Fortinet Client Installer 5.6 fltlib.DLL DLL Hijack Vuln

2018.01.03
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Affected Product: Fortinet Online Installer 5.6 Client for Windows PC
Credit: Souhardya Sardar and Rohit Bankoti
Contact: facebook.com/SouhardyaSardar.py

*Summary:*
Fortinet Client Installer 5.6 contains a DLL hijack vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system and gain elevated privileges. The vulnerability exists because a DLL is loaded improperly by 'FortiClientOnlineInstaller.exe', which allows an attacker to substitute a DLL file of the attacker's choosing and execute arbitrary code without the user's knowledge.

*Tested on:* Windows 7 Ultimate 6.1.7601 Service Pack 1 Build 7601

*Impact:*
An attacker can exploit this vulnerability to load a DLL file of the attacker's choosing that could execute arbitrary code. This may help the attacker to successfully exploit the system if a shell is built as a DLL. If an attacker places a malicious DLL in the user's "Downloads" directory, this vulnerability becomes arbitrary code execution.

*Proof of concept/demonstration:*
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. Create a malicious 'fltlib.DLL' file and save it in your "Downloads" directory.
2. Download 'FortiClientOnlineInstaller.exe' and save it in your "Downloads" directory.
3. Execute the .exe from your "Downloads" directory.
4. The malicious DLL file gets executed.

Almost all executable installers (and self-extractors as well as "portable" applications too) for Windows have a well-known (trivial, trivial to detect and trivial to exploit) vulnerability: they load system DLLs from their "application directory" (or a temporary directory they extract their payload to) instead of "%SystemRoot%\System32\".

| To ensure secure loading of libraries:
| * Use proper DLL search order.
| * Always specify the fully qualified path when the library location is constant.
| * Load as data file when required.
| * Make use of code signing infrastructure or AppLocker.
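As an added defender-side check (not part of the advisory or of Fortinet's code), the script below lists DLLs sitting in the user's "Downloads" folder that share a name with a DLL in %SystemRoot%\System32, such as a planted fltlib.dll, reports their Authenticode status, and reads the machine-wide SafeDllSearchMode setting; it assumes the default profile layout ($env:USERPROFILE\Downloads).

```powershell
# Added example, not from the advisory: find DLLs in Downloads that shadow
# System32 names. An installer run from Downloads that resolves such a name
# from its own directory first (the fltlib.dll case above) loads the planted copy.
$downloads = Join-Path $env:USERPROFILE 'Downloads'   # assumption: default profile layout
$system32  = Join-Path $env:SystemRoot 'System32'

$findings = Get-ChildItem -Path $downloads -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sysCopy = Join-Path $system32 $_.Name
        if (Test-Path -LiteralPath $sysCopy) {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Dll             = $_.Name
                Path            = $_.FullName
                ShadowsSystem32 = $true
                Signature       = $sig.Status      # 'Valid' for a signed vendor DLL, 'NotSigned' otherwise
                Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Modified        = $_.LastWriteTime
            }
        }
    }

if ($findings) {
    Write-Warning "Found $(@($findings).Count) DLL(s) in $downloads shadowing System32 names:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No System32-shadowing DLLs found in $downloads."
}

# Report the machine-wide safe search setting (1 = enabled, the default);
# a value of 0 moves the current directory earlier in the DLL search order.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$sm  = Get-ItemProperty -Path $key -Name SafeDllSearchMode -ErrorAction SilentlyContinue
$mode = if ($null -eq $sm) { 1 } else { $sm.SafeDllSearchMode }
Write-Output "SafeDllSearchMode: $mode"
```

A same-named DLL in Downloads is an indicator, not proof; remove or quarantine anything unsigned or unexpected before running installers from that directory.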


Copyright 2024, cxsecurity.com