exploit the possibilities

Fortinet FortiAuthenticator XSS / Disclosure / Bypass

Fortinet FortiAuthenticator XSS / Disclosure / Bypass
Posted Jan 29, 2015
Authored by Denis Andzakovic | Site security-assessment.com

Fortinet FortiAuthenticator suffers from subshell bypass, cross site scripting, password disclosure, and file disclosure vulnerabilities.

tags | exploit, vulnerability, xss, bypass, info disclosure
MD5 | 270d639454c304a12962e27aed9c393d

Fortinet FortiAuthenticator XSS / Disclosure / Bypass

Change Mirror Download
(    , )     (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.

presents..

Fortinet FortiAuthenticator Multiple Vulnerabilities
Affected Versions: Verified on FortiAuthenticator v300 build 0007

PDF:
http://www.security-assessment.com/files/documents/advisory/Fortinet_FortiAuthenticator_Multiple_Vulnerabilities.pdf

+-------------+
| Description |
+-------------+
This advisory details multiple vulnerabilities found within the Fortinet
FortiAuthenticator virtual appliance. The FortiAuthenticator is a user
identity management appliance, supporting two factor authentication, RADIUS,
LDAP, 802.1x Wireless Authentication, Certificate management and single sign
on.

The FortiAuthenticator appliance was found to contain a subshell bypass
vulnerability, allowing remote administrators to gain root level access via
the command line. Local file and password disclosure vulnerabilities were
discovered, as well as a Reflected Cross Site Scripting vulnerability within
the SCEP system.

+--------------+
| Exploitation |
+--------------+
--[ dbgcore_enable_shell_access Subshell Bypass

By logging into the Fortinet Authenticator and executing the ‘shell’ command,
a malicious user can gain a root /bin/bash shell on the server. However,
unless the /tmp/privexec/dbgcore_enable_shell_access file exists (the contents
of this file are irrelevant), then the command returns ‘shell: No such
command.' If the file is present, then the command succeeds and a root shell
is given.

The ‘/tmp/privexec/dbgcore_enable_shell_access’ file can be created by using
the ‘load-debug-kit’ command and specifying a network accessible tftp server
with the relevant debug kit. The debug kits were found to be generated by an
internal Fortinet tool called ‘mkprivexec’. The ‘load-debug-kit’ command
expects encrypted binaries which are subsequently executed.

An attacker that can either generate a valid debug kit or create the
appropriate file in /tmp/privexec can therefore get a root shell. This is
likely a workaround for CVE-2013-6990, however an attacker can still obtain
root level command line access with some additional steps.

--[ Local File Disclosure

A malicious user can pass the ‘-f’ flag to the ‘dig’ command and read files
from the filesystem. An example would be executing 'dig -f /etc/passwd' and
observing the dig commands output, retrieving the /etc/passwd files contents.

--[ Password Disclosure

A malicious user may use the debug logging functionality within the Fortinet
FortiAuthenticator administrative console to obtain the passwords of the
PostgreSQL database users. The disclosed passwords were found to be weak and
are static across Fortinet FortiAuthenticator appliances. The following
credentials were enumerated:

+-----------------+
|Username:Password|
+-----------------+
| slony : slony |
|www-data:www-data|
+-----------------+

--[ Reflected Cross Site Scripting

By coercing a legitimate user (usually through a social engineering attack) to
visit a specific FortiAuthenticator URL, an attacker may execute malicious
JavaScript in the context of the user’s browser. This can subsequently be used
to harm the user’s browser or hijack their session. This is due to the
‘operation’ parameter in the SCEP service being reflected to the end user
without sufficient input validation and output scrubbing. The following
URL can be used to replicate the Reflected Cross Site Scripting vulnerability:

https://<FortiAuthenticatorIP>/cert/scep/?operation=<script>alert(1)</script>

+----------+
| Solution |
+----------+
No official solution is currently available for these vulnerabilities. Email
correspondence with Fortinet suggests that the Local File Disclosure and
Password Disclosure vulnerabilities have been resolved in version 3.2. No
official documentation was found to confirm this.

+---------------------+
| Disclosure Timeline |
+---------------------+
08/10/2014 - Initial email sent to Fortinet PSIRT team.
09/10/2014 - Advisory documents sent to Fortinet.
15/10/2014 - Acknowledgement of advisories from Fortinet.
16/10/2014 - Fortinet advised the Local File and Password disclosure issues would be resolved in the 3.2 release.
31/10/2014 - Additional information sent to Fortinet RE Reflected XSS
03/11/2014 - Additional information sent to Fortinet RE Reflected XSS
02/12/2014 - Update requested from Fortinet.
13/12/2014 - Update requested from Fortinet.
29/01/2015 - Advisory Release.

+-------------------------------+
| About Security-Assessment.com |
+-------------------------------+

Security-Assessment.com is Australasia's leading team of Information Security
consultants specialising in providing high quality Information Security
services to clients throughout the Asia Pacific region. Our clients include
some of the largest globally recognised companies in areas such as finance,
telecommunications, broadcasting, legal and government. Our aim is to provide
the very best independent advice and a high level of technical expertise while
creating long and lasting professional relationships with our clients.

Security-Assessment.com is committed to security research and development,
and its team continues to identify and responsibly publish vulnerabilities
in public and private software vendor's products. Members of the
Security-Assessment.com R&D team are globally recognised through their release
of whitepapers and presentations related to new security research.

For further information on this issue or any of our service offerings,
contact us:

Web www.security-assessment.com
Email info () security-assessment com
Phone +64 4 470 1650




Login or Register to add favorites

File Archive:

October 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    16 Files
  • 2
    Oct 2nd
    1 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    24 Files
  • 5
    Oct 5th
    24 Files
  • 6
    Oct 6th
    11 Files
  • 7
    Oct 7th
    14 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    1 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    7 Files
  • 12
    Oct 12th
    15 Files
  • 13
    Oct 13th
    26 Files
  • 14
    Oct 14th
    10 Files
  • 15
    Oct 15th
    6 Files
  • 16
    Oct 16th
    2 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    14 Files
  • 19
    Oct 19th
    15 Files
  • 20
    Oct 20th
    20 Files
  • 21
    Oct 21st
    12 Files
  • 22
    Oct 22nd
    14 Files
  • 23
    Oct 23rd
    3 Files
  • 24
    Oct 24th
    1 Files
  • 25
    Oct 25th
    33 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close