what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

FortiVoice 5.0 Cross Site Scripting

FortiVoice 5.0 Cross Site Scripting
Posted Aug 9, 2016
Authored by Benjamin Kunz Mejri, Vulnerability Laboratory | Site vulnerability-lab.com

FortiVoice version 5.0 suffers from filter bypass and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | 6fba6b0a5841a1bab3c4d0bf9cbfe12235ac20c23e2a2b40363216d1dd1d5b32

FortiVoice 5.0 Cross Site Scripting

Change Mirror Download
Document Title:
===============
FortiVoice v5.0 - Filter Bypass & Persistent Validation Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1842

Fortinet PSIRT ID: 1737213

Release Notes: http://docs.fortinet.com/uploaded/files/3081/fortiVoiceenterprise-5.0.5-release%20notes.pdf


Release Date:
=============
2016-08-09


Vulnerability Laboratory ID (VL-ID):
====================================
1842


Common Vulnerability Scoring System:
====================================
3.6


Product & Service Introduction:
===============================
FortiVoice phone systems and phones deliver intelligent call handling in a simple, affordable and user-friendly package.
FortiVoice products are easy to install, easy to configure and easy to use, and come complete with everything a business needs
to handle calls professionally, control costs and stay connected everywhere.

The FortiVoice Enterprise IP-PBX voice solutions are built for offices with up to 2000 phone users. FortiVoice Enterprise
systems give you total call control and sophisticated communication features for excellent customer service and efficient
employee collaboration. Powerful, affordable and simple, FortiVoice phone systems include everything you need to handle
calls professionally, control communication costs and stay connected everywhere.

(Copy of the Homepage: http://www.fortivoice.com )


Abstract Advisory Information:
==============================
The vulnerability lab core team discovered multiple application-side web vulnerabilities in the official Fortinet FortiVoice v5.x appliance web-application.


Vulnerability Disclosure Timeline:
==================================
2016-05-11: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2016-05-12: Vendor Notification (PSIRT - Fortinet Security Team)
2016-06-26: Vendor Fix/Patch (Fortinet Developer Team)
2016-07-09: Acknowledgements (Fortiguard Security Team)
2016-08-09: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Fortinet
Product: FortiVoice - Appliance (Web-Application) 5.0 (5.x) - FVE-20E2/4, 100E, 300E-T, 500E-T2, 1000E, 1000E-


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A filter bypass and multiple persistent cross site vulnerabilities has been discovered in the FortiVoice v5.x appliance web-application.
The application-side issue allows remote attackers to inject own malicious script codes on the application-side of the affected module.

The vulnerabilities are located in the `match pattern name` input fields of the `Outbound - Outbound - Dailed Number Match` and
`Call Features - Fax - Sending Rules - Dailed Number Match` modules. Local low privileged user accounts and remote attackers are
able to inject via POST method request own malicious script codes in the vulnerable modules. The attack vector of the issue is
persistent on the application-side. The injection point are the vulnerable input fields and the execution point occurs mainly in
the same web modules context.

The validation tries to encode strings on input interaction. To bypass the validation of the fortivoice appliance web-application,
it is required to insert a split char attack via input fields. Use for example %20%20 after that the validation stops and you can execute
an own payload.

The security risk of the application-side cross site web vulnerabilities are estimated as medium with a cvss (common vulnerability
scoring system) count of 3.6. Exploitation of the persistent input validation web vulnerability requires a low privileged
web-application user account but is not limited to and low or medium user interaction. Successful exploitation of the vulnerability
results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation
of affected or connected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Outbound - Outbound
[+] Call Features - Fax - Sending Rules

Vulnerable Parameter(s):
[+] name (match pattern)

Affected Module(s):
[+] Dailed Number Match


Proof of Concept (PoC):
=======================
The persistent cross site vulnerabilities can be exploited by remote attackers and low privileged web-application user accounts
with low or medium user interaction. For security demonstration or to reproduce the web vulnerability follow the provided
information and steps below to continue.


Vulnerable Location(s):
Outbound - Outbound - Dailed Number Match [Match Pattern - Name]
Call Features - Fax - Sending Rules - Dailed Number Match [Match Pattern - Name]


PoC: Outbound - Outbound - Dail Number Match [Match Pattern - Name]
<div class="x-clear"></div></div><div style="overflow: visible;" id="ext-gen14302" class="x-grid3-scroller">
<div id="ext-gen14303" class="x-grid3-body"><div id="ext-gen17482" class="x-grid3-row x-grid3-row-selected " style="width:570px;">
<table class="x-grid3-row-table" style="width:570px;" border="0" cellpadding="0" cellspacing="0">
<tbody><tr><td id="ext-gen23162" class="x-grid3-col x-grid3-cell x-grid3-td-pattern x-grid3-cell-first "
style="width:238px;" tabindex="0"><div id="ext-gen17483" class="x-grid3-cell-inner x-grid3-col-pattern" unselectable="on"
ext:qtip=""><[MALICIOUS INJECTED SCRIPT CODE EXECUTION!] id="ext-gen17484" src="a">%20>"<iframe>%20><img></div></td>
<td class="x-grid3-col x-grid3-cell x-grid3-td-strip " style="width:43px;" tabIndex="0" ><div class="x-grid3-cell-inner
x-grid3-col-strip" unselectable="on" >-152725276</div></td><td class="x-grid3-col x-grid3-cell x-grid3-td-prefix "
style="width:43px;" tabIndex="0" ><div class="x-grid3-cell-inner x-grid3-col-prefix"
unselectable="on" >"><[MALICIOUS INJECTED SCRIPT CODE EXECUTION!]</div></td><td class="x-grid3-col x-grid3-cell
x-grid3-td-postfix x-grid3-cell-last " style="width:238px;" tabIndex="0" ><div class="x-grid3-cell-inner x-grid3-col-postfix"
unselectable="on" >"><[MALICIOUS INJECTED SCRIPT CODE EXECUTION!]</div></td></tr></tbody></table></div></iframe>
</div></td></tr></tbody></table></div></div>
<a style="left: -181px; top: 0px;" id="ext-gen14304" href="#" class="x-grid3-focus" tabindex="-1"></a></div></div>
<div id="ext-gen14306" class="x-grid3-resize-marker">&nbsp;</div><div id="ext-gen14307" class="x-grid3-resize-proxy">
&nbsp;</div></div></div></div></div></td></tr></tbody></table></div>
</div></div></td></tr></tbody></table></div></div></div></div></div></fieldset>


--- PoC Session Logs [POST] (Inject) ---
Status: 200[OK]
POST https://fortivoice.localhost:8000/module/admin.fe
Request Header:
Host[fortivoice.localhost:8000]
User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Referer[https://fortivoice.localhost:8000/admin/Admin.html]
Cookie[APSCOOKIE=Era%3D0%26Payload%3DBUDPevZ3vu6oNvnzczgUZUxDVECqaIRVjn889mdYzxdkD4%2FA45QQcLjmgW04i4Z3%0AS9YooynCQQOQN%2B
keLze0Uuzs7ouriyz3ovTUWG%2BunEkgcKq3rmUHQN8V7dCGtVt8%0AuozS%2FkWaWik%3D%0A%26AuthHash%3D%2BrcDoo1VkUf9oax9JWPQbA%3D%3D%0A]
Connection[keep-alive]
POST-Daten:
fewReq[:B:JVs5MjU6OXFmckxhaWZgdz5TcWxlV3FibXBvYndmXGBib29qZyVxZnJCYHdqbG0+MSVuaGZ6PiYxMSYwRiYwQGplcWJuZiYwRiYxNjEzJjBGJjExJjBAamVxYm5m
KHBxYCYwR2ImMEYoKCYxMSYwRiYwQGplcWJuZiYwRiYxNjEzJjBGJjExJjBAamVxYm5mKHBxYCYwR2ImMEYlYW9sYGhcYGJvb2ZxXGpnPndxdmY=]

--- PoC Session Logs [GET] (Execution) ---
Status: 200[OK]
GET https://fortivoice.localhost:8000/admin/x[PERSISTENT INJECTED SCRIPT CODE EXECUTION!]
Request Header:
Host[fortivoice.localhost:8000]
User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Referer[https://fortivoice.localhost:8000/admin/Admin.html]
Cookie[fmAdmSesCurUser=demo; APSCOOKIE=Era%3D0%26Payload%3DBUDPevZ3vu6oNvnzczgUZUxDVECqaIRVjn889mdYzxdkD4%2FA45QQcLjmgW04i4Z3%0AS9YooynCQQOQN
%2BkeLze0Uuzs7ouriyz3ovTUWG%2BunEkgcKq3rmUHQN8V7dCGtVt8%0AuozS%2FkWaWik%3D%0A%26AuthHash%3D%2BrcDoo1VkUf9oax9JWPQbA%3D%3D%0A]
Connection[keep-alive]


Reference(s):
https://fortivoice.localhost:8000/
https://fortivoice.localhost:8000/admin/
https://fortivoice.localhost:8000/module/admin.fe
https://fortivoice.localhost:8000/admin/Admin.html


Solution - Fix & Patch:
=======================
The vulnerabilities can be patched by a secure parse and encode of the vulnerable output location context in the affected modules.
Disallow the usage of special chars via restriction to prevent further script code injection attacks with application-side vector.
Encode the parameter inputs of the match pattern name in the two affected modules to finally fix the vulnerabilities.

Note: The vulnerability has been patched (FortiVoice v5.0.5 ) and the updates are available by automated download or
manual via fortinet customer center.


Security Risk:
==============
The security risk of the application-side input validation web vulnerabilities in the appliance web-application are estimated as medium. (CVSS 3.6)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri [http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific
authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to get a ask permission.

Copyright A(c) 2016 | Vulnerability Laboratory - [Evolution Security GmbH]aC/

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close