The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity (AC): Low
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required (PR): None
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
Scope (S): Unchanged
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality (C): Low
There is some impact on confidentiality, but the attacker either does not gain control of any data, or the information obtained does not have a significant impact on the system or its operations.
Integrity (I): Low
Modification of data is possible, but the attacker does not have control over what can be modified, or the extent of what the attacker can affect is limited. The data modified does not have a direct, serious impact on the system.
Availability (A): None
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
pfSense 2.3.1-RELEASE-p1 Squid 0.4.16_2 XSS / Log Manipulation
I. VULNERABILITY
- -------------------------
Multiple vulnerabilities in squid 0.4.16_2 running on pfSense
Version 2.3.1-RELEASE-p1
II. BACKGROUND
- -------------------------
The pfSense project is a free network firewall distribution, based on the
FreeBSD operating system, with a custom kernel and an array of third-party
free software packages that can be installed for additional functionality.
Through this package system pfSense software is able to provide most of
the functionality of common commercial firewalls, and many times more.
III. DESCRIPTION
- -------------------------
In pfSense, it is possible to configure a third-party package, Squid, to
act as a transparent HTTP proxy. This package uses clamd as an AV
solution.
If clamd detects a piece of malware in one of the proxied requests, the
request is blocked and the user is redirected to the following URL
instead:
https://10.10.10.1/squid_clwarn.php?url=http://www.eicar.org/download/eicar.com&source=10.10.10.100&user=-&virus=stream:%20Eicar-TestSignature%20FOUND
Upon inspection of the source code of the Squid package, the file
"squid_clwarn.php" appears to contain several vulnerabilities.
At the start of the file we see that various HTTP GET parameters are
loaded into local variables through the $_REQUEST superglobal:
==========================================================================
$url = $_REQUEST['url'];
$virus = ($_REQUEST['virus'] ? $_REQUEST['virus'] : $_REQUEST['malware']);
$source = preg_replace("@/-@", "", $_REQUEST['source']);
$user = $_REQUEST['user'];
==========================================================================
These variables are later rendered directly into HTML output, without any
form of escaping, thus resulting in a reflected XSS vulnerability.
Proof of Concept:
https://10.10.10.1/squid_clwarn.php?url=xyz&source=xyz&user=&virus=stream:<script>alert('xss')</script>
The information sent in this HTTP GET request is also saved to a log file:
==========================================================================
error_log(date("Y-m-d H:i:s") . " | VIRUS FOUND | " . $virus . " | " .
$url . " | " . $source . " | " . $user . "\n", 3,
"/var/log/c-icap/virus.log");
==========================================================================
An administrator who looks at the logs through the pfSense web-GUI, at
"squid-monitor.php", will be open to a stored XSS vulnerability, because
the variables are rendered directly into HTML output, without proper
escaping.
Finally, there is no authentication present in the "squid_clwarn.php"
file, resulting in possible log manipulation attacks. For example,
requesting the following URL will result in an empty log entry being
added.
Proof of Concept:
https://10.10.10.1/squid_clwarn.php?url=%0A|||||
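The two defects above (unescaped request parameters rendered into HTML, and the same raw values written as a pipe-separated log record that a newline can split into forged entries) share one remedy: escape on output and neutralise separators before logging. The following is an added example, not the pfSense project's code or its actual fix. It keeps the parameter names (url, virus, malware, source, user) and the log record layout from the advisory; the function names and the CLI self-test are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example (not the pfSense project's code): a hardened version of the
// parameter handling in squid_clwarn.php. Parameter names and the log record
// layout come from the advisory; function names and the CLI self-test are
// hypothetical.

// Neutralise characters that let a caller forge or split a log record: CR/LF
// end the one-line-per-event format and '|' is the field separator.
function sanitize_log_field(string $value, int $maxLen = 512): string
{
    $value = str_replace(["\r", "\n", "|"], ' ', $value);
    // Remove any other ASCII control characters (0x00-0x1F, 0x7F).
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value) ?? '';
    return substr($value, 0, $maxLen);
}

// Same record shape as the original: date | VIRUS FOUND | virus | url | source | user
function build_log_line(string $date, string $virus, string $url, string $source, string $user): string
{
    $fields = array_map('sanitize_log_field', [$virus, $url, $source, $user]);
    return $date . ' | VIRUS FOUND | ' . implode(' | ', $fields) . "\n";
}

// HTML-escape for interpolation into element content or quoted attributes.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Every request-controlled value passes through h() before reaching the page.
function render_warning(string $url, string $virus, string $source, string $user): string
{
    return '<p>Access to <code>' . h($url) . '</code> was blocked: ' . h($virus)
         . ' (client ' . h($source) . ', user ' . h($user) . ").</p>\n";
}

// Return a parameter as a string, treating arrays (?url[]=...) as absent.
function str_param(array $get, string $key): string
{
    $v = $get[$key] ?? '';
    return is_string($v) ? $v : '';
}

// Read from $_GET only; the original used $_REQUEST, which also honours POST
// bodies and cookies, widening the ways the values can be supplied.
function read_params(array $get): array
{
    $virus = str_param($get, 'virus');
    if ($virus === '') {
        $virus = str_param($get, 'malware');
    }
    return [
        'url'    => str_param($get, 'url'),
        'virus'  => $virus,
        'source' => preg_replace('@/-@', '', str_param($get, 'source')) ?? '',
        'user'   => str_param($get, 'user'),
    ];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input reusing the two proof-of-concept payloads from the advisory.
    $samples = [
        ['url' => 'xyz', 'source' => 'xyz', 'user' => '', 'virus' => "stream:<script>alert('xss')</script>"],
        ['url' => "\n|||||", 'source' => '10.10.10.100', 'user' => '-', 'virus' => 'stream: Eicar-TestSignature FOUND'],
    ];
    foreach ($samples as $get) {
        $p = read_params($get);
        echo render_warning($p['url'], $p['virus'], $p['source'], $p['user']);
        // The record stays a single line; in production this string would go to
        // error_log(..., 3, '/var/log/c-icap/virus.log') as in the original.
        echo build_log_line(date('Y-m-d H:i:s'), $p['virus'], $p['url'], $p['source'], $p['user']);
    }
} else {
    $p = read_params($_GET);
    header('Content-Type: text/html; charset=UTF-8');
    echo render_warning($p['url'], $p['virus'], $p['source'], $p['user']);
    error_log(build_log_line(date('Y-m-d H:i:s'), $p['virus'], $p['url'], $p['source'], $p['user']), 3, '/var/log/c-icap/virus.log');
}
```

Run with `php squid_clwarn_hardened.php` to see the first sample rendered with the script tag escaped to `&lt;script&gt;` and the second sample logged as one record whose url field is `  |||||`-free spaces rather than a line break. The escaping must happen at the point of output, not at input: the same values are later shown on "squid-monitor.php", and any page that renders the log must apply the equivalent of h() to each field it prints.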
IV. BUSINESS IMPACT
- -------------------------
An attacker can execute arbitrary JavaScript code in a targeted user's
browser, as well as in the browser of any administrator viewing the log
files through the pfSense web-GUI.
V. SYSTEMS AFFECTED
- -------------------------
Tested on:
2.3.1-RELEASE-p1 (amd64)
built on Wed May 25 14:53:06 CDT 2016
FreeBSD 10.3-RELEASE-p3
With:
squid 0.4.16_2
VI. SOLUTION
- -------------------------
Upgrade squid to version 0.4.18.
VII. REVISION HISTORY
- -------------------------
June 10, 2016: Initial release
VIII. DISCLOSURE TIMELINE
- -------------------------
June 7, 2016: Vulnerability discovered by Remco Sprooten
June 7, 2016: Contacted vendor
June 7, 2016: Vendor confirmed the vulnerability
June 7, 2016: Vendor fixed the XSS vulnerabilities
June 8, 2016: Vendor updated the fix to prevent false log entries
June 16, 2016: Vendor released a SA:
https://www.pfsense.org/security/advisories/pfSense-SA-16_06.squid.asc
June 17, 2016: Sent to lists
IX. REFERENCES
- -------------------------
Devel (pfSense 2.4 packages):
https://github.com/pfsense/FreeBSD-ports/commit/e99ba5ea416690285a4ab3e094c4b2c0fb20c735
https://github.com/pfsense/FreeBSD-ports/commit/442b7dd6b6e3ff8976f88ab1f168d365cdebe520
RELENG_2_3_1 (pfSense 2.3.1_x packages):
https://github.com/pfsense/FreeBSD-ports/commit/e2a02e3773f33d0bd9f450ffb0d9cfd7215791b8
https://github.com/pfsense/FreeBSD-ports/commit/408eb385c5696a271945226bb10c77dc2231793c
RELENG_2_3 (pfsense 2.3.2 packages):
https://github.com/pfsense/FreeBSD-ports/commit/90bcaee8d8315e4026e2afed2ea7c6fdd55ffd20
https://github.com/pfsense/FreeBSD-ports/commit/d581d14a7a88027655719c8ad3f9bed7c2f7585f
RELENG_2_3_0 (pfSense 2.3_x packages):
https://github.com/pfsense/FreeBSD-ports/commit/e82ef1c5b43ab4fd1117966d0de881655958f1f3
https://github.com/pfsense/FreeBSD-ports/commit/b301844cadcb2887c788be38eadc9b50ea5b8d52
X. LEGAL NOTICES
- -------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
XI. ABOUT
- -------------------------
Remco Sprooten
Security Consultant