Netgate pfSense CE
cpe:2.3:a:netgate:pfsense:*:*:*:*:*:*:*
- 2.7.2
- 2.8.0
A remote code execution vulnerability has been identified in Netgate pfSense Community Edition version 2.7.2. This issue arises from the backup and restore mechanism, which improperly handles user-controlled data by unserializing it without validation or sandboxing. An authenticated administrator can exploit this vulnerability by uploading a crafted backup file containing a serialized PHP object that injects arbitrary commands through the post_reboot_commands property. These commands are executed with full root privileges, leading to unauthorized access and control over the system.
Exploitation of this vulnerability allows for authenticated remote code execution as the root user. This could result in a complete takeover of the firewall, persistent compromise, and unauthorized access to sensitive credentials and configuration data.
To reproduce this vulnerability, an authenticated administrator must upload a malicious configuration backup file that contains a serialized PHP object designed to exploit the vulnerability. Once the file is uploaded, the administrator can initiate a restore operation, which will trigger the unserialize() function to process the injected commands. The commands will then be executed as root via the mwexec() function.
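A pre-restore triage check for the condition described above, as an added example (not Netgate or pfSense code): it scans a backup file's bytes for PHP serialized object headers and for the post_reboot_commands property before anyone restores the file. The sample inputs, the example_field element and the ExampleClass name are constructed placeholders, and the entity-escaping handling is an assumption about how serialized data might be embedded in the file.

```python
import html
import re

# PHP serialize() object headers: O:<len>:"<Class>":<count>:{  (C: is the
# older Serializable form). Plain arrays and scalars (a:, s:, i:) are not flagged.
OBJECT_RE = re.compile(r'\b[OC]:(\d+):"([^"]*)":\d+:\{')
# Serialized string token, which is also how property names are written.
STRING_RE = re.compile(r's:(\d+):"([^"]*)";')
WATCHED_PROPS = {"post_reboot_commands"}  # property named in the advisory

# Constructed samples (not real pfSense backups); names are placeholders.
FLAGGED = (b'<example_field>O:12:"ExampleClass":1:{s:20:"post_reboot_commands";'
           b'a:1:{i:0;s:16:"constructed-only";}}</example_field>')
BENIGN = b'<example_field>a:1:{s:4:"name";s:3:"lan";}</example_field>'


def scan_backup(raw: bytes) -> dict:
    """Report PHP object markers found in a backup file's bytes."""
    text = raw.decode("utf-8", errors="replace")
    classes, props = set(), set()
    # Assumption: quotes may be entity-escaped inside XML, so scan both the
    # literal text and its unescaped form.
    for view in (text, html.unescape(text)):
        for m in OBJECT_RE.finditer(view):
            # The declared byte length must match, or it is not a real header.
            if int(m.group(1)) == len(m.group(2).encode()):
                classes.add(m.group(2))
        for m in STRING_RE.finditer(view):
            if int(m.group(1)) != len(m.group(2).encode()):
                continue
            # Private/protected property names carry a NUL-delimited prefix.
            name = m.group(2).rsplit("\x00", 1)[-1]
            if name in WATCHED_PROPS:
                props.add(name)
    return {
        "object_classes": sorted(classes),
        "watched_properties": sorted(props),
        "suspicious": bool(classes or props),
    }


if __name__ == "__main__":
    print(scan_backup(FLAGGED))
    print(scan_backup(BENIGN))
```

A hit means the file carries object data that unserialize() would instantiate; treat it as a reason to inspect the file by hand, not as proof of compromise.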