┴┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┴
│ Exploit Title: pfSense <= 2.0.1 XSS & CSRF during IPSec XAuth authentication
│ Date: 04/01/2013
│ Author: Dimitris Strevinas
│ Vendor or Software Link: www.pfsense.org
│ Version: <= 2.0.1
│ Category: Semi-Persistent XSS & CSRF
│ Google dork:
│ Tested on: FreeBSD
┬┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┬
pfSense UTM distribution description
┌────────────────────────────────────┘
pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. pfSense is a popular project with more than 1 million downloads since its inception, and proven in countless installations ranging from small home networks protecting a PC and an Xbox to large corporations, universities and other organizations protecting thousands of network devices.
This project started in 2004 as a fork of the m0n0wall project, but focused towards full PC installations rather than the embedded hardware focus of m0n0wall. pfSense also offers an embedded image for Compact Flash based installations, however it is not our primary focus.
[source: www.pfsense.org]
The IPSec VPN functionality on pfSense is implemented using the Racoon vpn concentrator software.
Vulnerability Summary
┌──────────────────────┘
pfSense versions 2.0.1 and prior are vulnerable to semi-persistent XSS and CSRF attack vectors, exploited by sending Javascript/HTML code as a username during the XAuth user authentication phase.
XAUTH provides extended authentication for IPSec telecommuters by using authentication schemes such as RADIUS or internal user databases. [source: www.ciscopress.org]
The vulnarability lies in diag_logs_ipsec.php which does not properly escape HTML characters in the Racoon log files.
It is assumed that the attacker has successfully completed IPSEC Phase 1 and Phase 2 based on one of the following schemes:
. Mutual RSA
. Mutual PSK
. Hybrid RSA
It should also be noted that newer pfSense version use CSRF-magic on the majority of Web GUI forms, thus the CSRF exploitation likelihood is minimized at least in the standard installation.
Exploit Path
┌─────────────┘
1) Perform the Phase 1 and Phase 2 using a VPN Client and known credentials/certificates
2) During the XAuth provide a username like "><script>alert("XSS")</script> and a random password
3) The reflection of the XSS/CSRF is in the logs under Status > System Logs > IPSec
The XSS "time-to-live" depends on the Racoon logging verbosity, max number of log lines and vpn activity. Nevertheless, it can be resubmitted to be shown again on top.
Solution
┌─────────┘
Patch available by vendor, streamlined to 2.1
URL: http://redmine.pfsense.org/projects/pfsense-tools/repository/revisions/0675bde3039a94ee2cadc360875095b797af018f
Credits & Contact
┌──────────────────┘
Dimitris Strevinas
Obrela Security Industries
CONTACT: www.obrela.com
