Fortinet FortiMail IBE Appliance Application Filter Bypass

2013-01-28T00:00:00
ID PACKETSTORM:119868
Type packetstorm
Reporter Benjamin Kunz Mejri
Modified 2013-01-28T00:00:00

Description

                                        
                                            `Title:  
======  
Fortinet FortiMail 400 IBE - Multiple Web Vulnerabilities  
  
  
Date:  
=====  
2013-01-23  
  
  
References:  
===========  
http://www.vulnerability-lab.com/get_content.php?id=701  
  
  
VL-ID:  
=====  
701  
  
  
Common Vulnerability Scoring System:  
====================================  
7.1  
  
  
Introduction:  
=============  
The FortiMail family of appliances is a proven, powerful messaging security platform for any size organization,   
from small businesses to carriers, service providers, and large enterprises. Purpose-built for the most demanding   
messaging systems, the FortiMail appliances utilize Fortinet’s years of experience in protecting networks against   
spam, malware, and other message-borne threats.  
  
You can prevent your messaging system from becoming a threat delivery system with FortiMail. Its inbound filtering   
engine blocks spam and malware before it can clog your network and affect users. Its outbound inspection technology prevents   
outbound spam or malware (including 3G mobile traffic) from causing other antispam gateways to blacklist your users.  
  
Three deployment modes offer maximum versatility while minimizing infrastructure changes or service disruptions:   
transparent mode for seamless integration into existing networks with no changes to your existing mail server,   
gateway mode as a proxy MTA for existing messaging gateways, or full messaging server functionality for remote locations.   
FortiMail provides Identity-Based Encryption (IBE), in addition to S/MIME and TLS, as email encryption option to enforce   
policy-based encryption for secure content delivery. Furthermore, the FortiMail customizable and predefined dictionaries   
prevent accidental or intentional loss of confidential and regulated data.  
  
(Copy of the Vendor Homepage: http://www.fortinet.com/products/fortimail/ )  
  
  
Abstract:  
=========  
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in Fortinets FortiMail IBE 400Appliance Application.  
  
  
Report-Timeline:  
================  
2012-09-16: Researcher Notification & Coordination  
2012-09-18: Vendor Notification  
2012-10-08: Vendor Response/Feedback  
2012-**-**: Vendor Fix/Patch (NO RESPONSE BY PSIRT)  
2013-01-23: Public Disclosure  
  
  
Status:  
========  
Published  
  
  
Affected Products:  
==================  
Fortinet  
Product: FortiMail Appliance Series 400 IBE  
  
  
Exploitation-Technique:  
=======================  
Remote  
  
  
Severity:  
=========  
High  
  
  
Details:  
========  
An exception-handling and input filter bypass vulnerability is detected in the Fortinets FortiMail IBE Appliance Application 200D,400C, VM2K, 2000B and 5002B.  
  
The first vulnerability is located in the parse module with the bound vulnerable exception-handling and vulnerable effect on all input fields.   
The vulnerability allows an attacker to bypass the input parse routine by an implement of 2 close tags, which results in the   
execution of the secound injected script code with a space between.   
  
The secound vulnerability is located in the import/upload certificate module with the bound vulnerable certificate name and information parameters.  
An attacker can implement own certificates with script code in the malicious name and information values. After the upload the persistent code get   
executed out of the certificate listing main module.  
  
Successful exploitation of the vulnerabilities allows to hijack admin/customer sessions, can lead to information disclosure or result in stable  
manipulation of web context (persistent & non-persistent).  
  
Vulnerable Module(s):  
[+] Invalid - Exception Handling  
  
Vulnerable Parameter(s):  
[+] ipmask  
[+] username  
[+] address  
[+] url  
  
  
Proof of Concept:  
=================  
1.1  
The exception handling and filter bypass vulnerability can be exploited by remote attackers and local low privileged user account.  
For demonstration or reproduce ...   
  
  
Module: IPAddressMask - ext-mb-text, ext-gen4185 & ext-gen7196  
INJECT: https://127.0.0.1:1338/admin/FEAdmin.html#SysInterfaceCollection  
  
<div id="ext-gen4183"><div id="ext-gen4184" class="ext-mb-icon ext-mb-error"></div><div id="ext-gen7197"   
class="ext-mb-content"><span id="ext-gen4185" class="ext-mb-  
  
text">Error:IPAddressMask( 2 ) , IPAddressMask.cpp:14, "Invalid mask:"  
><iframe id="ext-gen7196" [PERSISTENT INJECTED SCRIPT CODE!];)" <="" "=""><[PERSISTENT   
  
INJECTED SCRIPT CODE!]") <"><[PERSISTENT INJECTED SCRIPT CODE!]") </0"</iframe></span>  
  
AFFECTED: https://127.0.0.1:1338/admin/FEAdmin.html#SysInterfaceCollection  
  
  
Module: Whitelist & Blacklist - Address  
URL: https://209.87.230.132:1443/admin/FEAdmin.html#PersonalBlackWhiteList  
  
<div id="ext-gen10562" class="ext-mb-content"><span id="ext-gen5714" class="ext-mb-text">  
Invalid address: "><[PERSISTENT INJECTED SCRIPT CODE!];)" <="" -=""   
  
"=""><[PERSISTENT INJECTED SCRIPT CODE!]") <</iframe></span>  
  
AFFECTED: https://209.87.230.132:1443/admin/FEAdmin.html#SystemBlackWhiteList  
  
  
Module: Bounce Verification - Username  
URL: https://209.87.230.132:1443/admin/FEAdmin.html#AsBounceverifyKeyCollection  
  
<div id="ext-gen7197" class="ext-mb-content"><span id="ext-gen4185" class="ext-mb-text">  
Invalid user name: ""><iframe id="ext-gen19608" [PERSISTENT INJECTED SCRIPT   
  
CODE!];)" <="" "=""><[PERSISTENT INJECTED SCRIPT CODE!]") <"</iframe></span>  
  
  
  
1.2  
The persistent vulnerability can be exploited by remote attackers with privileged application account and   
low required user inter action. For demonstration or reproduce ...  
  
  
Module: Upload or Import - Local Certificate - Certificate name  
URL: https://209.87.230.132:1443/admin/FEAdmin.html#SysCertificateDetailCollection  
  
<div id="ext-gen38011" class="x-grid3-body"><div id="ext-gen38041" class="x-grid3-row x-grid3-row-selected " style="width: 1158px;">  
<table class="x-grid3-row-table"   
  
style="width: 1158px;" border="0" cellpadding="0" cellspacing="0"><tbody><tr><td id="ext-gen38095" class="x-grid3-col x-grid3-cell   
x-grid3-td-mkey x-grid3-cell-first "   
  
style="width:248px;" tabindex="0"><div id="ext-gen38036" class="x-grid3-cell-inner x-grid3-col-mkey"   
unselectable="on">[PERSISTENT INJECTED SCRIPT CODE AS CERTIFICATE NAME!]</div></td>  
<td class="x-grid3-col x-grid3-cell x-grid3-td-subject " style="width: 726px;" tabindex="0"><div id="ext-gen38068"   
class="x-grid3-cell-inner x-grid3-  
  
col-subject" unselectable="on">/[PERSISTENT INJECTED SCRIPT CODE AS CERTIFICATE VIA INFORMATION!]</div></td>  
<td id="ext-gen38085"   
  
class="x-grid3-col x-grid3-cell x-grid3-td-status " style="width:148px;" tabindex="0"><div id="ext-gen38086" class="x-grid3-cell-inner   
x-grid3-col-status"   
  
unselectable="on">OK</div></td><td id="ext-gen38084" class="x-grid3-col x-grid3-cell x-grid3-td-isReferenced x-grid3-cell-last "   
style="width:28px;" tabindex="0"><div   
  
class="x-grid3-cell-inner x-grid3-col-isReferenced" unselectable="on"><img src="images/gray-ball.png" alt="0" align="absmiddle"   
  
border="0"></div></td></tr></tbody></table></div><div id="ext-gen38040" class="x-grid3-row x-grid3-row-alt " style="width: 1158px;">  
<table class="x-grid3-row-table"   
  
style="width: 1158px;" border="0" cellpadding="0" cellspacing="0"><tbody><tr><td class="x-grid3-col x-grid3-cell x-grid3-td-mkey x-grid3-cell-first "   
  
style="width:248px;" tabindex="0"><div id="ext-gen38037" class="x-grid3-cell-inner x-grid3-col-mkey"   
unselectable="on">[PERSISTENT INJECTED SCRIPT CODE AS CERTIFICATE NAME!]</div></td>  
<td class="x-grid3-col x-grid3-cell x-grid3-td-subject " style="width: 726px;" tabindex="0"><div id="ext-gen38039"   
class="x-grid3-cell-inner x-grid3-  
  
col-subject" unselectable="on">[PERSISTENT INJECTED SCRIPT CODE AS CERTIFICATE VIA INFORMATION!]</div></td><td class="x-grid3-col x-grid3-cell x-grid3-td-status "   
style="width:148px;" tabindex="0"><div   
  
id="ext-gen38102" class="x-grid3-cell-inner x-grid3-col-status" unselectable="on">Default</div></td><td id="ext-gen38101" class="x-grid3-col   
x-grid3-cell x-grid3-td-  
  
isReferenced x-grid3-cell-last " style="width:28px;" tabindex="0"><div id="ext-gen38083" class="x-grid3-cell-inner x-grid3-col-isReferenced"   
unselectable="on"><img   
  
id="ext-gen38100" src="images/red-ball.png" alt="1" align="absmiddle" border="0"></div></td></tr></tbody></table></div></div>  
  
  
  
Solution:  
=========  
1.1  
The exception-handling vulnerability can be fixed by parsing the full content without excluding after a close tag. Restrict the input fields to allowed chars.  
  
1.2  
The persistent vulnerability in the certificate import/upload module can be patched by parsing the certificate name and info input field.   
Do not forget to parse also the vulnerable output listing of the certificate name and cert information.  
  
  
Risk:  
=====  
The security risk of the of the exception-handling and input filter bypass vulnerability is estimated as high(-).  
  
  
Credits:  
========  
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)  
  
  
Disclaimer:  
===========  
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,   
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-  
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business   
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some   
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation   
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases   
or trade with fraud/stolen material.  
  
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register  
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com  
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com  
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab  
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php  
  
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.   
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other   
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and   
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),   
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.  
  
Copyright © 2012 | Vulnerability Laboratory  
  
--   
VULNERABILITY RESEARCH LABORATORY  
LABORATORY RESEARCH TEAM  
CONTACT: research@vulnerability-lab.com  
  
`