FortiManager Malicious Script Insertion

Type packetstorm
Reporter Benjamin Kunz Mejri
Modified 2016-08-04T00:00:00


                                            `Document Title:  
FortiManager (Series) - (Bookmark) Persistent Vulnerability  
References (Source):  
Fortinet PSIRT ID: 1624461  
Release Notes 1:  
Release Notes 2:  
Release Notes 3:  
Release Date:  
Vulnerability Laboratory ID (VL-ID):  
Common Vulnerability Scoring System:  
Product & Service Introduction:  
FortiManager appliances allow you to centrally manage any number of Fortinet devices, from several to thousands, including FortiGateA(r), FortiWiFiaC/,   
FortiCarrieraC/, FortiMailaC/ and FortiAnalyzeraC/ appliances and virtual appliances, as well as FortiClientaC/ endpoint security agents. You can further   
simplify control and management of large deployments by grouping devices and agents into administrative domains (ADOMs).  
The FortiManager family of management appliances provides centralized policy-based provisioning, device configuration, and update management for   
FortiGate, FortiWiFi, and FortiMail appliances, and FortiClient end-point security agents, plus end-to-end network monitoring and device control.   
FortiManager delivers a lower TCO for Fortinet implementations by minimizing both initial deployment costs and ongoing operating expenses. Control   
administrative access and simplify policy deployment using role-based administration to define user privileges for specific management domains and   
functions, and aggregating collections of Fortinet appliances and agents into independent management domains. In addition, by locally hosting security   
content updates for managed devices and agents, FortiManager appliances minimize Web filtering rating request response time and maximize network protection.  
(Copy of the Vendor Homepage: )  
Abstract Advisory Information:  
The Vulnerability Laboratory Core Research Team discovered a persistent web validation vulnerability in the official Fotinet FortiManager appliance product series.  
The issue affects the web-application of the appliance series and is present in the following fortimanager models - 200D, 300D, 1000D,   
3900E, 4000E, Virtual Appliances Version and FortiMoM-VM. The Fortimanager legacy models 100, 100C, 400A, 400B, 400C, 1000C, 3000C and 4000D are   
affected as well by the vulnerability.  
Persistent Web  
Vulnerability Disclosure Timeline:  
2016-01-25: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)  
2016-01-26: Vendor Notification (FortiGuard Security Team)  
2016-02-15: Vendor Response/Feedback (FortiGuard Security Team)  
2016-04-08: Vendor Fix/Patch (Fortinet Developer Team)  
2016-05-22: Vendor Fix/Patch (Fortinet Developer Team)  
2016-07-13: Security Bulletin (FortiGuard Security Team) [Acknowledgements]  
2016-08-04: Public Disclosure (Vulnerability Laboratory)  
Discovery Status:  
Affected Product(s):  
Product: FortiManager - Appliance (Web-Application) 200D, 300D, 1000D, 3900E, 4000E, Virtual Appliances Versio  
Product: FortiManager - Appliance (Web-Application) Legacy - 100, 100C, 400A, 400B, 400C, 1000C, 3000C & 4000  
Exploitation Technique:  
Severity Level:  
Technical Details & Description:  
A persistent and non-persistent input validation web vulnerability has been discovered in the official Fotinet FortiManager appliance product series.  
The vulnerability allows privileged guest user accounts and restricted user accounts to inject own malicious script codes on the application-side or   
client-side of the fortimanager appliance web-application series.  
The vulnerability is located in the `name and description` input fields of the vulnerable `Policy & Objects - Security Profiles - SSL VPN Portal` module.   
The request method to inject is POST to GET and the attack vector is located on the application-side of the appliance web-application. Remote attackers   
are able to inject own malicious script codes to the name and description input fields. After processing to add, the code bypasses the regular web filter   
of the appliance web-application and executes finally in the pre-defined bookmarks listing module above with the basic input. The vulnerability can be   
exploited by guest appliance user accounts with restricted access. The vulnerability first executes with client-side attack vector and becomes persistent   
with the save procedure by return.  
The security risk of the application-side and client-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.8.   
Exploitation of the application-side web vulnerability requires a low privileged guest web-application user account and low user interaction. Successful exploitation   
of the vulnerability results in persistent phishing, session hijacking, persistent external redirect to malicious sources and application-side manipulation of affected   
or connected web module context.  
Request Method(s):  
[+] POST  
Vulnerable Module(s):  
[+] Policy & Objects - Security Profiles - SSL VPN Portal  
Vulnerable Parameter(s):  
[+] name  
[+] description  
Affected Module(s):  
[+] Predefined Bookmarks - [Create] Listing  
Affected Serie(s): FortiManager  
[+] FortiManager 200D  
[+] FortiManager 300D  
[+] FortiManager 1000D  
[+] FortiManager 3900E  
[+] FortiManager-4000E  
[+] FortiManager Virtual Appliances  
[+] FortiMoM-VM  
FortiManager Legacy Models  
[+] FortiManager 100  
[+] FortiManager 100C  
[+] FortiManager 400A  
[+] FortiManager 400B  
[+] FortiManager 400C  
[+] FortiManager 1000C  
[+] FortiManager 3000C  
[+] FortiManager 4000D  
Proof of Concept (PoC):  
The persistent input validation web vulnerability can be exploited by low privileged guest web-application user accounts with low user interaction.  
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.  
Manual steps to reproduce the vulnerability as guest user with restricted access privileges ...  
1. Login to the fortimanager appliance web-application as guest user  
2. Open the following section that is not restricted to guests mainly (http://fortimanager.localhost:8000/cgi-bin/module//sharedobjmanager/vpn/SOMVpnSSLPortalDialog)  
3. Click Security Profiles > SSL VPN Portal  
4. Now click the pre-defined Bookmarks button ahead to the listing  
5. Add your test payload to verify the issue in the Name and Description input field  
6. Save the entry  
7. The code executes in the Pre-Defined Bookmarks listing context in two locations  
8. Save the entry by return again  
9. Now you reopen the post to edit the pre-defined bookmarks  
10. A second execution of the payload occurs in the edit form next to the category entry  
11. Successful reproduce of the persistent vulnerability!  
PoC: Source #1 - Policy & Objects > Security Profiles > SSL VPN Portal > Predefined Bookmarks > [Create] Listing  
<tbody><tr class="heading"><th>Name</th><th>Type</th><th>Location</th><th>Description</th><th></th></tr>  
<tr class="bk-cate"><td style="text-align: left; padding-left: 20px;" colspan="5" class="bk-cate-expand">Bookmarks</td></tr>  
<tr class="bk-cate"><td style="text-align: left; padding-left: 20px;" colspan="5" class="bk-cate-expand">">  
<td>"><"<[PERSISTENT SCRIPT CODE EXECUTION!]>"</td><td>SSH</td><td>benjamin-km</td><td>[PERSISTENT SCRIPT CODE EXECUTION!]</td><td>  
<nobr><img src="/resource/images/edit.gif" onclick="edit_bookmark(this);"> <img src="/resource/images/delete.gif" onclick="del_bookmark(this);">  
PoC: Source #2 - Edit Form (Category)  
<div id="bAutoComplete" style="z-index:9001;"><input id="bkcate" name="bkcate" value=""><"<[PERSISTENT SCRIPT CODE EXECUTION!] sr"="" maxlength="35"   
style="position:static;background: url(/resource/images/tabOption.gif) center right no-repeat #FFF;"><div id='bContainer'></div></div></td></tr><tr>  
<td style='padding:3px;'>Name</td><td><input id='bkname' name='bkname' value=""><"<[PERSISTENT SCRIPT CODE EXECUTION!]" maxlength=35 ></td></tr><tr>  
<td style='padding:3px;'>Type</td><td><select id='bktype' name='bktype'><option value=9 >CITRIX</option><option value=4 >FTP</option><option value=1 >  
HTTP/HTTPS</option><option value=11 >Port Forward</option><option value=8 >RDP</option><option value=10 >RDP NATIVE</option><option value=6 >SMB/CIFS  
</option><option value=3 selected>SSH</option><option value=2 >Telnet</option><option value=7 >VNC</option></select></td></tr><tr><td style='padding:3px;'>  
Location</td><td><input id='bkloc' name='bkloc' value="benjamin-km" maxlength=128></td></tr><tr id='tr_rport'><td style='padding:3px;'>Remote Port</td><td>  
<input id='bkrport' name='bkrport' value="0" maxlength=5></td></tr><tr id='tr_lport'><td style='padding:3px;'>Listening Port</td><td>  
<input id='bklport' name='bklport' value="0" maxlength=5></td></tr><tr id='tr_sw'><td style='padding:3px;'>Screen Width</td><td><input id='bksw'   
name='bksw' value="1024" maxlength=4></td></tr><tr id='tr_sh'><td style='padding:3px;'>Screen Height</td><td><input id='bksh' name='bksh' value="768"  
maxlength=4></td></tr><tr id='tr_usr'><td style='padding:3px;'>Logon User</td><td><input id='bkusr' name='bkusr' value="" maxlength=35></td></tr>  
<tr id='tr_pswd'><td style='padding:3px;'>Password</td><td><input id='bkpswd' name='bkpswd' type='password' value=""><input id='bkpswdflag' name='bkpswdflag'   
type='hidden' value=0></td></tr><tr id='tr_kbd'><td style='padding:3px;'>Keyboard Layout</td><td><select id='bkkbd' name='bkkbd'><option value=0 >Arabic</option>  
<option value=1 >Danish</option><option value=2 >German</option><option value=3 >German, Switzerland</option><option value=4 >English, Great Britain</option>  
<option value=5 >English, United Kingdom</option><option value=6 selected>English, US</option><option value=7 >Spanish</option><option value=8 >Finnish</option>  
<option value=9 >French</option><option value=10 >French, Belgium</option><option value=11 >French, Canada</option><option value=12 >French, Switzerland</option>  
<option value=13 >Croatian</option><option value=14 >Hungarian</option><option value=15 >Italian</option><option value=16 >Japanese</option><option value=17 >  
Lithuanian</option><option value=18 >Latvian</option><option value=19 >Macedonian</option><option value=20 >Norwegian</option><option value=21 >Polish</option>  
<option value=22 >Portuguese</option><option value=23 >Portuguese, Brazil</option><option value=24 >Russian</option><option value=25 >Slovenian</option>  
<option value=26 >Swedish</option><option value=27 >Turkmen</option><option value=28 >Turkish</option><option value=29 >French, Canadian Multilingual</option>  
<option value=30 >Windows Generic Keyboard</option></select></td></tr><tr><td style='padding:3px;'>Description</td><td><input id='bkdesc' name='bkdesc' value="">  
<"<[PERSISTENT SCRIPT CODE EXECUTION!]>" maxlength=128></td></tr><tr id='tr_fsm'><td style='padding:3px;'>Full Screen Mode</td><td><input id='bkfsm'   
name='bkfsm' type='checkbox' value=1 checked></td></tr><tr id='tr_disp'><td style='padding:3px;'>Display Status</td><td><input id='bkdisp' name='bkdisp'   
type='checkbox' value=1 checked></td></tr><tr id='tr_sso'><td style='padding:3px;'>SSO</td><td><select id='bksso' name='bksso'><option value=0 selected>Disabled</option>  
<option value=1 >Static</option><option value=2 >AUTO</option></select></td></tr><tr id='tr_value_form'><td style='padding:3px;' colspan='2'><table id='bookmark-form-data'   
style='width:100%;'><thead style='font-weight:bold;'><tr><th style='width:144px;'>Field Name</th><th><span style='width:144px;display:inline-block;'>Value</span><input   
id='add_fv_row' type='button' value='Add' style='width:70px;'></th></tr></thead><tbody id='fv_tbody'></tbody></table></tr></table></form></iframe></div>  
--- PoC Session Logs [GET] (Execution) ---  
Status: 200[OK]  
GET http://fortimanager.localhost:8000/cgi-bin/module//sharedobjmanager/vpn/x[PERSISTENT SCRIPT CODE EXECUTION!]  
Mime Type[text/html]  
Request Header:  
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]  
Cookie[remoteauth=1; forRevert=0; vmConfirm=1; tabPosition=; showSlave=1; add_dev_later=; auth_state=; CURRENT_SESSION=9X3lvcNst3VYkYtkLWMkgMagWkS+Qmdk38eDLl1jE+ZNJ7Dw  
/9EQlVtauZ98+4+nN5aOe5ixbZGoE/sIrlNbRQ==; MCP_VIEW_MODE=sectview; csrftoken=ea5a7a467e8cabdfe640cd475183d2a5]  
Response Header:  
Date[Tue, 26 Jan 2016 12:48:10 GMT]  
Status: 200[OK]GET http://fortimanager.localhost:8000/cgi-bin/module//sharedobjmanager/vpn/a[PERSISTENT SCRIPT CODE EXECUTION!]  
Mime Type[text/html]  
Request Header:  
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]  
Cookie[remoteauth=1; forRevert=0; vmConfirm=1; tabPosition=; showSlave=1; add_dev_later=; auth_state=; CURRENT_SESSION=9X3lvcNst3VYkYtkLWMkgMagWkS+Qmdk38eDLl1jE+  
ZNJ7Dw/9EQlVtauZ98+4+nN5aOe5ixbZGoE/sIrlNbRQ==; MCP_VIEW_MODE=sectview; csrftoken=ea5a7a467e8cabdfe640cd475183d2a5]  
Response Header:  
Date[Tue, 26 Jan 2016 12:48:10 GMT]  
Solution - Fix & Patch:  
Updates are available for customers in the fortinet customer area or via automated appliance update.  
5.0.12 (FMG)   
5.0.13 (FAZ)  
Security Risk:  
The security risk of the persistent input validation web vulnerability in the fortimanager web-application is estimated as medium. (CVSS 3.8)  
Credits & Authors:  
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri ( []  
Disclaimer & Information:  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed   
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable   
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab   
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for   
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,   
policies, deface websites, hack into databases or trade with fraud/stolen material.  
Domains: - -  
Contact: - -  
Section: - -  
Social:!/vuln_lab - -  
Feeds: - -  
Programs: - -  
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to   
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by   
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website   
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact   
( or to get a permission.  
Copyright A(c) 2016 | Vulnerability Laboratory - [Evolution Security GmbH]aC/