pfSense: pfSense-SA-17_10.webgui: Arbitrary Code Execution

On pfSense 2.4.x, a command-injection vulnerability exists in
system_camanager.php and system_certmanager.php via cert_get_publickey() from
certs.inc due to its passing user certificate and key input through a shell
command pipe This allows an authenticated WebGUI user with privileges for either
of the affected pages to execute commands in the context of the root user.

A similar issue exists on pfSense 2.3.x in the cert_get_modulus() function from
certs.inc, but it is only used on system_certmanager.php.

A user on version 2.4.2, 2.3.5 or earlier of the pfSense software, granted
limited access to the pfSense software WebGUI including access to
system_camanager.php (2.4.x) or system_certmanager.php (2.3.x, 2.4.x), could
leverage these vulnerabilities to gain increased privileges, read arbitrary
files, execute commands, or perform other alterations.

This is not relevant for admin-level users as there are other deliberate means
by which an administrator could run commands.