Netgate Discussion Forum
    Remote Code Execution in pfSense <= 2.5.2

    • Bismarck (last edited by Bismarck)

      Source: Shielder / Reddit

      Remediation

      Upgrade pfSense CE to version 2.6.0 or pfSense Plus to version 22.01.

      or

      If you can't update to 2.6.0 at the moment, you can still apply the security fix to 2.5.2 with the Patches package.

      1. Install the Patches package via System > Package Manager > Available Packages (set Update Branch to 2.5.2!)
      2. Or via the command line: pkg add -f https://firmware.netgate.com/pkg/pfSense_plus-v21_05_1_amd64-pfSense_plus_v21_05_1/All/pfSense-pkg-System_Patches-1.2_6.txz
      3. Go to System > Patches > "+ Add New Patch"
      4. Description = 1. Fixes #12257
      5. URL/Commit ID = https://github.com/pfsense/pfsense/commit/72ea2b69cc111d4bc8ebf1ccf1e1529923c5b88a
      6. Save
      7. "+ Add New Patch"
      8. Description = 2. Fixes #12257
      9. URL/Commit ID = https://github.com/pfsense/pfsense/commit/57a737f172b7baaa6ae0f23e8aef2f93ad851054
      10. Save
      11. "+ Add New Patch"
      12. Description = 3. Fixes #12257
      13. URL/Commit ID = https://github.com/pfsense/pfsense/commit/8cd3f92f2443a6f0e4b7964a9532f761f808a0c6
      14. Save
      15. "+ Add New Patch"
      16. Description = 4. Fixes #12257
      17. URL/Commit ID = https://github.com/pfsense/pfsense/commit/cf757a8094762ede47861fc073eaba06355c6bfc
      18. Save
      19. It should look like this: https://imgur.com/a/1wsSjwV
      20. Now you can apply the patches one by one in chronological order, beginning with 1. Fixes #12257
      21. If needed you can reverse the patches the same way, beginning with 4. Fixes #12257

      Good luck.

      [screenshot: before]

      [screenshot: after]

    • Cool_Corona

        You can't do that since the 2.5.2 package repository doesn't exist anymore.

        • Bismarck @Cool_Corona (last edited by Bismarck)

          @cool_corona

          You can try:

          pkg add -f https://firmware.netgate.com/pkg/pfSense_plus-v21_05_1_amd64-pfSense_plus_v21_05_1/All/pfSense-pkg-System_Patches-1.2_6.txz

          (this is for amd64!)

          Or make your own from here

          https://github.com/pfsense/FreeBSD-ports/tree/devel/sysutils/pfSense-pkg-System_Patches

          @cool_corona said in Remote Code Execution in pfSense <= 2.5.2:

          You can't do that since the 2.5.2 package repository doesn't exist anymore.

          This

          • Cool_Corona @Bismarck

            @bismarck That worked. Thanks.

            • Cool_Corona

              Getting this error...

              /usr/bin/patch --directory=/ -t -p2 -i /var/patches/621750e928b24.patch --check --forward --ignore-whitespace

              Hmm... Looks like a unified diff to me...
              The text leading up to this was:

              |From cf757a8094762ede47861fc073eaba06355c6bfc Mon Sep 17 00:00:00 2001
              |From: jim-p
              |Date: Wed, 18 Aug 2021 16:11:11 -0400
              |Subject: [PATCH] Regex cleanup should also kill {}. Fixes #12257
              |
              |It's not used often (and less in the GUI) and can be a source of
              |problems with large numbers of repetitions even outside of grouped
              |expressions.
              |src/etc/inc/util.inc
              |1 file changed, 3 insertions(+), 2 deletions(-)
              |diff --git a/src/etc/inc/util.inc b/src/etc/inc/util.inc
              |index f419e265d5b..2f63b7298e2 100644
              |--- a/src/etc/inc/util.inc
              |+++ b/src/etc/inc/util.inc

              Patching file etc/inc/util.inc using Plan A...
              No such line 3843 in input file, ignoring
              Ignoring previously applied (or reversed) patch.
              Hunk #1 ignored at 3817.
              1 out of 1 hunks ignored while patching etc/inc/util.inc
              done

              • Bismarck @Cool_Corona

                @cool_corona

                So this is patch no. 4? It should look like here and apply as the last one!

                [screenshot: expected patch list]

                Always do a test before applying.

                • Cool_Corona @Bismarck

                  @bismarck

                  #1

                  /usr/bin/patch --directory=/ -t -p2 -i /var/patches/62174f216a692.patch --check --forward --ignore-whitespace

                  Hmm... Looks like a unified diff to me...
                  The text leading up to this was:

                  |From 72ea2b69cc111d4bc8ebf1ccf1e1529923c5b88a Mon Sep 17 00:00:00 2001
                  |From: jim-p
                  |Date: Fri, 13 Aug 2021 13:46:12 -0400
                  |Subject: [PATCH] Change route collection and output. Fixes #12257
                  |
                  |All changes are on src/usr/local/www/diag_routes.php
                  |
                  |* Change problematic use of sed for an equivalent and safer use of tail
                  | (to remove headers) and grep (to filter output).
                  |* Restrict AJAX request to POST only
                  |* Increase update period from 5 to 15 seconds
                  |* Hardcode output headers, use gettext() and fix some column names
                  | and formatting
                  |* Fix route table sorting
                  |* If the GET request has a value for "filter", pre-fill that in the form
                  |src/usr/local/www/diag_routes.php
                  |1 file changed, 33 insertions(+), 36 deletions(-)
                  |diff --git a/src/usr/local/www/diag_routes.php b/src/usr/local/www/diag_routes.php
                  |index 40eff33b43e..c0d059c6d79 100644
                  |--- a/src/usr/local/www/diag_routes.php
                  |+++ b/src/usr/local/www/diag_routes.php

                  Patching file usr/local/www/diag_routes.php using Plan A...
                  Ignoring previously applied (or reversed) patch.
                  Hunk #1 ignored at 35.
                  Hunk #2 ignored at 47.
                  Hunk #3 ignored at 101.
                  Hunk #4 ignored at 134.
                  Hunk #5 ignored at 141.
                  Hunk #6 ignored at 149.
                  Hunk #7 ignored at 166.
                  Hunk #8 ignored at 181.
                  Hunk #9 ignored at 205.
                  9 out of 9 hunks ignored while patching usr/local/www/diag_routes.php
                  done

                  #2

                  /usr/bin/patch --directory=/ -t -p2 -i /var/patches/62174f48d0b24.patch --check --forward --ignore-whitespace

                  Hmm... Looks like a unified diff to me...
                  The text leading up to this was:

                  |From 57a737f172b7baaa6ae0f23e8aef2f93ad851054 Mon Sep 17 00:00:00 2001
                  |From: jim-p
                  |Date: Mon, 16 Aug 2021 13:42:51 -0400
                  |Subject: [PATCH] More route display changes. Fixes #12257
                  |
                  |* Move escape_filter_regex() from syslog.inc to util.inc since it will
                  | be used by things other than syslog.
                  |* Add some basic regex sanity and consistency check functions
                  |* Cleanup diag_routes.php route filter before use
                  |* Ensure diag_routes.php route filter is not misinterpreted as grep command line
                  | paramters
                  |* Add warning to diag_routes.php that invalid filters will be ignored.
                  |* Ensure diag_routes.php AJAX gets CSRF protection
                  |src/etc/inc/syslog.inc
                  |src/etc/inc/util.inc
                  |src/usr/local/www/diag_routes.php
                  |3 files changed, 71 insertions(+), 10 deletions(-)
                  |diff --git a/src/etc/inc/syslog.inc b/src/etc/inc/syslog.inc
                  |index 1a9a83e4e37..2e5d0818023 100644
                  |--- a/src/etc/inc/syslog.inc
                  |+++ b/src/etc/inc/syslog.inc

                  Patching file etc/inc/syslog.inc using Plan A...
                  Ignoring previously applied (or reversed) patch.
                  Hunk #1 ignored at 26.
                  Hunk #2 ignored at 864.
                  2 out of 2 hunks ignored while patching etc/inc/syslog.inc
                  Hmm... The next patch looks like a unified diff to me...
                  The text leading up to this was:

                  |diff --git a/src/etc/inc/util.inc b/src/etc/inc/util.inc
                  |index 332b690b80e..83ad1dc6336 100644
                  |--- a/src/etc/inc/util.inc
                  |+++ b/src/etc/inc/util.inc
                  Patching file etc/inc/util.inc using Plan A...
                  Hunk #1 succeeded at 3779 with fuzz 1 (offset -2 lines).
                  Hmm... The next patch looks like a unified diff to me...
                  The text leading up to this was:

                  |diff --git a/src/usr/local/www/diag_routes.php b/src/usr/local/www/diag_routes.php
                  |index c0d059c6d79..409343046c2 100644
                  |--- a/src/usr/local/www/diag_routes.php
                  |+++ b/src/usr/local/www/diag_routes.php
                  Patching file usr/local/www/diag_routes.php using Plan A...
                  Ignoring previously applied (or reversed) patch.
                  Hunk #1 ignored at 32.
                  Hunk #2 ignored at 53.
                  Hunk #3 ignored at 70.
                  Hunk #4 ignored at 106.
                  4 out of 4 hunks ignored while patching usr/local/www/diag_routes.php
                  done

                  #3

                  /usr/bin/patch --directory=/ -t -p2 -i /var/patches/62174f8677d3e.patch --check --forward --ignore-whitespace

                  Hmm... Looks like a unified diff to me...
                  The text leading up to this was:

                  |From 8cd3f92f2443a6f0e4b7964a9532f761f808a0c6 Mon Sep 17 00:00:00 2001
                  |From: jim-p
                  |Date: Tue, 17 Aug 2021 09:09:45 -0400
                  |Subject: [PATCH] Regex cleanup change. Fixes #12257
                  |
                  |Rather than attempting to cleanup group repetition, just discard the
                  |unwanted pattern.
                  |src/etc/inc/util.inc
                  |1 file changed, 7 insertions(+), 11 deletions(-)
                  |diff --git a/src/etc/inc/util.inc b/src/etc/inc/util.inc
                  |index 8571399928c..f419e265d5b 100644
                  |--- a/src/etc/inc/util.inc
                  |+++ b/src/etc/inc/util.inc

                  Patching file etc/inc/util.inc using Plan A...
                  No such line 3837 in input file, ignoring
                  Hunk #1 failed at 3838.
                  1 out of 1 hunks failed while patching etc/inc/util.inc
                  done

                  #4

                  /usr/bin/patch --directory=/ -t -p2 -i /var/patches/62174f9b62b9c.patch --check --forward --ignore-whitespace

                  Hmm... Looks like a unified diff to me...
                  The text leading up to this was:

                  |From cf757a8094762ede47861fc073eaba06355c6bfc Mon Sep 17 00:00:00 2001
                  |From: jim-p
                  |Date: Wed, 18 Aug 2021 16:11:11 -0400
                  |Subject: [PATCH] Regex cleanup should also kill {}. Fixes #12257
                  |
                  |It's not used often (and less in the GUI) and can be a source of
                  |problems with large numbers of repetitions even outside of grouped
                  |expressions.
                  |src/etc/inc/util.inc
                  |1 file changed, 3 insertions(+), 2 deletions(-)
                  |diff --git a/src/etc/inc/util.inc b/src/etc/inc/util.inc
                  |index f419e265d5b..2f63b7298e2 100644
                  |--- a/src/etc/inc/util.inc
                  |+++ b/src/etc/inc/util.inc

                  Patching file etc/inc/util.inc using Plan A...
                  No such line 3843 in input file, ignoring
                  Ignoring previously applied (or reversed) patch.
                  Hunk #1 ignored at 3817.
                  1 out of 1 hunks ignored while patching etc/inc/util.inc
                  done

                  • Bismarck @Cool_Corona (last edited by Bismarck)

                    @cool_corona

                    Can you please post a screenshot with a list of all patches like the one I posted above, thanks.

                    [screenshot: example patch list]

                    • Cool_Corona @Bismarck

                      @bismarck

                      [screenshot: patch list]

                      • Bismarck @Cool_Corona

                        @cool_corona

                        That looks okay to me, you have successfully patched it. 😊 👍

                        • Cool_Corona @Bismarck

                          @bismarck

                          #1

                          [screenshot: patch #1]

                          All others look the same

                          #4

                          [screenshot: patch #4]

                          • Bismarck @Cool_Corona (last edited by Bismarck)

                            @cool_corona

                            All good, you can't patch it anymore because it is already patched; you can only revert it from there.

                            [screenshot]
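Bismarck's point above (an "ignored" result means the patch is already in place) and the four-commit list from the first post, as an added example that is not the thread's or the System Patches package's own code: a POSIX sh script that runs the package's test command for the #12257 commits in the given order and reduces each result to one status word. It assumes it runs on the pfSense box itself, that FreeBSD's fetch is available, and that GitHub serves a commit as a patch when .patch is appended to its URL; the function names are made up here.

```sh
#!/bin/sh
# Added example, not code from the thread or from the System Patches package.
# It reads the output of the package's own test command, quoted in the thread as
#   /usr/bin/patch --directory=/ -t -p2 -i /var/patches/ID.patch --check --forward --ignore-whitespace
# and reduces it to one status word, so that "Ignoring previously applied (or
# reversed) patch" is read as "already applied" rather than as an error.

# Count lines of $1 matching pattern $2. grep -c exits 1 on zero matches, which
# would abort a `set -e` script, so that exit status is swallowed.
count_lines() {
    printf '%s\n' "$1" | grep -c -e "$2" || true
}

# Classify captured `patch --check --forward` output. Prints one of:
#   clean            nothing ignored or failed: the patch is not installed yet
#   already-applied  every hunk was skipped as previously applied (or reversed)
#   partial          some hunks skipped, some would still apply: inspect by hand
#   failed           at least one hunk applies neither forward nor reversed
#   unknown          no "Patching file" line at all (wrong -p level, bad download)
classify_patch_check() {
    out=$1
    touched=$(count_lines "$out" '^Patching file ')
    failed=$(count_lines "$out" 'hunks failed while patching')
    ignored=$(count_lines "$out" 'hunks ignored while patching')
    applied=$(count_lines "$out" '^Hunk #[0-9]* succeeded')
    if [ "$touched" -eq 0 ]; then
        echo unknown
    elif [ "$failed" -gt 0 ]; then
        echo failed
    elif [ "$ignored" -gt 0 ] && [ "$applied" -gt 0 ]; then
        echo partial
    elif [ "$ignored" -gt 0 ]; then
        echo already-applied
    else
        echo clean
    fi
}

# Run the same test the GUI runs for one patch file and classify the result.
# Assumes it runs on the pfSense box itself; it never applies anything.
test_patch_file() {
    out=$(/usr/bin/patch --directory=/ -t -p2 -i "$1" --check --forward --ignore-whitespace 2>&1 || true)
    classify_patch_check "$out"
}
# The four "Fixes #12257" commits from the first post, in the order they must be applied.
COMMITS='72ea2b69cc111d4bc8ebf1ccf1e1529923c5b88a
57a737f172b7baaa6ae0f23e8aef2f93ad851054
8cd3f92f2443a6f0e4b7964a9532f761f808a0c6
cf757a8094762ede47861fc073eaba06355c6bfc'

# Fetch each commit as a patch (assumption: GitHub serves one when ".patch" is
# appended to the commit URL; fetch is FreeBSD's downloader) and test it in order.
check_all_12257() {
    for c in $COMMITS; do
        f="/var/patches/$c.patch"
        [ -f "$f" ] || fetch -q -o "$f" "https://github.com/pfsense/pfsense/commit/$c.patch"
        printf '%s %s\n' "$c" "$(test_patch_file "$f")"
    done
}
```

Run check_all_12257 before adding the patches in the GUI: "clean" means that commit still needs applying, "already-applied" means it is in place and only a revert is possible, and "failed" means the commit's context does not match the installed files.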

                            • bingo600 @Cool_Corona

                              @cool_corona said in Remote Code Execution in pfSense <= 2.5.2:

                              You can't do that since the 2.5.2 package repository doesn't exist anymore.

                              I just installed System_patches on a 2.5.2 machine

                              It was pointing at 2.5.2 deprecated (by me), as soon as they released 2.6.0.

                              [screenshots]


                              • jimp (Rebel Alliance Developer, Netgate)

                                A few notes:

                                1. As has been pointed out, you can (and should) install the package using the GUI by setting the update branch to the "Previous stable version" branch for 2.5.2 or 21.05.2. Do not do it at the CLI with a direct repo URL.
                                2. The advisory exaggerates things a bit. There is nothing "pre-authentication" about this. An admin must already be logged in for it to happen; if it's triggered via CSRF or similar, it must be in the same browser session where the admin is already logged in. tl;dr: don't browse the web from the same session you admin your firewall.
                                3. All of the relevant commits and so on are also published in advisories from Netgate at https://docs.netgate.com/advisories/index.html; this one is pfSense-SA-22_02.webgui
                                4. If you are concerned about this, you should also patch the others fixed in 22.01/2.6.0:
                                  • pfSense-SA-22_01.webgui
                                  • pfSense-SA-22_03.webgui
                                  • pfSense-SA-22_04.webgui

                                Each advisory has a list of relevant commit IDs.


                                • bPsdTZpW @jimp (last edited by bPsdTZpW)

                                  1. ...tl;dr don't browse the web from the same session you admin your firewall.

                                  And also: run the browser for administering pfSense under a different OS account than the one you use for browsing, and add an OS firewall rule to prevent inadvertent general browsing from the pfSense browser.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.