PFsense UTM Platform 2.0.1 XSS


Title: pfSense <= 2.0.1 XSS & CSRF during IPSec XAuth authentication
Author: Dimitris Strevinas
Official website: www.pfsense.org
Affected versions: <= 2.0.1
Type: semi-persistent XSS & CSRF
Test platform: FreeBSD pfSense UTM distribution

Description:
pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. pfSense is a popular project with more than 1 million downloads since its inception, and proven in countless installations ranging from small home networks protecting a PC and an Xbox to large corporations, universities and other organizations protecting thousands of network devices. This project started in 2004 as a fork of the m0n0wall project, but focused towards full PC installations rather than the embedded hardware focus of m0n0wall. pfSense also offers an embedded image for Compact Flash based installations, however it is not our primary focus. [source: www.pfsense.org]

The IPSec VPN functionality on pfSense is implemented using the Racoon VPN concentrator software.

Vulnerability summary:
pfSense versions 2.0.1 and prior are vulnerable to semi-persistent XSS and CSRF attack vectors, exploited by sending JavaScript/HTML code as the username during the XAuth user authentication phase. XAuth provides extended authentication for IPSec telecommuters by using authentication schemes such as RADIUS or internal user databases. [source: www.ciscopress.org]

The vulnerability lies in diag_logs_ipsec.php, which does not properly escape HTML characters in the Racoon log files. It is assumed that the attacker has successfully completed IPSec Phase 1 and Phase 2 based on one of the following schemes:
- mutual RSA
- mutual PSK
- hybrid RSA

It should also be noted that newer pfSense versions use CSRF-Magic on the majority of Web GUI forms, thus the CSRF exploitation likelihood is minimized, at least in the standard installation.

Proof of concept:
1) Perform Phase 1 and Phase 2 using a VPN client and known credentials/certificates.
2) During XAuth, provide a username like "><script>alert("XSS")</script> and a random password.
3) The reflection of the XSS/CSRF is in the logs under Status > System Logs > IPSec.

The XSS "time-to-live" depends on the Racoon logging verbosity, the maximum number of log lines and VPN activity. Nevertheless, it can be resubmitted to be shown again on top.

Solution: Patch available by vendor, streamlined to 2.1
URL: http://redmine.pfsense.org/projects/pfsense-tools/repository/revisions/0675bde3039a94ee2cadc360875095b797af018f
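The following Python is added here and is not part of the advisory or of pfSense (whose log viewer is PHP). It models the defect described above: the same Racoon log lines rendered with and without HTML escaping, plus a defender-side check that flags XAuth usernames carrying HTML metacharacters. The sample log lines are constructed, and the "Login failed for user" wording is an assumption about Racoon's XAuth message format.

```python
import html
import re

# Constructed sample racoon log lines (not captured from a real system).
# The "Login failed/succeeded for user" wording is assumed to follow
# racoon's XAuth messages; it is not taken from the advisory.
SAMPLE_LOG = [
    'Mar  3 10:14:02 racoon: INFO: ISAKMP-SA established 203.0.113.1[500]-198.51.100.7[500]',
    'Mar  3 10:14:03 racoon: INFO: Login failed for user "alice"',
    'Mar  3 10:14:09 racoon: INFO: Login failed for user ""><script>alert("XSS")</script>"',
    'Mar  3 10:14:15 racoon: INFO: Login succeeded for user "bob"',
]

# Greedy capture: the username runs up to the closing quote at end of line,
# so embedded quotes inside a hostile username are kept in the capture.
XAUTH_RE = re.compile(r'Login (?:failed|succeeded) for user "(.*)"$')

# Characters that have no place in a legitimate XAuth username and that a
# log viewer must never write into the page unescaped.
HTML_META = re.compile(r'[<>"\'&]')


def render_rows(lines, escape):
    """Build the <td> cells a log viewer page would emit for each log line.

    escape=False mirrors the pre-fix behaviour the advisory describes (raw log
    text written into the HTML); escape=True is the hardened form, where every
    HTML metacharacter becomes an entity and the browser shows it as text.
    """
    cells = []
    for line in lines:
        text = html.escape(line, quote=True) if escape else line
        cells.append("<td>%s</td>" % text)
    return cells


def flag_xauth_usernames(lines):
    """Return (line, username) pairs whose XAuth username contains HTML
    metacharacters, suitable for raising an alert on attempts like the one
    in the advisory regardless of whether the viewer escapes output."""
    hits = []
    for line in lines:
        m = XAUTH_RE.search(line)
        if m and HTML_META.search(m.group(1)):
            hits.append((line, m.group(1)))
    return hits


if __name__ == "__main__":
    for cell in render_rows(SAMPLE_LOG, escape=True):
        print(cell)
    for _, user in flag_xauth_usernames(SAMPLE_LOG):
        print("ALERT: HTML metacharacters in XAuth username: %r" % user)
```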
