Recently we performed a non-profit penetration test of OPNsense - an open source, FreeBSD based firewall and routing platform with ~51.47K active instances according to censys.io. The assessment was focused on web GUI and API as well as some parts of the system backend. Work has been carried out in a period from June 12 to June 26, 2023. In total, around 120 hours were committed to the project.
During the test we managed to find many interesting and varied vulnerabilities, e.g., Cross-Site Scripting, Cross-Site Request Forgery, Open Redirect, Insecure Permissions, OS Command Injection and Zip-Slip which eventually leads to root shell. You can find all of them in the Full PDF Report which is also a great example of what our commercial clients receive.
We would like to show you three scenarios of how vulnerabilities that we found could be chained together to perform attacks on the OPNsense instance.
Scenario 1 - Reflected XSS leads to root RCE via Zip-Slip
In this scenario we used Reflected Cross-Site Scripting vulnerability (LT-0017) to deliver our payload to the administrator.
Sending GET request to https://opnsense/ui/cron/item/open/0'+alert(window.origin)+' would result in the following response:
After an administrator clicks on our link, we need to send six requests from their browser. First two requests create new Captive Portal template, another three enable Captive Portal with the selected template, and the last one spawns netcat reverse shell with our brand-new luta.php webshell.
Above script can be base64 encoded and put inside the URL:
What’s interesting is that the application accepts templates in ZIP format, and then it extracts all of their contents to the template directory. However, the way in which the application extracts the files makes it vulnerable to the Zip-Slip attack (LT-0014):
By using ../ sequences it is possible to extract files to other directories. This allows us to extract PHP file to the web root - /usr/local/www.
Our ZIP archive looks like this, where luta.php is a simple PHP web shell:
Since the PHP process is being ran as a root user, the shell is granted root privileges as well.
Proof of Concept Video:
Scenario 2 - Reflected XSS -> OS Command Injection -> root password retrieval via config.xml insecure permissions
In the second scenario the payload is also delivered through Reflected XSS, but this time the vulnerability is introduced in Certificates tab (LT-0002). Sending request to https://opnsense/system_certmanager.php?act=%22%3E%3Csvg/onload=alert(window.origin)%3E&id=0 results in the following response body:
We want to send request to /api/cron/settings/addJob/ in order to add new cron job. The application allows only specific commands to be executed via cron, however, by including single quotes (') and newline character (\n) in the command parameters, we can define completely separate cron job and execute any command as nobody user (LT-0016).
…and turned into an URL:
After the administrator opens the link, we can see our command added to the crontab:
In the above payload we are adding next vulnerability to the chain - even though we only have privileges of user nobody, insecure permissions (LT-0003) grant us read access to the configuration file:
Soon config.xml is sent to our listener:
Congratulations, it’s a bcrypt hash of a root password!
Finally, we feed it to hashcat:
Scenario 3 - CSRF that halts the firewall
This one is quite straightforward. Administrator visits our website, from which we redirect them to https://opnsense/api/core/system/halt, to turn off the instance.
Normally, this request is made using POST method and requires CSRF token, but during the test it turned out that the app accepts GET request as well, and in such case doesn’t require CSRF token.
As a result, the OPNsense instance turns off.
Proof of Concept Video:
We reported found vulnerabilities to OPNsense maintainers and we really want to thank them for a great response. They handled the whole process very professionally, quickly prepared effective patches for many vulnerabilities and included them in the newest releases - OPNsense 23.7 “Restless Roadrunner” as well as business edition 23.4.2. Also, they provided us with reasoning behind decision not to patch some of them right now.
We are very happy about the outcome of the tests and can’t wait to start another project like this soon. Stay tuned!
According to art. 13 of the General Regulation on the Protection of Personal Data of 27 April 2016 (Official Journal EU L 119 of 04.05.2016) I inform that:
Data Administrator: The administrator of your personal data is Logicaltrust sp. z o.o. sp. k., with its registered office at ul. Aleksandra Brücknera, 25-43, 51-411 Wrocław, Tax Identification Number (NIP): 8952177980, National Business Registry Number (REGON): 369271084, National Court Register Number (KRS): 0000713515.
Contact with the Data Administrator: You can contact the data administrator via email at: firstname.lastname@example.org or by traditional mail by sending a letter to the administrator's registered office address.
Purpose and Legal Basis for Processing Personal Data: Your personal data will be processed by the data administrator for the purpose of responding to your inquiries, executing requested contact, taking actions prior to entering into a contract, performing the contract, establishing business relationships, presenting offers upon potential client's request (based on Art. 6(1)(a), (b), and (f) of the General Data Protection Regulation).
Data Processing Period: Your personal data will be processed for the time necessary to clarify your matter and provide a comprehensive response. They will also be processed for the duration of cooperation and the contract (in this case, the data is processed as client data). In the event of non-cooperation, the data will be promptly deleted unless there is a need for further retention for the purpose of defense and protection against claims. In cases where the processing of personal data is based on voluntarily given consent according to Art. 6(1)(a) of the General Data Protection Regulation, you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal, in accordance with the applicable law.
Scope of Processed Data: The scope of processed data includes: first name, last name, email, and phone number.
Recipients of Personal Data: In specific situations, your personal data may be disclosed, for example, to fulfill a legal obligation or to exercise legally justified interests pursued by the data administrator or by a third party. The categories of recipients to whom the data administrator may disclose your personal data are entities or authorities authorized by law and service providers processing personal data on behalf of the data administrator based on data processing agreements (e.g., hosting company).
Data Transfers: Your personal data will not be transferred outside the European Economic Area.
Rights and Entitlements: You have the right to request access to your personal data, their correction, deletion, or processing limitations, as well as the right to object to data processing. You also have the right to file a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw) if you believe that the processing of personal data violates data protection regulations.
Additional Information: Providing data is voluntary, but failure to provide data necessary for correspondence may hinder the execution and maintenance of contact.
1. About cookies - Cookies are small data files, especially text files, which are stored by a server on your computer. With these files, your device will be recognized and, in consequence, the way a given website is presented will be adjusted to your personal preferences. Cookies usually contain the name of the website from which they originate, information on how long they have been stored on the device and a unique number.
2. Which type of cookies do we use - Session cookies – temporary files which are stored on your device until you log out from a given website or close the Internet browser. Persistent cookies – permanent files that remain on your device for a fixed period (specified in the parameters of the file) or until they are deleted manually. Third-party cookies – files that adjust the way a given website is presented to your personal preferences.