Bug #8153: Post-auth RCE in cert_get_publickey() from certs.inc, used in system_camanager.php and system_certmanager.php - pfSense - pfSense bugtracker

Actions

Copy link

Bug #8153

closed

Post-auth RCE in cert_get_publickey() from certs.inc, used in system_camanager.php and system_certmanager.php

Added by Jim Pingle almost 7 years ago. Updated almost 7 years ago.

Status:

Resolved

Priority:

Urgent

Assignee:

Jim Pingle

Category:

Certificates

Target version:

2.4.2-p1

Start date:

12/01/2017

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

All

Affected Architecture:

Description

cert_get_publickey() in source:src/etc/inc/certs.inc takes user input and uses it in a shell command without encoding, allowing a user to pass malicious input through system_camanager.php and system_certmanager.php during the import process via the cert and key fields.

This requires that the user be logged in and have access to system_camanager.php or system_certmanager.php

Affects 2.3.x in cert_get_modulus() which uses a similar operation, but only happens in system_certmanager.php when editing an existing CSR.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #8153

Post-auth RCE in cert_get_publickey() from certs.inc, used in system_camanager.php and system_certmanager.php

Updated by Jim Pingle almost 7 years ago

Updated by Jim Pingle almost 7 years ago

Updated by Jim Pingle almost 7 years ago

Updated by Jim Pingle almost 7 years ago