CVE-2019-16701
Published 2019-09-25
Priority P2 · 71 · High · 8.8 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Exploit: public (Packet Storm, see references)
EPSS 19.61% (97.0th percentile)
pfSense 2.3.4 through 2.4.4-p3 allows an authenticated user to achieve remote code injection via an XML-RPC methodCall document sent to /xmlrpc.php whose pfsense.exec_php call carries shell metacharacters in a parameter value.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netgate | pfsense | — | — |
| netgate | pfsense | >= 2.3.4 < 2.4.4 | 2.4.4 |
Detection & IOCs (extracted from sources)
- Monitor HTTP POST requests to /xmlrpc.php whose methodCall body names pfsense.exec_php or pfsense.exec_shell, especially when a parameter value contains shell metacharacters or PHP exec() calls.
- Alert on POSTs to /xmlrpc.php whose body contains the string exec_php or exec_shell together with a PHP exec() or eval() payload.
- Look for HTTP GET requests to newly created, randomly named .php files under the pfSense web root shortly after a POST to /xmlrpc.php; a ?cmd= query parameter indicates webshell interaction.
- Flag XML-RPC authentication attempts to /xmlrpc.php from external or untrusted addresses. The exploit needs valid credentials (admin uid=0, or a user holding the xmlrpc-ha-sync privilege) and probes with pfsense.host_firmware_version before sending the payload.
- Exploitation requires valid credentials (admin uid=0 or a user with the system-xmlrpc-ha-sync privilege); unauthenticated exploitation is not possible, so detection rules must work within authenticated sessions rather than assume an anonymous attacker.
- The dropped webshell has a 32-character random alphanumeric filename, so blocking on a static filename is ineffective; detect on the directory and the .php extension pattern instead.
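The detection points above (a POST to /xmlrpc.php naming exec_php or exec_shell with metacharacters in a parameter, a follow-up GET to a random 32-character .php with ?cmd=, and the fact that the caller must already hold credentials) combined into one worked detector over a batch of request records. This is an added example, not code from the indexed sources or from pfSense; the request records, the HA-sync peer address 192.0.2.2, the attacker address 203.0.113.7 and the webshell filename are constructed for illustration.

```python
"""Detect abuse of the pfSense XML-RPC exec_php / exec_shell methods
(CVE-2019-16701 pattern) over a batch of web-request records.

Added example, not code from the page's sources or from pfSense.  The
request records, peer address and webshell name below are constructed."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from typing import Optional

SUSPICIOUS_METHODS = {"pfsense.exec_php", "pfsense.exec_shell"}
RECON_METHOD = "pfsense.host_firmware_version"   # probed by the public exploit

# Shell metacharacters and shell-spawning PHP calls inside a parameter value.
# ';' and '$' are deliberately left out: legitimate HA-sync PHP uses them too.
SHELL_META = re.compile(
    r"[|&`]|\$\(|\b(?:exec|shell_exec|system|passthru|popen|proc_open|eval)\s*\(",
    re.I,
)
# Webshell drop described in the advisory: 32-char alphanumeric .php in the
# web root, driven through a ?cmd= parameter.
WEBSHELL_GET = re.compile(r"^/[A-Za-z0-9]{32}\.php\?cmd=")


def parse_methodcall(body: str) -> tuple[Optional[str], list[str]]:
    """Return (methodName, [text of each <param>]) or (None, []) if the body
    is not a well-formed XML-RPC methodCall."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None, []
    if root.tag != "methodCall":
        return None, []
    name = root.findtext("methodName")
    params = ["".join(p.itertext()).strip() for p in root.iter("param")]
    return name, params


def classify_request(req: dict) -> Optional[str]:
    """Label one request, or return None when nothing in it is of interest."""
    if req["method"] == "POST" and req["path"] == "/xmlrpc.php":
        name, params = parse_methodcall(req["body"])
        if name in SUSPICIOUS_METHODS:
            if any(SHELL_META.search(p) for p in params):
                return f"xmlrpc-exec-with-metachar:{name}"
            return f"xmlrpc-exec:{name}"
        if name == RECON_METHOD:
            return "xmlrpc-recon"
    if req["method"] == "GET" and WEBSHELL_GET.match(req["path"]):
        return "webshell-get"
    return None


def correlate(requests: list[dict], sync_peers: frozenset[str] = frozenset(),
              window: int = 60) -> list[str]:
    """Emit findings per source and chain an exec call to a following webshell
    GET from the same source within `window` seconds.  XML-RPC calls from the
    configured HA-sync peers are expected traffic and are not reported."""
    findings: list[str] = []
    last_exec: dict[str, int] = {}
    for r in sorted(requests, key=lambda x: x["ts"]):
        label = classify_request(r)
        if label is None:
            continue
        if label.startswith("xmlrpc-") and r["src"] in sync_peers:
            continue
        findings.append(f"{r['ts']} {r['src']} {label}")
        if label.startswith("xmlrpc-exec"):
            last_exec[r["src"]] = r["ts"]
        elif (label == "webshell-get" and r["src"] in last_exec
              and r["ts"] - last_exec[r["src"]] <= window):
            findings.append(f"{r['ts']} {r['src']} CHAIN: exec call followed by webshell access")
    return findings


XML_PROLOG = "<?xml version='1.0'?>"


def methodcall(name: str, *values: str) -> str:
    """Build an XML-RPC methodCall body (used only to construct sample input)."""
    params = "".join(f"<param><value><string>{v}</string></value></param>" for v in values)
    return f"{XML_PROLOG}<methodCall><methodName>{name}</methodName><params>{params}</params></methodCall>"


# Constructed sample traffic: recon, exec_php running a shell command, then a
# GET to a 32-character webshell, followed by an ordinary config-sync call
# from the (constructed) legitimate HA peer 192.0.2.2.
SAMPLE_REQUESTS = [
    {"ts": 100, "src": "203.0.113.7", "method": "POST", "path": "/xmlrpc.php",
     "body": methodcall(RECON_METHOD)},
    {"ts": 101, "src": "203.0.113.7", "method": "POST", "path": "/xmlrpc.php",
     "body": methodcall("pfsense.exec_php", 'exec("uname -a; id > /tmp/out");')},
    {"ts": 103, "src": "203.0.113.7", "method": "GET",
     "path": "/aB3dE6fG9hJ2kL5mN8pQ1rS4tU7vW0xY.php?cmd=id", "body": ""},
    {"ts": 200, "src": "192.0.2.2", "method": "POST", "path": "/xmlrpc.php",
     "body": methodcall("pfsense.restore_config_section", "filter")},
]

if __name__ == "__main__":
    for line in correlate(SAMPLE_REQUESTS, sync_peers=frozenset({"192.0.2.2"})):
        print(line)
```

Run as-is, the block reports the recon call, the exec_php call with a shell-spawning payload, the webshell GET, and a chained finding tying the two together. Pass the addresses of your real HA-sync peers in `sync_peers`: pfSense's own configuration sync between peers legitimately calls pfsense.exec_php, so payload matching alone produces noise, and the source of the call (a credentialed caller that is not the configured peer) is the stronger discriminator, which is the point the last two IOC items make.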
CVSS provenance
NVD · CVSS v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD · CVSS v2.0 · 9.0 HIGH (v2 has no Critical band) · AV:N/AC:L/Au:S/C:C/I:C/A:C
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/154587/pfSense-2.3.4-2.4.4-p3-Remote-Code-Injection.html
- https://github.com/pfsense/pfsense/commits/master
- https://hackernews.blog/pfsense-2-3-4-2-4-4-p3-remote-code-injection/#more