So I'm hanging out with Xavier right now because we were trying to do a proof of concept on an alleged exploit that may or may not be real. But before then, his video... you'll know it's alleged, as we like to say. There was a CVE issue, CVE-2019-16701, over on Exploit Database, not fully issued because it's not been verified yet. And as part of the whole process, first we think we have a flaw we find in a product, and then we have to explore: does that flaw actually exist? And then what is the mitigation for that? So we're at the exploratory part, and we're gonna do a little exploring here and talk about whether or not we're gonna be able to do some code injection on pfSense. It's a pretty serious thing. What do you think? I mean, we're talking about code injection. So, wow, we're talking about remote code injection. So we're talking about taking some of our bad code that we know does bad things and putting it into your code base. So this is pretty bad. It could be leveraged to go out and do other attacks. This could be leveraged to do some mining, this could be leveraged to steal some data off the wire, sniff some packets. So that's an interesting one. Yep. So what we're gonna do here is start digging in and figure out if it's real. So here's the CVE. We'll leave a link so you guys can test as well. And we see here's the CVE, and this is the important part when you're doing these: is there a proof of concept in here? Oh, and this is fairly new. So if you go up to the top... oh yeah, this is the 24th. So this is today. Yep. This is about 24 hours old, roughly. So this is fresh knowledge dropped today, September 24, 2019. We're dropping it right here. Interesting. So I went and pulled it up. I took and put it together, just copy and pasted this code, looked at it. It looks pretty straightforward.
It's in Python, and you specify the parameters on there, saying, all right, here's what it sends over, and I need a good username and password. Now this is where there's a little bit of confusion, because it seems to need the root password. But let's look real quick at what happened as soon as I ran the code. This is the first problem I ran into. So I ran this, and I spun up a host real quick. Let me switch over the screen. I have my lab. Here's my pfSense lab. Here I created a user for Xavier, I have a user for me, admin is disabled, kind of a default setup. But we want to, you know, go through and test this, and actually we'll go ahead and re-enable this. We tried it both ways, and you don't get to know the results until we get to the code-running part. So let me switch back over; that's now set up. But this is the first problem I ran into. So the first part is, I like to test everything under default conditions. I mean, granted, I changed a port; that's not hugely a big deal. But the way his code is set up, it does not allow for the certificate to be unverified. So that's kind of the first stumbling block, and I'm not great at Python, but Xavier knows Python, so I'm going to switch back over to Xavier now. Yeah, and actually one of the things that I noticed... actually, bring your screen back up, because there was one thing that I noticed when this guy actually broke down the code. So as part of his Exploit-DB... pull up the actual Exploit-DB page there. He, at the top, digs into exactly how he went about finding this, right? So he knows that the pfSense user with the UID zero, which in most systems zero means like root, right, like that's the first user that gets created. So then when you scroll down a little bit into his static analysis, he digs into some of those different methods that he knows can be called over this transport layer, and what he sees is... he finds the admin UID zero is allowed, or regular with the necessary permission. When I read this, I don't find the "or"; I find the "and". I see: if isset user entry UID
and user entry not equal zero and has privilege of XML-RPC HA sync, which I guess is basically what that says. Yeah, that makes sense. It's saying that they're able to go ahead and do something, right? So that's fun. So when I scrolled down and I looked a little bit more, I saw this eval and I went, oh boy, somebody put an eval in some PHP code. That is scary. And then I went to read the exploit. So I want people to realize, when you go to certain websites like Exploit-DB, when you go to download an exploit, you have to trim some things out sometimes, right? Like, that exploit doesn't really start until, you know, the hashbang sign down there next to Python. Right. Nevertheless, another thing I noticed... you could pull up your code. Well, I'll pull up my code. Go ahead, stop share. Yeah, so when I look at this code I see something very interesting: it asks for a host, it asks for a password. Now we know from looking at the research that was associated with this at the top of this file that we're assuming we're using the user ID of zero, which means that we're assuming we're using some kind of root user, and/or a user that has a permission to be able to do whatever that certain permission is that it needs to do, which I believe is an XML-RPC-specific permission that is supposed to be used for high availability. Right.
Yeah, that's what I... if I'm not mistaken, the privilege you're looking for is high availability sync, because that means that user has the privilege to write back and forth. It's also a little strange: your user, root or admin, as you're logging into the web interface, are one and the same. It's admin when it's the web interface, it's root when logging in via SSH. But at that level of privilege, if you have that password, you kind of have the keys to the kingdom. Right, so I'm thinking to myself, like, all right, I've either... I have keys to the kingdom, or I'm really, really close to having keys to the kingdom. But nevertheless, he found that if you go ahead here and make a call to the xmlrpc.php directory, you should be able to do stuff, and it looks like it just takes a password. So I'm scratching my head and I'm like, how does it know what user has what permission, right? I'm not a pfSense guru, I'm a hacker, so I don't know. I'm assuming, well, maybe it's gonna take this password and it just treats it like an API key. It's just gonna go and see... does anybody... like maybe if it has 17 users, maybe it'll do 17 auth user calls using the same password in the back end to see if one of them works. I don't know, but I found that to be a little odd. Also, what I found was the same thing that you found: the SSL certificate by default from this product requires it to be self-signed, correct? That is correct. So, you know, other than that, the non-default method was, we did add, where you see our host args are plus 555, that's just a port number change, because I don't leave pfSense at the default port whenever I set it up; part of my process is to put it at something other than 443. So we added that. But the fact that the person who wrote the CVE didn't have the bypass for self-signed, because that's also a default condition: by default HTTPS is enabled out of the box on pfSense, so it also has a self-generated, self-signed certificate. So yeah, we thought it was weird we had to add
that, because usually proof-of-concept code should be proof of concept, not a-lot-of-tweaking concept. So I'm already finding myself in tweak mode, right? So I went ahead and hard-coded in a port for the environment that I was going to be attacking, that you so graciously stood up. Thank you. And another thing you'll notice here is I added something called a context, and this context is the thing that allowed me to be able to get around that bug that you ran into, which was the SSL bug. So once I got past that, I was like, all right, cool, let's see what this thing is doing. So I'm digging in further. It goes and tries to log in, it sets that to the parameter page, it looks for this string on that page; if it has that string, it's supposed to say wrong password. If it doesn't have that string, then it assumes I've logged in. It goes ahead and makes a random GUID 32 characters long and then makes a file called that .php, where, using our password, we actually run an exec, which should then do a GET to the cmd parameter and be executed. So I'm like, all right, I understand that, that makes sense. Let's get her done. Another thing you'll notice is I had to do this twice, because there's stage one and there's also a page which then takes stage one and makes another call, so you'll need to take into account the context twice. I'm not sure you'll need this code twice; I'm pretty sure I just put it in here twice because I copy and pasted it. Anyway, so I got to the running part of it, right, which is everybody's fun. So now you have my password. Yep. All right. Oh man, right there. Nice simple password. Since we already accounted for that port number, you just have to pass in the full URI to the pfSense that you want to hack, and, you know, we've got to click enter, and bam: wrong password. So I'm like, Tom, what's up, man? You gave me the wrong password?
What do you want me to... like, I can't log in. Except when I go here and I try and log in, the password actually does work. You're gonna have to take my word for it, because Firefox has been a little slow right now, but that is my password, right? So I can assure you Xavier's password does work. Yeah, so I'm in a situation where I'm like, okay, I have a vulnerable product that you say is vulnerable, I have your proof of concept, I've accepted your concept, and now I can't prove your concept. Now, mind you, this doesn't have a CVE number that has been... I think this is a reserved number right now, right? It's a reserved number, which means it has not been vetted. And one of the things I'm going to comment: I just went ahead and changed the admin password. So we had a Xavier login because we wanted to see if it worked with just other passwords. So I also just checked and made sure the admin is turned back on and set to "PWN me" for the password to try now. Let's see what happens. Well, that's interesting that you get a wrong password again, very quickly too, huh? So like, you know, if I was to go about this to actually see what's happening, I would do a tcpdump and actually see what calls are being made, pump that into Wireshark, go ahead and follow the TCP stream and debug it. But to be honest with you, your proof of concept is supposed to work. Yeah, it doesn't work. And the other problem we have taking apart this proof of concept is, you know, we had to tweak it. Second, it needs root. That is, if I have root, why do I need a Python script?
I mean, granted, a Python script is going to make things rather convenient, I won't lie, to be able to push things from the command line. But I'm pushing it from the command line to something I already have full credentials and access to. Like, don't you already have this ability just built into pfSense? Can't I just make a template, and it's a PHP pony shell right there? Yeah, so let me jump over to log in. Like, a file explorer inside of pfSense. Why do I need to do a remote file inclusion when I already have admin access, which allows me to log in remotely to add a file? Yeah, and this is part of... pfSense has the ability to do this anyway, so it's kind of an odd thing. I kind of feel, and this is one of those things where people jump to conclusions and they see a CVE out there, even though this is unpublished; it's all those things, and we're keeping an eye out for stuff. We see stuff pop up on our radar because, you know, it's kind of interesting to look at something that hasn't maybe been fully published, or that you hear from a forum or something like that, and people will jump on it. But this is where your due diligence comes in, and basically you have a CVE, or alleged CVE, that requires... it's clearly not gonna get confirmed here. You need root access and then you can pwn something. Oh, if I have root access, I've already pwned it. So good common sense wins here. Keep your root password safe and your pfSense is safe. It doesn't matter if someone can run a command from the command line. With probably some tweaking, we actually think if we tweaked around with this we could probably dig it further. I'm sure we could make his CVE an actual CVE, but it wouldn't be a CVE still, because, by the way, it needs root access. Oh, by the way, I can steal your car if you just give me your keys. That doesn't seem like much of a threat.
No, it's really not. So Tom's gonna let me hack his Tesla. That's a much different thing than me hacking Tom's Tesla remotely. Right, or especially if I gave you the keys to it and you just drive away with it. Now you're talking about something. It suddenly doesn't become a very interesting hack. If you can do something malicious without any other knowledge other than the fact that it is a pfSense box, then it'd be very interesting. So the good news is pfSense is still safe. I still recommend keeping your web exposure to none. Like, people open up ports all the time on the WAN side. The default in pfSense, and this is the secure way to do it, is only opening LAN. And the first time you log in with admin on pfSense, the first thing it does is say you have to change this; it makes you change the password. Oh, there are no default creds, right? So this way, you know, you don't end up with some default cred that people start configuring, like a lot of other ones. I used to love... I think it's Netgear that allows you to have admin and blank as the default, and it just stayed that way forever, you know. It's taking forever for companies to kind of get better at this. Hackers are gonna want to put in a username and a password, they're gonna try and do password brute-forcing, so we just won't set a password; that way they'll never break in. Because it used to be admin. I remember that, like, a while ago when those came out, it was more difficult to hack some of those, because you will literally hack just to get around. I'm like, what am I... the password? It's not admin/password. It's not admin/admin. Admin, enter. Oh, oh. Can't forget to try that one once in a while. But like I said, here your pfSense is safe. So no, there's not a CVE on there. We just thought this video would be a fun exercise to walk through kind of the process where someone says something, some of the vetting process. And you know what, Tom?
It really is something that we just do as hackers all the time. We get on Exploit-DB and we go and we find things that are of interest to us. If we have that technology available, if we have friends with that technology, we poke at it. We see, does this really work? Is this really a thing, right? If it's really a thing, oh my god, for one, let's patch this thing, and then, like, you know, let's potentially go play in environments where we legally can, with a client. But if it's not a thing, let's make sure that we allow the community to recognize it's not a thing, so they aren't out, you know, worrying about patching something that isn't really a threat to them. Yeah, and I wanted to give this as kind of a behind-the-scenes look at how me and Xavier, or the hacking community in general, work together. You may see the news article, the release on some website, but this is the behind-the-scenes, what actually happens to do that research, to find it out. And like I said, one of the reasons we started tweaking it: we didn't just dismiss it as "proof of concept not working." It's also that sometimes those people are on to something, so it also made an interesting test environment for us to go, what if he's almost right and he just forgot a little thing, you do this, and then it actually works? That's why we kept playing with it for a while. We played with this for a while before we did the video, but we came to the conclusion that this is a nothing. I mean, the moment that you need root, me and Tom are like, man... we were dismissive of that, but we still pushed on, because we went and set up, like, different users.
Yeah, no, we spent another hour on it after that. Yeah, I know. And then we played with the concept of, because it requires a sync user, that there is an edge case where you create a user for high availability sync in certain corporate environments, where you have someone with less permissions, but it's a dummy user you create so two firewalls stay in high availability mode, because instead of using root... I have this in one of my other longer videos about high availability; you create a secondary user. So we thought, okay, that's the edge case he's testing for, is where someone used a weak password internally and you're inside the network. And so we tried to walk through the scenarios where this might come up, but the whole exercise was all for nothing. But I feel better about pfSense when we're all done. We did the whole test, we walked through the process, we had some fun, and we feel as though it's as secure now as it was before that person published this 24 hours ago. There you go. So that was it. Check out more hacking tutorials over on Xavier's channel. I'll make sure I leave a link below for all of that stuff. I'll throw a URL on the screen here for you. Like and subscribe to his channel. You guys are watching us, you've probably already liked and subscribed to mine, and we'll do more of this. If there's enough attention, we'll definitely do some more of this. And like I said, Xavier's been cranking out some content. I set up a lab and got a whole lab. Yeah, so we're building out more lab stuff, because we work together on some of these and we really want to poke at a lot more things. So we're gonna be doing that. So look for some upcoming videos. Awesome. All right.
Thanks. Take care. And thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general. Even suggestions for new videos, they're accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you. And once again, thanks for watching and see you next time.