=============================================================================
pfSense-SA-16_07.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Arbitrary Code Execution

Category:       pfSense Base System
Module:         webgui
Announced:      2016-06-09
Credits:        Patrick Ungeheuer
Affects:        pfSense <= 2.3.1_1
Corrected:      2016-06-08 23:02:26 UTC (pfSense/master, pfSense 2.4)
                2016-06-08 22:50:12 UTC (pfSense/RELENG_2_3, pfSense 2.3.x)
                2016-06-08 23:03:52 UTC (pfSense/RELENG_2_3_1, pfSense 2.3.1_x)

0.   Revision History

v1.0  2016-06-09  Initial release

I.   Background

The pfSense® system is a free network firewall distribution based on the
FreeBSD operating system. The pfSense system includes third-party free
software packages for additional functionality, and provides most of the
functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge. The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may
encounter a short learning curve.

II.  Problem Description

A command-injection vulnerability exists in pkg_mgr_install.php using the 'id'
parameter. This allows an authenticated WebGUI user with privileges for
pkg_mgr_install.php to execute commands in the context of the root user.

III. Impact

A user on pfSense version 2.3.1_1 or earlier, granted limited access to the
pfSense web configurator GUI, including access to pkg_mgr_install.php, could
leverage this vulnerability to gain increased privileges, read other files,
execute commands, or perform other alterations.

Some characters, such as '/' and '-', were filtered, which limits the number
of commands that could be executed using this vulnerability.

This is not relevant for admin-level users, as there are other deliberate
means by which an administrator could run commands.

IV.  Workaround

The issue can be mitigated by restricting access to the firewall GUI, both
with firewall rules and by not allowing untrusted users to have accounts with
GUI access, and by not granting untrusted administrators access to the pages
in question.

V.   Solution

Upgrade to pfSense 2.3.1_5. This may be performed in the web interface or from
the console.

See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each affected
item.

VII. References

The latest revision of this advisory is available at
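
The Problem Description names pkg_mgr_install.php and its 'id' parameter, so one way to review WebGUI access logs for requests that deserve a closer look is an allowlist check on that parameter. This is an added example, not part of the advisory or of pfSense code; the log format, the allowed character set, the sample lines and the assumption that 'id' appears in the query string are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

TARGET = "/pkg_mgr_install.php"            # page named in the advisory
# Assumption: a legitimate package id uses only these characters.
SAFE_ID = re.compile(r"[A-Za-z0-9_.+-]+")
# Assumption: combined-log style request field, "METHOD URI HTTP/x.y".
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def suspicious_ids(line):
    """Return decoded 'id' values in one log line that fail the allowlist."""
    m = REQUEST.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("uri"))
    if parts.path != TARGET:
        return []
    values = parse_qs(parts.query, keep_blank_values=True).get("id", [])
    # fullmatch() rejects trailing newlines that '$' would let through.
    return [v for v in values if not SAFE_ID.fullmatch(v)]

def scan(lines):
    """Return (line_number, value) for every flagged request, in order."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits.extend((n, v) for v in suspicious_ids(line))
    return hits

# Constructed sample lines (documentation addresses, made-up package name).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jun/2016:10:00:01 +0000] '
    '"GET /pkg_mgr_install.php?id=example-pkg HTTP/1.1" 200 5120',
    '192.0.2.44 - - [09/Jun/2016:10:03:17 +0000] '
    '"GET /pkg_mgr_install.php?id=example-pkg%3Bx HTTP/1.1" 200 4980',
    '192.0.2.44 - - [09/Jun/2016:10:03:40 +0000] '
    '"GET /pkg_mgr_install.php?id=example-pkg%0Ax HTTP/1.1" 200 4980',
    '192.0.2.10 - - [09/Jun/2016:10:05:02 +0000] '
    '"GET /index.php?id=a%3Bb HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for lineno, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: unexpected id value {value!r}")
```

Access logs normally do not record POST bodies, so a clean result here only covers values passed in the URL.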