In this article we'll present the CVE-2014-4689 vulnerability existing in pfSense version <= 2.1.3. In later versions of pfSense, the vulnerabilities have been successfully remediated and are no longer present. You should also read the previous articles about PfSense vulnerabilities at the following locations:

LFI vulnerability allows including XML files

If we click on the "UPnP & NAT-PMP" in menu, the following request is sent to the server, where the GET parameter xml contains the XML to be read and presented to the user. The second part of the URL incorrectly uses the id GET parameter, which should be written as such. "/pkg_edit.php?xml=miniupnpd.xml&id=0". Since the & is converted to amp the GET parameter actually taken into account is actually ampid instead of just id.

Figure 1: A request containing vulnerable xml GET parameter

GET parameter xml is vulnerable, because we can include any XML into the process flow. The vulnerable code is contained in the /usr/local/www/pkg_edit.php, which contains the following.

$xml = htmlspecialchars($_GET['xml']); if($_POST['xml']) $xml = htmlspecialchars($_POST['xml']); if($xml == "") { print_info_box_np(gettext("ERROR: No package defined.")); die; } else { $pkg = parse_xml_config_pkg("/usr/local/pkg/" . $xml, packagegui"); }

Note that the code first converts the special characters into HTML entities: &, ", "'", < and > into amp, quot, #039, lt and gt. Then the code checks whether the GET/POST parameter xml is empty and prints the error message if it is. Otherwise, it concatenates the /usr/local/pkg/ string with the inputted xml parameter, which is vulnerable to path traversal. We copied the miniupnpd.xml from /usr/local/pkg/ directory into file aaa.xml into /usr/local/openssl/ directory with the following command.

# cp /usr/local/pkg/miniupnpd.xml /usr/local/openssl/aaa.xml

Then we requested the aaa.xml file by passing the "../openssl/aaa.xml" in the value of GET parameter xml. The whole request can be seen below.

Figure 2: A request accessing aaa.xml

The response on the request is shown below, where it's clearly presented that we were able to access the aaa.xml without any problems.

Figure 3: Accessed aaa.xml

Arbitrary XML file can be read from the filesystem. In order to fix the issue, the code pkg_edit.php script needs to check whether a directory traversal is in place and block it. If directory traversal should be allowed, because XMLs are located throughout the filesystem, a whilelist approach needs to be implemented, so only XMLs from predefined trusted locations can be read.