrectly restricts the access to a resource from an unauthorized actor.

Steps to reproduce:

Login as an admin and visit https://192.168.1.1/pfblockerng/pfblockerng_log.php.
Select log/file type (like DNSBL files).
For (DNSBL files), select file from log/file selection. For example, taking the first one in our case (Abuse_DOMBL.txt).
Now you'll be able to see the log file details (like log file path and option to download, delete).
To reproduce the issue, click on delete option you'll see the prompt. Before clicking 'ok' intercept the POST request and modify the "logfile" parameter to '/usr/local/www/crash_reporter.php' and forward the request.

Similarly for download file option, intercept the POST request and modify the 'logfile' parameter to '/etc/passwd' and forward the request.

Exploitation:

An attacker can exploit the delete in pfblockerNG, log browser functionality to remove files available in the project directory.

Apart from that particular file, we also managed to delete the any file available in the other directory; an attacker can make use of the capability of arbitrary file deletion to circumvent some security measures and to execute arbitrary code on the webserver.

passwd file content

Mitigation: To protect the application from this weakness it is advised to follow these instructions:

Normalizing user-supplied input against such attacks like Path/Directory Traversal

Conclusion:

Loginsoft is a dedicated web security assessment and research company with an exceptional team of white hat professionals who are always on job to assist on-demand open source applications from the perspective of cyber security. We are ever ready to offer our assistance to strengthen your security walls.

FAQs

1. What is the main vulnerability discussed in this pfSense issue?

The pfBlockerNG package in pfSense suffers from a path traversal vulnerability, allowing arbitrary file downloads and deletions by manipulating the 'logfile' parameter in POST requests.

2. Who can exploit this vulnerability?

It requires authentication as an admin user, so it's exploitable by anyone with valid admin credentials or through credential compromise.

3. What files can be accessed or deleted?

Attackers can download readable files like /etc/passwd and delete files across directories, including those outside the intended project scope (though writing new files is not possible).

4. How can this vulnerability be mitigated?

Implement strict input normalization to block path/directory traversal attacks, update to patched versions of pfBlockerNG, and follow secure coding practices for resource access restrictions.

5. Is pfSense still recommended despite this vulnerability?

pfSense remains a powerful open-source firewall, but organizations should apply security updates promptly, monitor for vulnerabilities, and conduct regular security assessments.