Name: IPFire Firewall
Vendor: IPFire
Vulnerability: Command Injection
Affected Versions: Versions before 2.21 – Core Update 124
CVE ID: CVE-2018-16232
IPFire is an open source firewall. I discovered an authenticated command injection in their firewall. The vulnerabilities reside in the backup.cgi file.
I have IPFire running at https://10.10.10.25:444 in VirtualBox. This is a partial view of the backup.cgi page.
The “ADDON” parameter is vulnerable to command injection. I injected a bash reverse shell and received a connection back to my listener.
The “FILE” parameter is vulnerable to command injection. I piped the output of the “pwd” command to curl which pointed to my listener. The listener captured the HTTP POST request and my command’s output.
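An allowlist check for the two parameters named above, added here as an example; it is not IPFire's code or the vendor's fix. It can serve as server-side input validation or be run over request bodies logged by a proxy or WAF. The function name, the allowlist pattern, and the sample bodies (including the `ACTION` field and the addon and file names) are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumption: legitimate ADDON / FILE values are plain names. This allowlist
# is illustrative and is not taken from IPFire's source.
SAFE_VALUE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

# The two backup.cgi parameters named in this advisory.
CHECKED_PARAMS = ("ADDON", "FILE")


def suspicious_params(form_body):
    """Return the checked parameters whose decoded values fail the allowlist.

    form_body is an application/x-www-form-urlencoded POST body. Values are
    URL-decoded before matching, so encoded metacharacters (%3B, %7C, %0A,
    ...) are judged by what the CGI script would actually receive.
    """
    fields = parse_qs(form_body)
    flagged = []
    for name in CHECKED_PARAMS:
        values = fields.get(name, [])
        # fullmatch() rejects anything outside the allowlist, including
        # embedded newlines, whitespace, quotes and shell metacharacters.
        if any(not SAFE_VALUE.fullmatch(v) for v in values):
            flagged.append(name)
    return flagged


# Constructed request bodies (not captured traffic).
SAMPLES = [
    "ACTION=backup&ADDON=samba",
    "ACTION=backup&ADDON=samba%3Bid",
    "ACTION=download&FILE=core.ipf%7Cpwd",
    "ACTION=backup&ADDON=samba%0Aid",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(body, "->", suspicious_params(body) or "ok")
```

Rejecting on an allowlist, rather than stripping known-bad characters, is what keeps the check from depending on a complete list of shell metacharacters.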
Timeline
- August 30, 2018 – Vulnerability details were sent to the vendor.
- October 15, 2018 – The vendor released a fixed version.
- December 9, 2018 – Published here.