
CVE-2017-7344 Fortinet FortiClient Windows privilege escalation at logon

Clément Notin (https://securite.intrinsec.com/author/clement-notin/), 22 December 2017

Summary

Vendor: Fortinet

Product: FortiClient

Title: Fortinet FortiClient Windows privilege escalation at logon

CVE ID: CVE-2017-7344 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7344)

Intrinsec ID: ISEC-V2017-01

Risk level: high

Exploitable: Locally, or remotely if the logon screen is exposed (e.g. through RDP without NLA required). Requires a non-default configuration on the client ("Enable VPN before logon"). Requires an invalid certificate on the VPN endpoint side, or a MITM attacker presenting an invalid certificate (e.g. stolen laptop scenario).

Impact: Privilege escalation: from anonymous to SYSTEM, and Windows lock screen bypass

Description

This vulnerability affects the Fortinet FortiClient program. FortiClient is a client program used to connect to SSL/IPsec VPN endpoints.

A setting, disabled by default, enables FortiClient on the logon screen to allow users to connect to a VPN profile before logon. An attacker with physical or remote access (e.g. through TSE/RDP, VNC...) to a machine with FortiClient and this feature enabled can obtain SYSTEM-level privileges from the lock screen. No account or prior knowledge is required.

The vulnerability lies in the confirmation dialog shown when the server certificate is not valid (e.g. the default self-signed certificate, or a Man-in-the-Middle with SSL/TLS interception). That dialog is displayed on the logon desktop by a process running as SYSTEM, and its certificate viewer exposes a standard file-save browser, from which arbitrary programs can be launched with the same privileges.

Versions affected

FortiClient Windows 5.6.0

FortiClient Windows 5.4.3 and earlier

Solutions

Upgrade to FortiClient Windows 5.4.4 or 5.6.1.

However, we tested the latest version and discovered some bypasses of the fix under certain circumstances. We have shared our findings with Fortinet, who is working on a more complete fix. We do not intend to share more details until this issue is fixed.

Enabling the "Do not warn invalid server certificate" option would prevent this issue, but it is strongly discouraged since it allows silent Man-in-the-Middle attacks.

Deploying a valid certificate on the VPN endpoint mitigates the issue in standard situations; however, an attacker in a MITM position will present an invalid certificate to FortiClient regardless of the legitimate server certificate, so this alone is not sufficient to resolve the issue.
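As an added example, not code from this advisory or from Fortinet, the following Python classifies FortiClient Windows version strings against the ranges stated above (5.4.3 and earlier and 5.6.0 vulnerable; 5.4.4 and 5.6.1 carry the advisory's fix, with the bypass caveat) and lists the hosts of a software inventory that still need the upgrade. The inventory lines are constructed sample data; versions the advisory does not mention (5.5.x, 5.7 and later) are deliberately reported as not covered rather than guessed.

```python
"""Triage of FortiClient Windows versions against the ranges in this advisory.

Added example; the inventory below is constructed sample data, not real hosts.
"""
import csv
import io
from typing import Dict, List, Tuple

VULNERABLE = "VULNERABLE"
PATCHED = "PATCHED (advisory fix; bypasses reported, follow vendor updates)"
NOT_COVERED = "NOT COVERED by the advisory; check with vendor"


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.6.0.1075' -> (5, 6, 0, 1075). Non-numeric parts raise ValueError."""
    return tuple(int(part) for part in text.strip().split("."))


def assess(version: str) -> str:
    """Map one version string to the advisory's status for it."""
    v = parse_version(version)
    # "5.4.3 and earlier": every release before 5.4.4 is vulnerable.
    if v < (5, 4, 4):
        return VULNERABLE
    # 5.4.4 and later 5.4.x builds carry the fix (caveat: bypasses reported).
    if v[:2] == (5, 4):
        return PATCHED
    # 5.6.0, including build 5.6.0.1075 named in the history, is vulnerable.
    if v[:3] == (5, 6, 0):
        return VULNERABLE
    # 5.6.1 and later 5.6.x builds carry the fix (same caveat).
    if (5, 6, 1) <= v < (5, 7):
        return PATCHED
    # 5.5.x, 5.7+, 6.x: outside the advisory's stated ranges.
    return NOT_COVERED


# Constructed inventory export (host,version); not real data.
SAMPLE_INVENTORY = """\
host,version
LAPTOP01,5.4.3.0870
LAPTOP02,5.4.4.0860
DESKTOP07,5.6.0.1075
DESKTOP08,5.6.1.1063
KIOSK03,5.2.6.0783
"""


def triage(inventory_csv: str) -> Dict[str, str]:
    """Status per host for a CSV inventory with 'host' and 'version' columns."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: assess(row["version"]) for row in rows}


def hosts_to_upgrade(inventory_csv: str) -> List[str]:
    """Hosts whose installed version the advisory marks as vulnerable."""
    return sorted(h for h, status in triage(inventory_csv).items()
                  if status == VULNERABLE)


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
    print("Upgrade now:", ", ".join(hosts_to_upgrade(SAMPLE_INVENTORY)))
```

The "patched" status is kept distinct from "not vulnerable" on purpose: the advisory itself says the shipped fix has bypasses, so a host on 5.4.4 or 5.6.1 is a host to re-check when Fortinet's fuller fix lands, not a closed ticket.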

Credits

Vulnerability discovered by Clément Notin / @cnotin (https://twitter.com/cnotin).

Vulnerability disclosed in coordination with CERT-Intrinsec (https://securite.intrinsec.com).


Exploitation details

Setup

Windows 7 Professional x64, English. FortiClient, vulnerable version:

Create a VPN connection in FortiClient with a FortiGate endpoint (or try with any domain having an invalid certificate, such as expired.badssl.com):

Enable the “VPN before logon” setting in FortiClient:


Log off. The computer is now in a vulnerable state.

Exploitation steps

On the logon screen, select the VPN profile and type any password for the user. If the certificate is invalid (default certificate on a legitimate FortiGate, MITM attack, use of the endpoint's IP address instead of its hostname...), the confirmation dialog appears when connecting; click "View certificate":

Go to the "Details" tab, then click "Copy to file":


Click "Next" until the screen with the "Browse" button:

Browse to "C:\Windows\System32" and type a wildcard "*" in the filename field to show every file. Find cmd.exe, right-click it and choose "Open":

You get a shell with SYSTEM privileges:


The attacker can create a local administrator user account and use it to log in:
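The following Python is an added example, not part of this advisory or of Fortinet's product: it runs the detection a SOC would want over process-creation and account-management telemetry for the chain shown above, flagging an interactive shell started as SYSTEM from a parent other than the usual service hosts, and raising severity when a new local account lands in Administrators on the same host within ten minutes. The sample events, their simplified field layout (modelled on Sysmon Event ID 1 and Security events 4720/4732) and the FortiClient parent image path are all constructed assumptions; the advisory does not name the process that draws the certificate dialog.

```python
"""Detect a SYSTEM shell from an unexpected parent, then a new local admin.

Added example with constructed events; field names are a simplified view of
Sysmon Event ID 1 (process creation), Security 4720 (user account created)
and Security 4732 (member added to a local group).
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Dict, List

SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"
SHELLS = {"cmd.exe", "powershell.exe"}
# Parents that routinely start SYSTEM shells (service control manager,
# service hosts, scheduled tasks, WMI). A SYSTEM shell whose parent is a
# VPN client's UI process, as in this advisory, is not on that list.
EXPECTED_SYSTEM_PARENTS = {"services.exe", "svchost.exe", "taskeng.exe", "wmiprvse.exe"}
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed events. The FortiClient parent path is an assumption.
SAMPLE_EVENTS: List[Dict] = [
    {"time": "2017-12-22T08:00:05", "host": "LAPTOP01", "event_id": 1,
     "image": r"C:\Windows\System32\cmd.exe", "user": SYSTEM_ACCOUNT,
     "parent_image": r"C:\Windows\System32\services.exe"},        # benign: scheduled task
    {"time": "2017-12-22T08:02:30", "host": "LAPTOP01", "event_id": 1,
     "image": r"C:\Windows\System32\cmd.exe", "user": SYSTEM_ACCOUNT,
     "parent_image": r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe"},  # assumed parent
    {"time": "2017-12-22T08:03:00", "host": "LAPTOP01", "event_id": 4720,
     "target_user": "svc_backup"},
    {"time": "2017-12-22T08:03:05", "host": "LAPTOP01", "event_id": 4732,
     "group": "Administrators", "member": "svc_backup"},
    {"time": "2017-12-22T09:15:00", "host": "DESKTOP07", "event_id": 1,
     "image": r"C:\Windows\System32\cmd.exe", "user": r"CORP\alice",
     "parent_image": r"C:\Windows\explorer.exe"},                  # benign: logged-on user
]


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _ts(event: Dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def suspicious_system_shells(events: List[Dict]) -> List[Dict]:
    """Process-creation events: shell, running as SYSTEM, unexpected parent."""
    return [ev for ev in events
            if ev["event_id"] == 1
            and _basename(ev["image"]) in SHELLS
            and ev["user"].upper() == SYSTEM_ACCOUNT
            and _basename(ev["parent_image"]) not in EXPECTED_SYSTEM_PARENTS]


def admin_accounts_created_after(events: List[Dict], shell_ev: Dict) -> List[str]:
    """Accounts both created (4720) and added to Administrators (4732) on the
    same host inside CORRELATION_WINDOW after the suspicious shell."""
    start, end = _ts(shell_ev), _ts(shell_ev) + CORRELATION_WINDOW
    same_host = [ev for ev in events
                 if ev["host"] == shell_ev["host"] and start <= _ts(ev) <= end]
    created = {ev["target_user"] for ev in same_host if ev["event_id"] == 4720}
    admins = {ev["member"] for ev in same_host
              if ev["event_id"] == 4732 and ev["group"].lower() == "administrators"}
    return sorted(created & admins)


def detect(events: List[Dict]) -> List[Dict]:
    """One alert per suspicious SYSTEM shell; critical if a new admin followed."""
    alerts = []
    for shell_ev in suspicious_system_shells(events):
        new_admins = admin_accounts_created_after(events, shell_ev)
        alerts.append({
            "host": shell_ev["host"],
            "time": shell_ev["time"],
            "shell": _basename(shell_ev["image"]),
            "parent": _basename(shell_ev["parent_image"]),
            "severity": "critical" if new_admins else "high",
            "new_admins": new_admins,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The parent allowlist is the tuning knob: on a fleet where SYSTEM shells from services.exe are common, the first rule alone is noisy, and it is the correlation with 4720/4732 that turns the logon-screen shell into a ticket. Hosts with "VPN before logon" enabled are the ones where the parent will be a FortiClient process, so that is the population to scope the rule to first.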

External references


Fortinet PSIRT Advisory: FG-IR-17-070 (https://fortiguard.com/psirt/FG-IR-17-070)

CERT-FR: CERTFR-2017-AVI-471 (https://www.cert.ssi.gouv.fr/avis/CERTFR-2017-AVI-471/)

SecurityFocus: BID 102176 (http://www.securityfocus.com/bid/102176)

Mitre: CVE-2017-7344 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7344)

History

2017-02-27: Vulnerability discovery; advisory sent to Fortinet, which acknowledges receipt.

2017-03-15: Intrinsec asks for a status update.

2017-05-04: Fortinet confirms the vulnerability, assigns CVE-2017-7344 and plans the fix for the future 5.6 version.

2017-06-08: ETA for fixed versions set to June.

2017-07-05: Intrinsec asks for a status update.

2017-07-11: Intrinsec discovers that FortiClient 5.6.0.1075, which was supposed to include the fix, is still vulnerable.

2017-08-25: Fortinet clarifies the purpose of the fix and confirms that it is incomplete. New ETA set to the end of September for FortiClient 5.6.1.

2017-12-07: Intrinsec asks for a status update.

2017-12-11: Fortinet is finalizing the advisory and plans to publish it during the week.

2017-12-13: Fortinet publishes the advisory.

2017-12-13: Intrinsec advises against some proposed mitigations.

2017-12-13: Fortinet updates the advisory.

2017-12-18: Intrinsec finds bypasses of the published fix and shares the details with Fortinet.

2017-12-21: Fortinet confirms the bypasses.

2017-12-22: Intrinsec publishes its advisory with detailed explanations, with Fortinet's approval.

— Clément Notin


One reply

27 December 2017, Jesus Hack:

Hi,

I have a doubt.

Was this vulnerability approved with OS Windows 8, 8.1 and 10, or only with Windows 7?
