Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

FreeNAS Command Execution Vulnerability in exec_raw.php

Vulnerability

A backdoor allowing unauthenticated command execution has been identified in FreeNAS versions 0.7.2 prior to revision 5543. The vulnerability resides in the web interface, specifically within the exec_raw.php script, which directly passes the cmd parameter to the shell without proper sanitization. This flaw enables remote attackers to execute arbitrary commands with root privileges.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected FreeNAS system, with the commands being executed as the root user.

Reproduction

The vulnerability can be reproduced by sending a request to the exec_raw.php script with a specially crafted cmd parameter. This can be done using a web browser or a tool like curl. Once the command is executed, the same technique can be used to execute a payload, such as a PHP meterpreter shell, by first uploading it as a file and then executing it through the web interface.

Remediation

Users are advised to upgrade to FreeNAS 0.7.2 revision 5543 or later.
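The following is an added defender-side example, not code from the advisory or from the FreeNAS project. It serves the Reproduction and Remediation sections above: one function flags web-server access-log requests that reach exec_raw.php with a cmd parameter, and another checks whether a build falls in the affected range. It assumes logs in Apache/lighttpd common log format and that the script may sit anywhere under the web root; the log lines are constructed samples.

```python
"""Defender-side helpers for the FreeNAS exec_raw.php issue described above.

Assumptions (not from the advisory): web access logs are in common log
format, and exec_raw.php may be reachable at any path under the web root.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Common log format: host ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def is_affected(version: str, revision: int) -> bool:
    """Affected builds per the advisory: 0.7.2 with a revision below 5543.
    Other versions are not named by the advisory and are not flagged."""
    return version == "0.7.2" and revision < 5543


def find_exec_raw_requests(log_lines):
    """Return (client, timestamp, status, cmd) for every request that reaches
    exec_raw.php with a cmd parameter. Every status code is reported: the
    script needs no authentication, so there is no failed-login signal."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a common-log-format line; skip rather than guess
        client, ts, method, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.lower().endswith("/exec_raw.php"):
            continue
        cmd = parse_qs(parts.query).get("cmd")  # parse_qs already URL-decodes
        if cmd:
            hits.append((client, ts, int(status), cmd[0]))
    return hits


# Constructed sample lines (not real traffic) so the example runs offline.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Aug/2025:16:36:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [20/Aug/2025:16:36:02 +0000] "GET /exec_raw.php?cmd=uname%20-a HTTP/1.1" 200 87',
    '198.51.100.7 - - [20/Aug/2025:16:37:10 +0000] "GET /exec_raw.php HTTP/1.1" 200 14',
    '198.51.100.7 - - [20/Aug/2025:16:37:11 +0000] "POST /EXEC_RAW.PHP?cmd=id HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for hit in find_exec_raw_requests(SAMPLE_LOG):
        print("exec_raw.php command request:", hit)
```

A request to exec_raw.php that carries no cmd parameter is not reported, so the third sample line above is deliberately left out of the results.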

Added: Aug 20, 2025, 4:36 PM
Updated: Aug 20, 2025, 4:36 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 7.5
exploitability: 9.4
remediation: 7.7
relevance: 0.4
threat: 9.0
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.