Lucene search
K

Fortinet Installer Client 5.6 DLL Hijacking

🗓️ 03 Jan 2018 00:00:00Reported by Souhardya SardarType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 37 Views

Fortinet Installer Client 5.6 DLL Hijacking privilege escalation vulnerability on Windows

Code
`Affected Product: Fortinet Installer Client 5.6 for Windows PC  
Credit: Souhardya Sardar and Rohit Bankoti   
Contact : github.com/Souhardya  
  
*Summary:*  
Fortinet Installer contains a privilege escalation vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system and gain elevated privileges. The vulnerability exists due to some DLL file is loaded by 'FortiClientOnlineInstaller.exe' improperly. And it allows an attacker to load this DLL file of the attacker as choosing that could execute arbitrary code without the user's knowledge.  
  
  
  
*Tested on*: Windows 7  
  
*Impact:*  
Attacker can exploit this vulnerability to load a DLL file of the  
attacker's choosing that could execute arbitrary code. This may help  
attacker to successfully exploit the system if user creates shell as a DLL.  
  
  
  
If an attacker places malicious DLL in the user's "Downloads" directory this vulnerability becomes a arbitrary code execution.  
  
*Proof of concept/demonstration*:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
1. Create a malicious 'dwmapi.dll' file and save it in your "Downloads" directory.  
  
2. Download 'FortiClientOnlineInstaller.exe' and save it in your "Downloads" directory.  
  
3. Execute .exe from your "Downloads" directory.  
  
4. Malicious dll file gets executed.  
  
  
Almost all executable installers (and self-extractors as well as "portable" applications too) for Windows have a well-known (trivial, trivial to detect and trivial to exploit) vulnerability: they load system DLLs from their "application directory" (or a temporary directory they extract their payload to) instead of "%SystemRoot%\System32\".  
  
  
| To ensure secure loading of libraries  
| * Use proper DLL search order.  
| * Always specify the fully qualified path when the library location  
~~~~~~  
| is constant.  
| * Load as data file when required.  
| * Make use of code signing infrastructure or AppLocker.  
  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation