Netgate pfSense CE
cpe:2.3:a:netgate:pfsense:*:*:*:*:*:*:*
- 2.7.2
- 2.8.0
A remote code execution vulnerability has been identified in Netgate pfSense Community Edition version 2.8.0. This issue arises in the XMLRPC API through the method 'pfsense.exec_php', which allows authenticated users to execute arbitrary PHP code with root privileges. The vulnerability is present because the API method lacks proper validation, sandboxing, and restrictions, and is accessible by default over HTTPS with Basic Authentication. Exploitation is made easier by the widespread use of default credentials (admin:pfsense).
Exploitation of this vulnerability leads to full remote compromise with root privileges, allowing for arbitrary code execution, manipulation of firewall rules, extraction of sensitive information and configurations, and the potential deployment of backdoors.
To reproduce this vulnerability, authenticate as an administrator on a pfSense CE 2.8.0 installation. Then, send a request to the 'xmlrpc.php' endpoint using the 'pfsense.exec_php' method. Include the desired PHP code to be executed as a parameter. The code will be executed immediately with full system privileges.
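A defender-side check for the request described above, as an added example that is not part of the original advisory or of pfSense: it flags captured POSTs to 'xmlrpc.php' that call 'pfsense.exec_php' and notes when the Basic Authentication header carries the default credentials. The request dictionary layout (as exported from a TLS-terminating proxy or sensor), the function names and the sample requests are assumptions constructed for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

FLAGGED_METHOD = "pfsense.exec_php"   # method named in the advisory
DEFAULT_CREDS = "admin:pfsense"       # default credentials named in the advisory
METHOD_RE = re.compile(rb"<methodName>\s*([^<\s]+)\s*</methodName>", re.I)

def xmlrpc_method(body: bytes):
    """Return the XML-RPC methodName found in a request body, or None."""
    if b"<!DOCTYPE" not in body and b"<!ENTITY" not in body:
        try:
            name = ET.fromstring(body).findtext("methodName")
            if name:
                return name.strip()
        except ET.ParseError:
            pass
    # Malformed or DTD-bearing body: pattern-match instead of parsing it.
    m = METHOD_RE.search(body)
    return m.group(1).decode("ascii", "replace") if m else None

def basic_auth_user_pass(header):
    """Decode an 'Authorization: Basic ...' value to 'user:pass', or None."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        return base64.b64decode(header[6:].strip(), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def triage(request: dict):
    """Classify one captured request: None, 'exec_php' or 'exec_php+default-creds'."""
    if request["method"] != "POST" or not request["path"].split("?")[0].endswith("/xmlrpc.php"):
        return None
    if xmlrpc_method(request["body"]) != FLAGGED_METHOD:
        return None
    creds = basic_auth_user_pass(request["headers"].get("Authorization"))
    return "exec_php+default-creds" if creds == DEFAULT_CREDS else "exec_php"

def sample_requests():
    """Constructed requests (not real traffic); the call parameter is a placeholder."""
    body = lambda m: (f"<?xml version='1.0'?><methodCall><methodName>{m}</methodName>"
                      "<params><param><value><string>PLACEHOLDER</string></value></param>"
                      "</params></methodCall>").encode()
    auth = lambda up: {"Authorization": "Basic " + base64.b64encode(up.encode()).decode()}
    return [
        {"method": "POST", "path": "/xmlrpc.php", "headers": auth("admin:pfsense"), "body": body("pfsense.exec_php")},
        {"method": "POST", "path": "/xmlrpc.php", "headers": auth("syncuser:constructed-pass"), "body": body("pfsense.exec_php")},
        {"method": "POST", "path": "/xmlrpc.php", "headers": auth("admin:pfsense"), "body": body("example.other_method")},
        {"method": "GET", "path": "/index.php", "headers": {}, "body": b""},
    ]
```

Running `triage` over `sample_requests()` flags the first two requests and ignores the others; any hit that is not an expected configuration-sync peer is worth investigating.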