Fortinet FortiClient Bugs Let Local Users View Memory Contents, Modify the Registry, and Execute Arbitrary Code
SecurityTracker Alert ID: 1033439|
SecurityTracker URL: http://securitytracker.com/id/1033439
CVE-2015-4077, CVE-2015-5735, CVE-2015-5736, CVE-2015-5737
(Links to External Site)
Date: Sep 1 2015
Disclosure of system information, Execution of arbitrary code via local system, Modification of system information, User access via local system|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): 220.127.116.113; possibly other versions|
Several vulnerabilities were reported in Fortinet FortiClient. A local user can obtain elevated privileges on the target system. A local user can obtain potentially sensitive information from system memory. A local user can modify the configuration.|
A local user can supply a specially crafted IOCTL call to exploit a flaw in the 'mdare64_48.sys', 'mdare32_48.sys', mdare32_52.sys', and 'mdare64_52.sys' drivers and obtain potentially sensitive information from system memory on the target system [CVE-2015-4077].
A local user can supply a specially crafted IOCTL call to exploit a flaw in the 'mdare64_48.sys', 'mdare32_48.sys', 'mdare32_52.sys', and 'mdare64_52.sys' drivers to write to arbitrary memory locations [CVE-2015-5735].
A local user can supply a specially crafted IOCTL call to exploit a callback access control flaw in 'Fortishield.sys' to execute arbitrary code with kernel level privileges [CVE-2015-5736].
A local user can supply a specially crafted IOCTL call to exploit an APIaccess control flaw and modify the Windows Registry or control processes on the target system [CVE-2015-5737].
The vendor was notified on June 25, 2015.
The original advisory is available at:
Enrique Nissim from Core Security's Consulting Team reported this vulnerability.
A local user can obtain kernel-level privileges on the target system.|
A local user can obtain potentially sensitive information from system memory on the target system.
A local user can modify the configuration on the target system.
The vendor has issued a fix (5.2.4.0650).|
[Editor's note: No vendor advisory was publicly available at the time of this entry.]
Vendor URL: www.fortinet.com/ (Links to External Site)
Access control error, Boundary error|
|Underlying OS: Windows (Any)|
Source Message Contents
Subject: [CORE-2015-0013] - FortiClient Antivirus Multiple Vulnerabilities|
1. Advisory Information
Title: FortiClient Antivirus Multiple Vulnerabilities
Advisory ID: CORE-2015-0013
Advisory URL: http://www.coresecurity.com/advisories/forticlient-antiviru=
Date published: 2015-09-01
Date of last update: 2015-09-01
Vendors contacted: Fortinet
Release mode: Coordinated release
2. Vulnerability Information
Class: Information Exposure [CWE-200], Write-what-where Condition [CWE-12=
3], Exposed Dangerous Method or Function [CWE-749], Exposed IOCTL with In=
sufficient Access Control [CWE-782]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2015-4077, CVE-2015-5735, CVE-2015-5736, CVE-2015-5737
3. Vulnerability Description
Fortinet FortiClient  extends the power of FortiGate's Unified threat =
management to endpoints on your network. Desktops, laptops, tablets and s=
martphones, FortiClient enables every device - local or remote, stationar=
y or mobile - to integrate with your FortiGate. With no per-seat license =
fees, FortiClient takes the headaches out of managing multiple endpoints =
so your users and guests can work efficiently anywhere, without compromis=
ing your security.
FortiClient drivers are prone to multiple attacks and expose a wide surfa=
ce that allows users to easily get SYSTEM privileges.
4. Vulnerable packages
Other versions may probably be affected too, but they were not checked.
5. Vendor Information, Solutions and Workarounds
Fortinet released an updated version of FortiClient 5.2.4.0650  that f=
ixes the reported issues.
These vulnerabilities were discovered and researched by Enrique Nissim fr=
om Core Security's Consulting Team. The publication of this advisory was =
coordinated by Joaqu=C3=ADn Rodr=C3=ADguez Varela from Core Security's Ad=
7. Technical Description / Proof of Concept Code
[CVE-2015-4077] The vulnerability lies in the drivers "mdare64_48.sys", "=
mdare32_48.sys", "mdare32_52.sys" and "mdare64_52.sys". By using the IOCT=
L 0x22608C with the proper parameters, an attacker is able to read arbitr=
ary memory content from kernelspace.
[CVE-2015-5735] The vulnerability lies in the drivers "mdare64_48.sys", "=
mdare32_48.sys", "mdare32_52.sys" and "mdare64_52.sys". By using the IOCT=
L 0x226108, the attacker is able to call ZwEnumerateValueKey and write it=
s output to an arbitrary memory location.
[CVE-2015-5736] The vulnerability lies in "Fortishield.sys", which is a m=
inifilter filesystem driver that hooks filesystem operations. IOCTL 0x220=
024 and 0x220028 both allow establishing callbacks that will be called du=
ring any IRP_MJ_WRITE and IRP_MJ_SET_INFORMATION, respectively. Consequen=
tly, any user in the system can set an arbitrary function as a callback a=
nd execute code with kernel privileges.
[CVE-2015-5737] The vulnerability lies in the drivers "mdare64_48.sys", "=
mdare32_48.sys", "mdare32_52.sys", "mdare64_52.sys" and "Fortishield.sys"=
. All of these drivers expose an API to manage processes and the Windows =
registry. For instance, the IOCTL 0x2220c8 of the "mdareXX_XX.sys" driver=
returns a full privileged handle to a given process PID. This same funct=
ion is replicated inside "Fortishield.sys".
8. Report Timeline
2015-06-25: Core Security notified Fortinet of the vulnerabilities. Publi=
cation date set for July 27th, 2015.
2015-06-30: Fortinet replied that they received Core Security's email and=
that they would like to receive the draft version of the advisory.
2015-07-01: Core Security sent Fortinet the draft version of the advisory=
and requested a tentative schedule for releasing the updates.
2015-07-01: Fortinet replied that they received the draft version of the =
advisory and that they would review it.
2015-07-15: Core Security requested an update from Fortinet regarding the=
reported vulnerabilities and a tentative schedule.
2015-07-19: Fortinet replied and confirmed the reported bugs, but stated =
that they were only able to trigger them with administrative privileges. =
They requested a PoC from Core Security.
2015-07-20: Core Security replied, explaining to Fortinet that they were =
able to trigger the vulnerabilities as a non-privileged user. They sent F=
ortinet a PoC code that opens a handle with read/write permissions to LSA=
SS process and then uses it to allocate memory in its virtual address spa=
2015-07-20: Fortinet replied that they would review the PoC.
2015-07-20: Fortinet asked if Core Security researchers could review an i=
nterim build when available.
2015-07-21: Core Security confirmed that they would be willing to review =
an interim build when available.
2015-08-03: Core Security requested an update from Fortinet regarding the=
availability of the interim build, and asked if there was a specific dat=
e Fortinet was planning to release the fix.
2015-08-04: Fortinet replied that their current release date was August 1=
2015-08-05: Fortinet updated the schedule, explaining that the interim bu=
ild wouldn't include the MDARE fixes therefore delaying the release until=
the end of August.
2015-08-07: Core Security asked Fortinet if the interim build was going t=
o be published by Fortinet, because if so, that would force Core Security=
to publish their findings as well. If that wasn't the case, Core Securit=
y recommended publishing everything together later that month.
2015-08-07: Fortinet replied that the interim build was private and there=
fore there wasn't a need to publish ahead of schedule.
2015-08-10: Fortinet sent Core Security a link to download the interim bu=
ild and requested feedback.
2015-08-10: Core Security replied that they received and downloaded the i=
nterim build and would send feedback. Additionally, Core Security request=
ed an updated ETA.
2015-08-18: Core Security requested the specific date Fortinet would rele=
ase the patched version of their product so they could schedule their sec=
urity advisory publication accordingly.
2015-08-20: Core Security again requested for a specific date for the pub=
lication of the updates and informed Fortinet them that if they didn't re=
ceive and answer in the following days they would be forced to schedule t=
he advisory publication.
2015-08-20: Fortinet replied that the scheduled release date for the upda=
ted version of FortiClient was August 31. They asked if they had an oppor=
tunity to review the interim build andif they had any feedback.
2015-08-24: Core Security replied that they were able to review the inter=
im build and that they could confirm that those bugs were no longer explo=
itable.Core Security requested and updated ETA of the updated version.
2015-08-24: Fortinet replied that the scheduled release seemed to be conf=
irmed and that the estimated time of availability would be roughly 5 p.m.=
10. About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipat=
ing the future needs and requirements for information security technologi=
es. We conduct our research in several important areas of computer securi=
ty including system vulnerabilities, cyber attack planning and simulation=
, source code auditing, and cryptography. Our results include problem for=
malization, identification of vulnerabilities, novel solutions and protot=
ypes for new technologies. CoreLabs regularly publishes security advisori=
es, technical papers, project information and shared software tools for p=
ublic use at: http://corelabs.coresecurity.com.
11. About Core Security
Core Security enables organizations to get ahead of threats with security=
test and measurement solutions that continuously identify and demonstrat=
e real-world exposures to their most critical assets. Our customers gain =
real visibility into their security standing, real validation of their se=
curity controls, and real metrics to more effectively secure their organi=
Core Security's software solutions build on over a decade of trusted rese=
arch and leading threat expertise from the company's Security Consulting =
Services, CoreLabs and Engineering groups. Core Security can be reached a=
t +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
The contents of this advisory are copyright (c) 2014 Core Security and (c=
) 2014 CoreLabs, and are licensed under a Creative Commons Attribution No=
n-Commercial Share-Alike 3.0 (United States) License: http://creativecomm=
13. PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisorie=
s team, which is available for download at http://www.coresecurity.com/fi=
Go to the Top of This SecurityTracker Archive Page