-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
pfSense-SA-14_08.webgui                                    Security Advisory
                                                                     pfSense

Topic:          Arbitrary Code Execution

Category:       pfSense Base System
Module:         webgui
Announced:      2014-06-06
Credits:        Peter van Dijk
Affects:        pfSense <= 2.1.3
Corrected:      2014-06-06 14:48:05 UTC (pfsense/master)
                2014-06-06 14:54:05 UTC (pfsense/RELENG_2_1, pfSense 2.1.4)

0.   Revision History

v1.0  2014-06-06  Initial release.

I.   Background

pfSense is a free network firewall distribution. pfSense is based on the
FreeBSD operating system with a custom kernel and other changes. pfSense
includes third-party free software packages for additional functionality.
pfSense provides most of the functionality of common commercial firewalls,
and much more.

pfSense includes a web interface for the configuration of all included
components. Knowledge of FreeBSD is not necessary. Unlike similar
GNU/Linux-based firewall distributions, there is no need for any UNIX
knowledge. The command line is never used, and there is no need to ever
manually edit any rule sets. The majority of pfSense users have never
installed or used a stock FreeBSD system.

Users familiar with commercial firewalls will quickly understand the web
interface. Users unfamiliar with commercial-grade firewalls may encounter a
short learning curve.

II.  Problem Description

A command-injection vulnerability exists in status_services.php. This allows
authenticated WebGUI users with privileges for status_services.php to execute
commands in the context of the root user. A logged-in user could also be
deceived into loading a specially-crafted URL, permitting a command supplied
by a remote attacker to be executed.

III. Impact

A user granted limited access to the pfSense web GUI, including access to
status_services.php via the "WebCfg - Firewall: Status: Services"
permission, could leverage this vulnerability to gain increased privileges,
read arbitrary files, execute commands, or perform other alterations.

Because the parameter in question is passed by GET, it can bypass other
protections and be triggered via a malicious iframe or other similarly
styled attack. This attack vector is viable only if the administrator is
logged into the firewall while loading the malicious page in the same
browser and the remote attacker can guess, or otherwise obtain, the local
IP address or hostname of the firewall.

IV.  Workaround

The issues may be mitigated by restricting access to the firewall GUI both
with firewall rules and by not allowing untrusted users to have accounts
with GUI access.

The risk of such attacks being triggered remotely may also be lowered by not
using the same web browser process for firewall management and general
browsing. Additionally, using an uncommon firewall hostname and IP
addressing scheme lowers the risk of a successful attack from a source with
no knowledge of the target network.

V.   Solution

Perform one of the following:

1) Upgrade to pfSense 2.1.4 upon its release. This may be performed in the
   web interface or from the console. See
   https://doc.pfsense.org/index.php/Upgrade_Guide

2) To update a vulnerable system via a source code patch:

   Apply the following changes manually or by using the System Patches
   package:
   https://github.com/pfsense/pfsense/commit/cbf16c3020be196a8d3798761bda0b545a6bca3d
   https://github.com/pfsense/pfsense/commit/4cc342453cce69fc8da06ff22bbe79aadb7bd4df
   https://github.com/pfsense/pfsense/commit/ad03afb62ab39cad2614ae4226a6444b6f3b569d

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- - -------------------------------------------------------------------------
pfSense/master                       2f9951fe0e401ed231d61b8c3ad75531a6dbb797
pfSense/RELENG_2_1                   cbf16c3020be196a8d3798761bda0b545a6bca3d
                                     4cc342453cce69fc8da06ff22bbe79aadb7bd4df
                                     ad03afb62ab39cad2614ae4226a6444b6f3b569d
- - -------------------------------------------------------------------------

VII. References

None.

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJTqwcAAAoJEBO5h/2SFPja3LQP/iH/CgFo+Id3tJegqMFhysyY
ufOeivP9lbeRaUsqy+HQemZFHQm7x0TPqYbRovv15Wm8gz51C60ZWiY96+P0Lbir
EBUE129ICnWyLpy8/duDSqiOKsqvPTuJyepg4LGdZlnD+04MryVgcPUOTER1Zwgt
2xOc7WdxnUnfP+KdhSBlpVsbFIRSGiawjg2IEWxJUVL5CL03TwIKAMiGlywvjhOj
NWlETF7dVJJYfZJ/jh/qxolUTK9vtpDWIl31acsC7QRXIpFz5tc/evHn/iQlgpFu
M8vPw7PliMhepDqs4BxEz/yulQSRsk9NOYJO9YJpYAmtDoMhGHupi3vy6UHpIPRb
jZzFrLvaLcXxSv+dI5rR/KQdydrEy4aSLGERH0hxI2QqA3YxMacgq5/DIdzdEVxc
9ush4x0kbg5nLgFhWJJmam6IiLrud64IEznyZDQRzNPRlJQwcFhOqkJmn/iFDVA5
B9QXMEUUDWQ4njdd03AXKuLGb/j0UrYA3srreLsY0GZn7/De3iEJN0SJmAjo3oI5
L9ii6w2XU2EZsMGC6SXQPjnfAXWochsYKxaqM7WpygVcPvGPaYnPyHlz03KArvqo
b/OLZ6/DWGv2jcQbjXp5dVOkA3kraYTP1VZHl2jpuGUZIkRbGod9lFnzEEHo9kWL
9aoGzXmbbjy3lJXNvauO
=aGZp
-----END PGP SIGNATURE-----
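As an added example, not part of the advisory and not pfSense's own code, the following Python script shows one way a defender could look through the GUI web server's access log for the two request patterns sections II and III describe: requests to status_services.php whose URL-decoded GET parameters contain shell metacharacters, and GET requests to that page referred from a page outside the firewall (the cross-site iframe pattern). It assumes Apache/nginx "combined" access-log lines and that the firewall is reached under one of the host names passed to scan(); the parameter names in the sample lines (svc, mode) are placeholders, since the advisory does not name the affected parameter, and the log lines themselves are constructed.

```python
"""Added example (not pfSense project code): flag web-GUI requests to
status_services.php that match the command-injection / cross-site request
pattern described in pfSense-SA-14_08.webgui.

Assumptions (not from the advisory): combined-format access logs, the
firewall's own host names are known to the caller, and the parameter names
'svc' and 'mode' in the sample lines are placeholders, not the real ones.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Characters a shell uses to chain, redirect or substitute commands.
# A legitimate service name never contains any of them.
SHELL_META = re.compile(r'[;&|`$<>\n\r]')

WATCHED_PAGE = "/status_services.php"


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def foreign_referer(referer, firewall_hosts):
    """True if the request was referred by a page not served by the firewall itself.
    An empty or '-' referer is not flagged: direct navigation is normal."""
    if referer in ("", "-"):
        return False
    host = (urlsplit(referer).hostname or "").lower()
    return host not in {h.lower() for h in firewall_hosts}


def analyze(line, firewall_hosts):
    """Return a finding dict for one suspicious status_services.php request, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    url = urlsplit(rec["target"])
    if url.path != WATCHED_PAGE:
        return None
    reasons = []
    # parse_qsl percent-decodes, so %3B is seen as ';' just as PHP's $_GET sees it
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if SHELL_META.search(value):
            reasons.append("shell_metachar:" + name)
    # The advisory's cross-site vector is a GET triggered from another site
    if rec["method"] == "GET" and foreign_referer(rec["referer"], firewall_hosts):
        reasons.append("foreign_referer")
    if not reasons:
        return None
    return {"ip": rec["ip"], "user": rec["user"], "time": rec["time"],
            "target": rec["target"], "reasons": reasons}


def scan(lines, firewall_hosts):
    """Run analyze() over an iterable of log lines and collect the findings."""
    return [f for f in (analyze(line, firewall_hosts) for line in lines) if f]


# Constructed sample lines (not real traffic); 'svc' and 'mode' are placeholder names.
SAMPLE_LOG = [
    '192.0.2.10 - admin [06/Jun/2014:15:01:02 +0000] "GET /status_services.php HTTP/1.1" 200 5120 '
    '"https://fw.example.internal/index.php" "Mozilla/5.0"',
    '192.0.2.10 - admin [06/Jun/2014:15:02:17 +0000] "GET /status_services.php?mode=restart&svc=dhcpd HTTP/1.1" 200 4870 '
    '"https://fw.example.internal/status_services.php" "Mozilla/5.0"',
    '192.0.2.10 - admin [06/Jun/2014:15:03:44 +0000] "GET /status_services.php?mode=restart&svc=dhcpd%3Btrue HTTP/1.1" 200 4870 '
    '"-" "Mozilla/5.0"',
    '192.0.2.10 - admin [06/Jun/2014:15:05:09 +0000] "GET /status_services.php?mode=restart&svc=dhcpd HTTP/1.1" 200 4870 '
    '"http://third-party.example/page.html" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, ["fw.example.internal", "192.0.2.1"]):
        print(finding["time"], finding["user"], finding["target"], ",".join(finding["reasons"]))
```

Run against the constructed sample, the first two lines are ordinary use of the page and produce nothing; the third is flagged because its decoded parameter carries a command separator, and the fourth because a GET to the page arrived from a page on another host, the precondition the advisory gives for the remote variant. A real deployment would feed the firewall's actual access log and host names into scan() and route findings to whatever alerting is in place.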