标题: pfSense <= 2.0.1 XSS & CSRF during IPSec XAuth authentication
作者: Dimitris Strevinas
官网 HdhCmsTestpfsense.org
影响版本: <= 2.0.1
类型: Semi-Persistent XSS & CSRF
测试平台 FreeBSD
pfSense UTM distribution 介绍
pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. pfSense is a popular project with more than 1 million downloads since its inception, and proven in countless installations ranging from small home networks protecting a PC and an Xbox to large corporations, universities and other organizations protecting thousands of network devices.
This project started in 2004 as a fork of the m0n0wall project, but focused towards full PC installations rather than the embedded hardware focus of m0n0wall. pfSense also offers an embedded image for Compact Flash based installations, however it is not our primary focus.
[source: HdhCmsTestpfsense.org]
The IPSec VPN functionality on pfSense is implemented using the Racoon vpn concentrator software.
缺陷摘要:
pfSense versions 2.0.1 and prior are vulnerable to semi-persistent XSS and CSRF attack vectors, exploited by sending Java script/HTML code as a username during the XAuth user authentication phase.
XAUTH provides extended authentication for IPSec telecommuters by using authentication schemes such as RADIUS or internal user databases. [source: HdhCmsTestciscopress.org]
The vulnarability lies in diag_logs_ipsec.php which does not properly escape HTML characters in the Racoon log files.
It is assumed that the attacker has successfully completed IPSEC Phase 1 and Phase 2 based on one of the following schemes:
. Mutual RSA
. Mutual PSK
. Hybrid RSA
It should also be noted that newer pfSense version use CSRF-magic on the majority of Web GUI forms, thus the CSRF exploitation likelihood is minimized at least in the standard installation.
利用补丁
1) Perform the Phase 1 and Phase 2 using a VPN Client and known credentials/certificates
2) During the XAuth provide a username like "><script>alert("XSS")</script> and a random password
3) The reflection of the XSS/CSRF is in the logs under Status > System Logs > IPSec
The XSS "time-to-live" depends on the Racoon logging verbosity, max number of log lines and vpn activity. Nevertheless, it can be resubmitted to be shown again on top.
解决方案:
Patch available by vendor, streamlined to 2.1
URL: http://redmine.pfsense.org/projects/pfsense-tools/repository/revisions/0675bde3039a94ee2cadc360875095b797af018f
查看更多关于PFsense UTM Platform 2.0.1 XSS - 网站安全 - 自学php的详细内容...