module
Clickjacking Vulnerability In CSRF Error Page pfSense
| Disclosed | Created |
|---|---|
| 11/21/2017 | 06/14/2018 |
Disclosed
11/21/2017
Created
06/14/2018
Description
This module exploits a Clickjacking vulnerability in pfSense
pfSense is a free and open source firewall and router. It was found that the
pfSense WebGUI is vulnerable to Clickjacking. By tricking an authenticated admin
into interacting with a specially crafted webpage it is possible for an attacker
to execute arbitrary code in the WebGUI. Since the WebGUI runs as the root user,
this will result in a full compromise of the pfSense instance.
pfSense is a free and open source firewall and router. It was found that the
pfSense WebGUI is vulnerable to Clickjacking. By tricking an authenticated admin
into interacting with a specially crafted webpage it is possible for an attacker
to execute arbitrary code in the WebGUI. Since the WebGUI runs as the root user,
this will result in a full compromise of the pfSense instance.
Author
Yorick Koster
Platform
PHP
Architectures
php
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use exploit/unix/http/pfsense_clickjacking
msf /(g) > show actions
...actions...
msf /(g) > set ACTION < action-name >
msf /(g) > show options
...show and set options...
msf /(g) > run
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.