Fortinet Installer Client 5.6 DLL Hijacking

2018-01-03T00:00:00
ID PACKETSTORM:145625
Type packetstorm
Reporter Souhardya Sardar
Modified 2018-01-03T00:00:00

Description

                                        
                                            `Affected Product: Fortinet Installer Client 5.6 for Windows PC  
Credit: Souhardya Sardar and Rohit Bankoti   
Contact : github.com/Souhardya  
  
*Summary:*  
Fortinet Installer contains a privilege escalation vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system and gain elevated privileges. The vulnerability exists because 'FortiClientOnlineInstaller.exe' loads a DLL file insecurely, which allows an attacker to substitute a DLL of the attacker's choosing that executes arbitrary code without the user's knowledge.  
  
  
  
*Tested on*: Windows 7  
  
*Impact:*  
An attacker can exploit this vulnerability to load a DLL file of the  
attacker's choosing, which could execute arbitrary code. This may help the  
attacker successfully exploit the system if a shell is built as the DLL.  
  
  
  
If an attacker places a malicious DLL in the user's "Downloads" directory, this vulnerability becomes arbitrary code execution.  
  
*Proof of concept/demonstration*:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
1. Create a malicious 'dwmapi.dll' file and save it in your "Downloads" directory.  
  
2. Download 'FortiClientOnlineInstaller.exe' and save it in your "Downloads" directory.  
  
3. Execute .exe from your "Downloads" directory.  
  
4. The malicious DLL file gets executed.  
  
  
Almost all executable installers (and self-extractors as well as "portable" applications too) for Windows have a well-known (trivial, trivial to detect and trivial to exploit) vulnerability: they load system DLLs from their "application directory" (or a temporary directory they extract their payload to) instead of "%SystemRoot%\System32\".  
  
  
| To ensure secure loading of libraries:  
| * Use the proper DLL search order.  
| * Always specify the fully qualified path when the library location  
| is constant.  
| * Load as a data file when required.  
| * Make use of code signing infrastructure or AppLocker.  
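As an added example that is not part of this advisory or of Fortinet's code, the following PowerShell audit lists DLLs sitting in user-writable directories that share a name with a DLL in %SystemRoot%\System32 (the 'dwmapi.dll'-in-"Downloads" condition the steps above rely on) and reports their Authenticode status and hash. The set of directories audited is an assumption; extend it for the environment.

```powershell
# Added example, not from the advisory. Finds DLLs in user-writable directories whose
# name collides with a DLL shipped in %SystemRoot%\System32 (e.g. dwmapi.dll in "Downloads"),
# the precondition for an installer that searches its own directory before System32.
function Find-ShadowingDll {
    param(
        # Assumption: these are the directories worth auditing; extend as needed.
        [string[]]$AuditDirs = @(
            (Join-Path $env:USERPROFILE 'Downloads'),
            (Join-Path $env:USERPROFILE 'Desktop'),
            $env:TEMP
        )
    )

    # Build a lookup of real system DLL names so only genuine name collisions are reported.
    $system32 = Join-Path $env:SystemRoot 'System32'
    $systemDllNames = @{}
    Get-ChildItem -Path $system32 -Filter '*.dll' -File | ForEach-Object {
        $systemDllNames[$_.Name.ToLowerInvariant()] = $true
    }

    foreach ($dir in $AuditDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # A DLL can only be picked up ahead of System32 if it carries a system DLL's name.
            if (-not $systemDllNames.ContainsKey($_.Name.ToLowerInvariant())) { return }

            # NotSigned, HashMismatch or a non-Microsoft signer on a system DLL name is the red flag.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

            [PSCustomObject]@{
                Path             = $_.FullName
                ShadowsSystemDll = (Join-Path $system32 $_.Name)
                SignatureStatus  = $sig.Status
                Signer           = $signer
                Created          = $_.CreationTime
                Sha256           = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

# Anything returned here deserves a look: a copy of dwmapi.dll has no business in Downloads.
Find-ShadowingDll | Format-Table -AutoSize
```

Pair this with the mitigation list above on the application side: an installer that calls SetDefaultDllDirectories with LOAD_LIBRARY_SEARCH_SYSTEM32, or loads by fully qualified path, is not affected by a DLL planted next to it.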
  