标题: pfSense <= 2.0.1 XSS & CSRF during IPSec XAuth authentication  

作者： Dimitris Strevinas  

官网 www.pfsense.org  

影响版本: <= 2.0.1  

类型: Semi-Persistent XSS & CSRF  

测试平台 FreeBSD  

 

 

 pfSense UTM distribution 介绍

 

  pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. pfSense is a popular project with more than 1 million downloads since its inception, and proven in countless installations ranging from small home networks protecting a PC and an Xbox to large corporations, universities and other organizations protecting thousands of network devices.   

 

 This project started in 2004 as a fork of the m0n0wall project, but focused towards full PC installations rather than the embedded hardware focus of m0n0wall. pfSense also offers an embedded image for Compact Flash based installations, however it is not our primary focus.   

 

 [source: www.pfsense.org]  

 

 The IPSec VPN functionality on pfSense is implemented using the Racoon vpn concentrator software.  

 

   缺陷摘要：

 

 pfSense versions 2.0.1 and prior are vulnerable to semi-persistent XSS and CSRF attack vectors, exploited by sending Javascript/HTML code as a username during the XAuth user authentication phase.   

 

 XAUTH provides extended authentication for IPSec telecommuters by using authentication schemes such as RADIUS or internal user databases. [source: www.ciscopress.org]  

 

 The vulnarability lies in diag_logs_ipsec.php which does not properly escape HTML characters in the Racoon log files.  

 

 It is assumed that the attacker has successfully completed IPSEC Phase 1 and Phase 2 based on one of the following schemes:  

 

    . Mutual RSA  

 

    . Mutual PSK  

 

    . Hybrid RSA  

 

 It should also be noted that newer pfSense version use CSRF-magic on the majority of Web GUI forms, thus the CSRF exploitation likelihood is minimized at least in the standard installation.  

 

   

 

   

 

利用补丁

 1) Perform the Phase 1 and Phase 2 using a VPN Client and known credentials/certificates  

 

 2) During the XAuth provide a username like "><script>alert("XSS")</script> and a random password  

 

 3) The reflection of the XSS/CSRF is in the logs under Status > System Logs > IPSec  

 

 The XSS "time-to-live" depends on the Racoon logging verbosity, max number of log lines and vpn activity. Nevertheless, it can be resubmitted to be shown again on top.  

 

   解决方案：

 

 Patch available by vendor, streamlined to 2.1  

 

 URL: http://redmine.pfsense.org/projects/pfsense-tools/repository/revisions/0675bde3039a94ee2cadc360875095b797af018f