Bug #15839
Status: Closed
Subject: diag_packet_capture.php uses viewdetail and viewtype values in command execution without validation or encoding
Description
I. Problem Description
A potential authenticated arbitrary command execution vulnerability was found in
diag_packet_capture.php, a component of the pfSense Plus and pfSense CE software GUI.
When performing a packet capture on diag_packet_capture.php, the submitted POST
"viewdetail" and "viewtype" values are not validated. The submitted values are
subsequently used in shell commands.
This problem is present on the latest versions of pfSense Plus and pfSense CE.
II. Impact
Because the commands built in the functions being called do not escape these values, it is
possible to execute arbitrary commands with a suitably formatted "viewdetail" or
"viewtype" value in a POST request.
The user must be logged in and have sufficient privileges to access
diag_packet_capture.php.
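As an added illustration of the two layers of defence involved here (input validation and escaping at the point the command is built), the following is example code, not pfSense's own. The allowed values, the capture directory and the command it builds are assumptions for demonstration only; the real set of form values is defined by pfSense.

```php
<?php
// Added example, not pfSense code. Shows why quoting a path fragment is the
// wrong layer and how to validate the input and quote the whole argument instead.

const PCAP_FILES_ROOT = '/root';   // assumed capture directory, illustration only

// Hypothetical allow-lists; the real set of values comes from pfSense's form.
const ALLOWED_VIEWDETAIL = ['normal', 'medium', 'high', 'full'];
const ALLOWED_VIEWTYPE   = ['hex', 'ascii'];

/**
 * Reject anything that is not one of the expected form values.
 * Validating at the input layer stops a hostile value before it is
 * concatenated into a filename or a command string.
 */
function validate_choice(string $value, array $allowed, string $field): string {
    if (!in_array($value, $allowed, true)) {
        throw new InvalidArgumentException("Invalid value for {$field}");
    }
    return $value;
}

/** Build the .plog path from already-validated values (no escaping here). */
function plog_path(string $viewdetail, string $viewtype, bool $lookup): string {
    return PCAP_FILES_ROOT . '/packetcapture-' . $viewdetail
        . ($lookup ? '-lookup' : '')
        . ($viewtype !== '' ? '-' . $viewtype : '')
        . '.plog';
}

/** Escaping wraps the whole argument where the shell command is assembled. */
function build_view_cmd(string $plog_file): string {
    return '/bin/cat ' . escapeshellarg($plog_file);   // assumed command, for illustration
}

// Constructed input containing shell metacharacters, for demonstration only.
$bad = 'high; id';

// 1. Escaping a fragment embeds literal single quotes in the filename string.
//    PHP now holds a path that differs from the real file name, and a second
//    escapeshellarg() on the full path would quote those quotes again.
$frag = PCAP_FILES_ROOT . '/packetcapture-' . escapeshellarg($bad) . '.plog';
echo "fragment-escaped path: {$frag}\n";

// 2. Allow-list validation rejects the payload outright.
try {
    validate_choice($bad, ALLOWED_VIEWDETAIL, 'viewdetail');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// 3. With validated input, quoting the complete path yields a safe command.
$path = plog_path(
    validate_choice('high', ALLOWED_VIEWDETAIL, 'viewdetail'),
    validate_choice('ascii', ALLOWED_VIEWTYPE, 'viewtype'),
    true
);
echo "command: ", build_view_cmd($path), "\n";
```

Run it with `php example.php`; the first line of output shows the quote characters that fragment-level escaping leaves inside the filename, while the last line shows the single, correctly quoted argument produced when the whole path is escaped once.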
III. Patch
This vulnerability can be mitigated by applying escapeshellarg() on line 761 of diag_packet_capture.php:
761 $plog_file_current = $pcap_files_root . '/packetcapture-'. $input_viewdetail . (empty($cmd_part_lookup) ? '' : '-lookup') . (empty($cmd_part_viewtype) ? '' : '-' . $input_viewtype) . $pcap_file_suffix . '.plog';
+761 $plog_file_current = $pcap_files_root . '/packetcapture-'. escapeshellarg($input_viewdetail) . (empty($cmd_part_lookup) ? '' : '-lookup') . (empty($cmd_part_viewtype) ? '' : '-' . escapeshellarg($input_viewtype)) . $pcap_file_suffix . '.plog';
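Review bot: on the +761 line escapeshellarg() is applied to two fragments of a filename ($input_viewdetail and $input_viewtype) rather than to a complete command argument. escapeshellarg() wraps its input in single quotes, so those quote characters become part of $plog_file_current itself: the string no longer names the same file when PHP uses the path directly, and it will be quoted a second time if escapeshellarg() is applied to the whole path where the shell command is built. Suggest validating $input_viewdetail and $input_viewtype against the fixed set of values the form offers before they reach this line, leaving line 761 as plain concatenation, and calling escapeshellarg() once on the complete $plog_file_current at the point it is interpolated into the command.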