Offensive Security and Application Security Perspectives

Vulnerability Research

Command Injection on IPFire Firewalls

Name: IPFire Firewall

Vendor: IPFire

Vulnerability: Command Injection

Affected Versions: Versions before 2.21 – Core Update 124

CVE ID: CVE-2018-16232

IPFire is an open source firewall. I discovered an authenticated command injection in their firewall. The vulnerabilities reside in the backup.cgi file.

I have IPFire running at https://10.10.10.25:444 in VirtualBox. This is a partial view of the backup.cgi page.

The “ADDON” parameter is vulnerable to command injection. I injected a bash reverse shell and received a connection back to my listener.

The “FILE” parameter is vulnerable to command injection. I piped the output of the “pwd” command to curl, which pointed to my listener. The listener captured the HTTP POST request and my command’s output.
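The bug class described for the “ADDON” and “FILE” parameters, shown next to a hardened form. This is an added example, not code from the original post or from IPFire: the allow-list patterns, the function names and the `echo` stand-in for the backup helper are assumptions, and the sample values are constructed.

```python
import re
import subprocess

# Hypothetical allow-lists; the real value formats are an assumption.
# The first character may not be "-" or ".", which blocks option
# injection and hidden or relative path names.
ALLOWED = {
    "ADDON": re.compile(r"[a-z0-9][a-z0-9_-]{0,63}"),
    "FILE": re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,127}"),
}


def is_safe(param: str, value: str) -> bool:
    """True only if the whole value matches the allow-list for that parameter."""
    pattern = ALLOWED.get(param)
    # fullmatch() also rejects a trailing newline, unlike match() with "$".
    return bool(pattern and pattern.fullmatch(value)) and ".." not in value


def run_unsafe(value: str) -> str:
    """Vulnerable pattern: request value interpolated into a shell command line."""
    # "echo" stands in for the backup helper a handler would call.
    return subprocess.run(f"echo backup {value}", shell=True,
                          capture_output=True, text=True).stdout


def run_safe(param: str, value: str) -> str:
    """Hardened pattern: validate first, then pass an argv list with no shell."""
    if not is_safe(param, value):
        raise ValueError(f"rejected {param} value: {value!r}")
    return subprocess.run(["echo", "backup", value],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample values (not taken from the page).
BENIGN = "2018-08-30.ipf"
HOSTILE = "x.ipf; echo INJECTED"

if __name__ == "__main__":
    # The shell splits the hostile value at ";" and runs a second command.
    print(run_unsafe(HOSTILE))
    # The validated value reaches the helper as one literal argument.
    print(run_safe("FILE", BENIGN))
```

Validation and the argv list are independent layers: the allow-list rejects shell metacharacters outright, and without a shell any character that did slip through would still arrive as literal argument data.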


Timeline

  • August 30, 2018 – Vulnerability details were sent to the vendor.
  • October 15, 2018 – The vendor released a fixed version.
  • December 9, 2018 – Published here.