CVE-2017-1000479

HIGH

pfSense < 2.4.2 - Clickjacking via CSRF Error Page

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-1000479. Includes Metasploit module exploits/unix/http/pfsense_clickjacking.

AI-analyzed exploit summary This Metasploit module exploits a clickjacking vulnerability in pfSense <= 2.4.1 by tricking an authenticated admin into executing arbitrary PHP code via the WebGUI, leading to full system compromise. It uses a crafted HTML page with hidden iframes and JavaScript to submit malicious commands to the pfSense diagnostic command interface.

Description

pfSense versions 2.4.1 and lower are vulnerable to clickjacking attacks in the CSRF error page resulting in privileged execution of arbitrary code, because the error detection occurs before an X-Frame-Options header is set. This is fixed in 2.4.2-RELEASE. OPNsense, a 2015 fork of pfSense, was not vulnerable since version 16.1.16 released on June 06, 2016. The unprotected web form was removed from the code during an internal security audit under "possibly insecure" suspicions.

Exploits (1)

metasploit WORKING POC NORMAL

rubypocphp

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/http/pfsense_clickjacking.rb

View Code ZIP pw:eip

This Metasploit module exploits a clickjacking vulnerability in pfSense <= 2.4.1 by tricking an authenticated admin into executing arbitrary PHP code via the WebGUI, leading to full system compromise. It uses a crafted HTML page with hidden iframes and JavaScript to submit malicious commands to the pfSense diagnostic command interface.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: pfSense <= 2.4.1

Auth required

Prerequisites: Authenticated admin session in pfSense WebGUI · Victim interaction with malicious webpage

MITRE ATT&CK