CVE-2023-27253
Published: 2023-03-17
Priority: P2, 79, high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 90.66% (99.8th percentile)
A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attackers to execute arbitrary commands via manipulating the contents of an XML file supplied to the component config.xml.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netgate | pfsense | — | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests to /diag_backup.php with multipart/form-data containing restorearea=rrddata and a conffile upload: this is the specific endpoint and parameter combination used to trigger the injection.
- Inspect uploaded XML config files (conffile field) for shell metacharacters such as single quotes and semicolons embedded in RRD filename fields, e.g. patterns like <filename>...rrd';...;</filename>.
- Detect use of ${IFS} as a space substitute in uploaded XML content, which is used to bypass bad-character filtering on the slash and quote characters.
- Alert on pfSense processes spawning unexpected child processes as root following a restore operation via diag_backup.php: the exploit executes OS commands as the 'root' user.
- Look for uploaded XML filenames matching the pattern rrddata-config-pfSense.home.arpa-<14 alphanumeric chars>.xml in web server logs, which is the filename template used by the Metasploit module.
- The vulnerability affects pfSense versions prior to 2.7.0; the Metasploit module was specifically tested on 2.6.0-RELEASE. Exploitation requires the attacker to be authenticated with the 'WebCfg - Diagnostics: Backup & Restore' privilege.
- The payload bad characters are 0x2F (forward slash '/') and 0x27 (single quote "'"), requiring encoding/substitution (e.g. ${IFS} for spaces); detection rules should account for these obfuscation techniques.
- The exploit notes IOC_IN_LOGS as a side effect, meaning evidence of exploitation should appear in pfSense web server/application logs, making log review a viable detection method.
- The exploit also produces CONFIG_CHANGES as a side effect: the restore operation modifies the running configuration, so unexpected configuration changes on pfSense appliances should be investigated.
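As an added illustration of the second and third detection points above (this is example code written for this page, not code from the Metasploit module or from pfSense), the following Python snippet walks every <filename> entry under the rrddata section of an uploaded backup and flags the markers those points describe. The sample backup, and the <rrddatafile> layout inside it, are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Bytes that have no business in an RRD file name; any of them suggests
# the value is meant to terminate the quoted name and start a new command.
SHELL_META = re.compile(r"[;'\"`$|&\n]")
# The ${IFS} space substitute the detection notes call out.
IFS_TRICK = re.compile(r"\$\{IFS\}")

def suspicious_rrd_filenames(xml_text):
    """Return (filename, reasons) for each <filename> under <rrddata> that
    carries shell metacharacters, ${IFS}, or does not look like a .rrd name.
    The search is by element name, so the exact nesting under <rrddata>
    (assumed here to be <rrddatafile>) does not matter."""
    root = ET.fromstring(xml_text)
    scope = root if root.tag == "rrddata" else root.find(".//rrddata")
    findings = []
    if scope is None:
        return findings
    for node in scope.iter("filename"):
        name = (node.text or "").strip()
        reasons = []
        if IFS_TRICK.search(name):
            reasons.append("${IFS} space substitution")
        if SHELL_META.search(name):
            reasons.append("shell metacharacters")
        if not name.endswith(".rrd"):
            reasons.append("does not end in .rrd")
        if reasons:
            findings.append((name, reasons))
    return findings

# Constructed sample backup: one benign entry and one carrying a breakout.
SAMPLE_BACKUP = """<pfsense>
  <rrddata>
    <rrddatafile>
      <filename>system-processor.rrd</filename>
      <xmldata>ZGF0YQ==</xmldata>
    </rrddatafile>
    <rrddatafile>
      <filename>wan-traffic.rrd';id${IFS}-u;'</filename>
      <xmldata>ZGF0YQ==</xmldata>
    </rrddatafile>
  </rrddata>
</pfsense>"""

if __name__ == "__main__":
    for name, reasons in suspicious_rrd_filenames(SAMPLE_BACKUP):
        print(f"{name!r}: {', '.join(reasons)}")
```

Run it against the conffile body captured by a WAF or reverse proxy before the request reaches /diag_backup.php, or against a saved upload during incident review.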
No detection rules found.
Exploit-DB
pfSense v2.7.0 - OS Command Injection
exploitdb · 2023-07-20 · CVSS 8.8
CVE-2023-27253 [HIGH] pfSense v2.7.0 - OS Command Injection
---
```ruby
# Exploit Title: pfSense v2.7.0 - OS Command Injection
# Exploit Author: Emir Polat
# CVE-ID : CVE-2023-27253
class MetasploitModule < Msf::Exploit::Remote
  # ...
  'Name' => 'pfSense Restore RRD Data Command Injection',
  'Description' => %q{
    This module exploits an authenticated command injection vulnerability in the "restore_rrddata()" function of
    pfSense prior to version 2.7.0 which allows an authenticated attacker with the "WebCfg - Diagnostics: Backup & Restore"
    privilege to execute arbitrary operating system commands as the "root" user.
    This module has been tested successfully on version 2.6.0-RELEASE.
  },
  'License' => MSF_LICENSE,
  'Author' => [
    'Emir Polat', # vulnerability discovery & metasploit module
  ],
  'References' => [
    ['CVE', '2023-27253'],
    ['URL', 'https://redmine.pfsense.org
```
Metasploit
pfSense Restore RRD Data Command Injection
metasploit
This module exploits an authenticated command injection vulnerability in the "restore_rrddata()" function of pfSense prior to version 2.7.0 which allows an authenticated attacker with the "WebCfg - Diagnostics: Backup & Restore" privilege to execute arbitrary operating system commands as the "root" user. This module has been tested successfully on version 2.6.0-RELEASE.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/173487/pfSense-Restore-RRD-Data-Command-Injection.html
- https://github.com/pfsense/pfsense/commit/ca80d18493f8f91b21933ebd6b714215ae1e5e94
- https://redmine.pfsense.org/issues/13935