Bug #15839

closed

``diag_packet_capture.php`` uses ``viewdetail`` and ``viewtype`` values in command execution without validation or encoding

Added by James Kim 10 months ago. Updated 10 months ago.

Status: Rejected
Priority: Normal
Assignee:
Category: Packet Capture
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version:
Affected Architecture:

Description

I. Problem Description

A potential authenticated arbitrary command execution vulnerability was found in
diag_packet_capture.php, a component of the pfSense Plus and pfSense CE software GUI.

When performing a packet capture on packet_capture.php, the submitted POST
"viewdetail" or "viewtype" values are not validated. Subsequently, the submitted values
are used in shell commands.

This problem is present on the latest version of pfSense Plus, pfSense CE.

II. Impact

Due to a lack of escaping on commands in the functions being called, it is
possible to execute arbitrary commands with a properly formatted submission
value for "viewdetail" or "viewtype" in POST operations.

The user must be logged in and have sufficient privileges to access
packet_capture.php.

III. Patch

This vulnerability can be prevented by using the function escapeshellarg() on line 761 of the file diag_packet_capture.php:

761 $plog_file_current = $pcap_files_root . '/packetcapture-'. $input_viewdetail . (empty($cmd_part_lookup) ? '' : '-lookup') . (empty($cmd_part_viewtype) ? '' : '-' . $input_viewtype) . $pcap_file_suffix . '.plog';

+761 $plog_file_current = $pcap_files_root . '/packetcapture-'. escapeshellarg($input_viewdetail) . (empty($cmd_part_lookup) ? '' : '-lookup') . (empty($cmd_part_viewtype) ? '' : '-' . escapeshellarg($input_viewtype)) . $pcap_file_suffix . '.plog';
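Review bot: applying escapeshellarg() to the fragments $input_viewdetail and $input_viewtype while the filename is being concatenated embeds literal single quotes in $plog_file_current (escapeshellarg('full') returns 'full' wrapped in quotes on POSIX systems), so the resulting path would no longer match the file on disk; if shell escaping is wanted, apply it once to the complete path at the point where it is interpolated into a command, not to the pieces of the path. As the follow-up discussion on this issue notes, both values are already matched against fixed lists and replaced with defaults on mismatch, so this line does not receive arbitrary input in the first place.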

Actions #1

Updated by James Kim 10 months ago

Category is not Authentication; Packet Capture is proper.

Actions #2

Updated by Jim Pingle 10 months ago

  • Category changed from Authentication to Packet Capture
  • Status changed from New to Feedback
  • Assignee set to Jim Pingle

In the future, please submit security concerns privately via the process documented at https://www.netgate.com/security -- Keeping public for now since it was submitted publicly, but these matters should be handled via proper disclosure procedures and not posted publicly.

Have you actually been able to execute a command the way you describe or are you only stating it's vulnerable by looking at the source code?

Those values are validated before use, but they revert to default values for invalid input rather than printing an error. I have tried numerous methods and have not yet been successful with any attempt at bypassing the validation. If you have managed to execute commands through those variables I am interested in your specific values and methods.

See source:src/usr/local/www/diag_packet_capture.php#L687. The blocks from around lines 687-758 handle both viewdetail and viewtype -- each is matched against specific valid strings and if none are matched, the value of $input_viewdetail and/or $input_viewtype is replaced by a specific valid default value. So while those variables are not run through escapeshellarg() before use in a shell command, they are always known values from specific lists of valid strings. Neither allows arbitrary user input.
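
The validation pattern described in the comment above, as an added example that is not pfSense's code and is not taken from diag_packet_capture.php: the option lists, the function names sanitize_view_option(), build_plog_path() and shell_read_command(), and the /root capture directory are assumptions for illustration. It shows the allowlist-with-default-fallback pattern, why a non-matching POST value never reaches the filename or any shell command, and why escapeshellarg() belongs on the whole path at the point of shell use rather than on the path fragments as the proposed patch suggests.

```php
<?php
declare(strict_types=1);

// Added illustration, not pfSense code. The option lists below are assumptions
// standing in for the "specific valid strings" that the discussion says
// diag_packet_capture.php matches against; the real lists may differ.
const VIEWDETAIL_OPTIONS = ['normal', 'medium', 'high', 'full'];
const VIEWTYPE_OPTIONS   = ['default', 'verbose', 'ascii', 'hex'];

/**
 * Allowlist with default fallback: return $value only if it is exactly one of
 * $allowed; anything else silently becomes $default. Strict comparison so that
 * values such as "0" or "full\n" cannot match through type juggling.
 */
function sanitize_view_option(?string $value, array $allowed, string $default): string
{
    return ($value !== null && in_array($value, $allowed, true)) ? $value : $default;
}

/**
 * Build the .plog filename the way the quoted line does, but only from
 * allowlisted literals. No escaping is applied to the fragments: after
 * sanitizing, they cannot contain shell metacharacters.
 */
function build_plog_path(string $root, ?string $viewdetail, ?string $viewtype, bool $lookup): string
{
    $detail = sanitize_view_option($viewdetail, VIEWDETAIL_OPTIONS, 'normal');
    $type   = sanitize_view_option($viewtype, VIEWTYPE_OPTIONS, 'default');
    return $root . '/packetcapture-' . $detail
         . ($lookup ? '-lookup' : '')
         . ($type === 'default' ? '' : '-' . $type)
         . '.plog';
}

/**
 * If a path must be placed in a shell command, escape the whole path once at
 * that point. On POSIX systems escapeshellarg() wraps its argument in single
 * quotes, which is why applying it to path fragments during concatenation
 * (as the proposed patch does) corrupts the filename instead of hardening it.
 */
function shell_read_command(string $plog_path): string
{
    return 'cat ' . escapeshellarg($plog_path);
}

function self_check(): void
{
    $root = '/root';   // assumed capture directory for this example

    // Valid selections pass through unchanged.
    $ok = build_plog_path($root, 'full', 'hex', true);
    if ($ok !== '/root/packetcapture-full-lookup-hex.plog') {
        throw new RuntimeException("unexpected path: $ok");
    }

    // Constructed injection attempt: neither value is in its list, so both fall
    // back to the default and never reach the path or any shell command.
    $inj = build_plog_path($root, "full'; id #", "hex\$(id)", false);
    if ($inj !== '/root/packetcapture-normal.plog') {
        throw new RuntimeException("injection reached path: $inj");
    }

    // Escaping at the point of use quotes the entire path exactly once.
    if (shell_read_command($ok) !== "cat '/root/packetcapture-full-lookup-hex.plog'") {
        throw new RuntimeException('escaping at point of use failed');
    }

    // Fragment-level escaping, as in the proposed patch, embeds quotes in the name.
    $fragmentEscaped = $root . '/packetcapture-' . escapeshellarg('full') . '.plog';
    if ($fragmentEscaped !== "/root/packetcapture-'full'.plog") {
        throw new RuntimeException('escapeshellarg did not behave as expected');
    }
    echo "all checks passed\n";
}

self_check();
```

Run it with `php example.php`. The point of the strict in_array() check is that validation here is by identity with a known literal, so the question of escaping the fragments does not arise; escaping only becomes relevant for the assembled path if it is handed to a shell, and then it is applied to the full string once.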

Actions #3

Updated by James Kim 10 months ago

In the future, I will report new security concerns through the link.

As you mentioned, arbitrary inputs are replaced by the switch default and are safe. I apologize for taking up your time by not submitting it after more careful consideration.

Actions #4

Updated by Jim Pingle 10 months ago

  • Status changed from Feedback to Rejected
  • Priority changed from Urgent to Normal