A potential authenticated arbitrary command execution vulnerability was found in packet_capture.php, a component of the pfSense Plus and pfSense CE software GUI. When performing a packet capture on packet_capture.php, the submitted POST "count" or "length" values are not validated. Subsequently, the submitted values are used in shell commands. This problem is present on pfSense Plus version 23.05.1, pfSense CE version 2.7.0, and earlier versions of both. Due to a lack of escaping on commands in the functions being called, it is possible to execute arbitrary commands with a properly formatted submission value for "count" or "length" in POST operations. The user must be logged in and have sufficient privileges to access either packet_capture.php.
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center