Category:   Device (Firewall)  >   Fortinet FortiGate/FortiOS Vendors:   Fortinet
FortiGate Firewall Admin Interface Input Validation Flaw Permits Remote Cross-Site Scripting Attacks Against Administrators
SecurityTracker Alert ID:  1008158
SecurityTracker URL:  http://securitytracker.com/id/1008158
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Nov 12 2003
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): prior to 2.50 maintenance release 4; Tested on FortiGate 60
Description:   Maarten Hartsuijker reported two vulnerabilities in the FortiGate firewall in the device's web interface. A remote user can conduct cross-site scripting attacks against the firewall administrator to obtain the administrator's hashed password.

It is reported that the firewall does not validate user-supplied URLs on the administrative interface to remove HTML code before displaying information based on the user-supplied URL.

A remote user can create a specially crafted URL that, when loaded by a target administrator, will cause arbitrary scripting code to be executed by the target administrator's browser. The code will originate from the FortiGate device and will run in the security context of that site. As a result, the code will be able to access the target administrator's cookies (including authentication cookies), associated with the firewall device, access data recently submitted by the target user via web form to the administrative interface, or take actions on the interface acting as the target administrator.

Some demonstration exploit URLs are provided:

https://172.16.1.254/firewall/policy/dlg?q=-1&fzone=t<script>alert('oops')</script>>&tzone=dmz
https://172.16.1.254/firewall/policy/policy?fzone=internal&tzone=dmz1<script>alert('oops')</script>
https://172.16.1.254/antispam/listdel?file=blacklist&name=b<script>alert('oops')</script>&startline=0
https://172.16.1.254/antispam/listdel?file=whitelist&name=a<script>alert('oops')</script>&startline=0(naturally)
http://172.16.1.254/theme1/selector?button=status,monitor,session"><script>alert('oops')</script>&button_url=/system/status/status,/system/status/moniter,/system/status/session
http://172.16.1.254/theme1/selector?button=status,monitor,session&button_url=/system/status/status"><script>alert('oops')</script>,/system/status/moniter,/system/status/session
http://172.16.1.254/theme1/selector?button=status,monitor,session&button_url=/system/status/status,/system/status/moniter"><script>alert('oops')</script>,/system/status/session
http://172.16.1.254/theme1/selector?button=status,monitor,session&button_url=/system/status/status,/system/status/moniter,/system/status/session"><script>alert('oops')</script>

It is also reported that the username and the MD5 hash of the user's password are stored in a cookie. As a result, the cross-site scripting flaw described above can be used to obtain the administrator's authentication credentials. An example of the cookie format is shown in the Source Message.

[Editor's note: The existence of these issues was previously mentioned in Alert ID 1007872 in October 2003, but the nature of the issues was not disclosed at that time.]

Impact:   A remote user can access the target administrator's cookies (including authentication cookies) associated with the FortiGate firewall, access data recently submitted by the target administrator via web form to the firewall, or take actions on the firewall acting as the target administrator.
Solution:   The vendor has reportedly issued a fix for Fortinet OS (2.50 MR5), available via FTP as of November 5, 2003.
Vendor URL:  www.fortinet.com/products/ (Links to External Site)
Cause:   Input validation error

Message History:   None.


 Source Message Contents

Subject:  vulnerabilities in fortigate webinterface


NOTE: related to SecurityTracker Alert ID:  1007872

Issue:       Several vulnerabilities in web interface of Fortigate firewall
of which the most serious one will allow a remote attacker to obtain a
username and password of the Fortigate.
Release:   pre 2.50 maintenance release 4
According to vendor, fixed in:
    Issue 3       - Fortinet OS 2.50 MR4, available from FTP as of 29 Sept. 2003
    Issue 1 and 2 - Fortinet OS 2.50 MR5, available from FTP as of 05 Nov. 2003
Date:       12/Nov/2003
Vendor first notified: 14/sept/2003
Related advisories: Advisory posted on issue 3 a month ago.

=================================================
I have just finished testing your Fortigate 60 and would like to inform you
about some security vulnerabilities I noticed in the web interface of this
product. The most serious one will under special circumstances allow a
remote attacker to obtain a username and password of the Fortigate.

Discovered vulnerabilities:
1. Improper input validation.
2. Username and MD5 hash of password are stored in cookie.
3. Web filter log parses unfiltered session details.

Improper input validation
==================
The variables from several URLs are parsed in the HTML code of the
resulting web page. However, the variables are not sanitized before they are
used. Therefore, they can be used to inject code into the admin interface.

The examples below show you a simple alert box, but this could just as well
be used to:
- Steal the cookie of the user that is logged in
- Include (for instance) the Cisco homepage into the website that
is displayed after clicking the URL.
Besides, improper input validation is also a very good starting point for
other types of attacks.

https://172.16.1.254/firewall/policy/dlg?q=-1&fzone=t<script>alert('oops')</script>>&tzone=dmz

https://172.16.1.254/firewall/policy/policy?fzone=internal&tzone=dmz1<script>alert('oops')</script>
https://172.16.1.254/antispam/listdel?file=blacklist&name=b<script>alert('oops')</script>&startline=0
https://172.16.1.254/antispam/listdel?file=whitelist&name=a<script>alert('oops')</script>&startline=0(naturally)
http://172.16.1.254/theme1/selector?button=status,monitor,session"><script>alert('oops')</script>&button_url=/system/status/status,/system/status/moniter,/system/status/session
http://172.16.1.254/theme1/selector?button=status,monitor,session&button_url=/system/status/status"><script>alert('oops')</script>,/system/status/moniter,/system/status/session
http://172.16.1.254/theme1/selector?button=status,monitor,session&button_url=/system/status/status,/system/status/moniter"><script>alert('oops')</script>,/system/status/session
http://172.16.1.254/theme1/selector?button=status,monitor,session&button_url=/system/status/status,/system/status/moniter,/system/status/session"><script>alert('oops')</script>

Username and MD5 hash of password are stored in cookie
==========================================
The username and MD5 hash of the password are stored in a cookie like the
one below. When combining this knowledge with the previously found XSS
vulnerabilities, a remote attacker can trick an administrator into revealing
his credentials.

cookie=APSCOOKIE=1063444738
%2615
%26FGT-602803043728
%26maarten
%26vsys0
%26$1$2a05ca7c$nU7W6SI.7L5ncc7tfZZ7D
The password hash is recognized as FreeBSD, MD5 (probably the base OS of the
firewall).
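An added example, not part of the advisory and not FortiOS code: a small Python parser for the APSCOOKIE format quoted above, a check that flags the md5crypt hash it carries, and the kind of opaque session cookie (hypothetical name APSSESSION) that should replace it. The field layout, with the user name in the fourth field, is assumed from the single sample.

```python
"""Added example: parse the APSCOOKIE value quoted in the advisory, flag the
credential material it carries, and show the opaque session cookie that should
replace it. Not code from the advisory or from FortiOS."""
import re
import secrets
from urllib.parse import unquote

# Constructed by joining the cookie fragments shown above ("%26" line breaks).
SAMPLE_COOKIE = ("APSCOOKIE=1063444738%2615%26FGT-602803043728"
                 "%26maarten%26vsys0%26$1$2a05ca7c$nU7W6SI.7L5ncc7tfZZ7D")

# md5crypt: "$1$" + salt (up to 8 chars) + "$" + base64 digest. The digest is
# normally 22 characters; the advisory's sample has 21, so a range is accepted.
MD5CRYPT_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{20,22}$")

def parse_apscookie(cookie):
    """Return the '&'-separated fields ("%26" is a URL-encoded '&')."""
    name, _, value = cookie.partition("=")
    if name != "APSCOOKIE":
        raise ValueError("not an APSCOOKIE value")
    return unquote(value).split("&")

def audit_apscookie(cookie):
    """Defender's check: which fields look like a password hash, and the user
    name (assumed to be the fourth field, 'maarten' in the sample)."""
    fields = parse_apscookie(cookie)
    hash_fields = [i for i, f in enumerate(fields) if MD5CRYPT_RE.match(f)]
    return {"field_count": len(fields),
            "username": fields[3] if len(fields) > 3 else None,
            "hash_fields": hash_fields,
            "leaks_credentials": bool(hash_fields)}

def issue_opaque_session(username, store):
    """Hardened replacement: a random token referencing server-side state, so
    a script reading document.cookie learns nothing usable offline. HttpOnly
    additionally keeps the value out of reach of injected script."""
    token = secrets.token_urlsafe(32)
    store[token] = {"user": username}
    return token, "APSSESSION=%s; Path=/; Secure; HttpOnly" % token
```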

Web filter log parses unfiltered session details
=================================
After the web filter has been enabled, the administrator has the ability to
review the web filter logs via the web interface. The web filter logs
contain the URL that has been denied by the filter. Because of the fact that
unwanted characters are not stripped from the denied URL, a remote attacker
is able to gain the username and MD5 hash of the password, as soon as the
administrator reviews the logs.

An example:
Pages with the keyword "mp3-download" are denied by the web filter. The page
http://192.168.5.11/maarten.html contains such a keyword. A remote attacker
could poison the log files by retrieving
http://192.168.5.11/maarten.html<script>alert('oops')</script>a

When altering the script a bit, the user credentials could easily be
forwarded to the attacker, who could then use these credentials to alter the
firewall if the administrator has not properly secured access to
HTTPS/SSH/TELNET/HTTP.
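An added example, not from the advisory or from FortiOS, covering issues 1 and 3 together: the parameter values from the URLs above and a constructed web-filter log line are passed through an unescaped renderer and then through a context-aware escaping one. The template markup and the log-line format are assumptions.

```python
"""Added example: the reflection pattern behind issues 1 and 3, as a
vulnerable renderer beside an escaping one. Not the vendor's code."""
import html
from urllib.parse import urlsplit, parse_qs

# Constructed: two of the URLs quoted in the advisory.
SELECTOR_URL = ('http://172.16.1.254/theme1/selector?button=status,monitor,session'
                '"><script>alert(\'oops\')</script>&button_url=/system/status/status')
LISTDEL_URL = ("https://172.16.1.254/antispam/listdel?file=blacklist"
               "&name=b<script>alert('oops')</script>&startline=0")
# Constructed web-filter log line in the style the advisory describes (issue 3).
DENIED_LOG = "denied http://192.168.5.11/maarten.html<script>alert('oops')</script>a"

def params(url):
    """First value of each query parameter, as the admin UI would receive them."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def render_vulnerable(value):
    """Echoes the parameter into an attribute and a text node unescaped (assumed
    template). The selector URLs break out of the attribute with '">'."""
    return '<input value="%s"> <b>%s</b>' % (value, value)

def render_escaped(value):
    """html.escape(quote=True) converts < > & " and ', so a value can neither
    close the attribute it sits in nor open a tag in the text node."""
    safe = html.escape(value, quote=True)
    return '<input value="%s"> <b>%s</b>' % (safe, safe)

def render_log_row(line):
    """Issue 3: a denied URL taken from the log is data, never markup."""
    return "<tr><td>%s</td></tr>" % html.escape(line, quote=True)

def injects_markup(rendered):
    """Detection-style check on the output: a script tag or an attribute-closing
    quote followed by a new tag survived rendering unchanged."""
    return "<script" in rendered or '"><' in rendered
```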
