Document Title:
===============
Fortigate UTM WAF Appliance - Multiple Vulnerabilities


References (Source):
====================
http://vulnerability-lab.com/get_content.php?id=144

http://www.cnnvd.org.cn/vulnerability/show/cv_id/2012010446
ID: CNNVD-201201-446

http://www.fortiguard.com/advisory/FGA-2012-02.html
http://securitytracker.com/id/1026594
http://www.securityfocus.com/bid/51708/info
http://www.redoracle.eu/index.php?option=com_vuln&task=view&id=51708
http://www.sans.org/newsletters/risk/display.php?v=11&i=5&rss=Y#12.5.24
http://packetstormsecurity.org/files/109168/VL-144.txt
https://xforce.iss.net/xforce/xfdb/72761


Release Date:
=============
2012-01-26


Vulnerability Laboratory ID (VL-ID):
====================================
144


Common Vulnerability Scoring System:
====================================
6.1


Vulnerability Class:
====================
Multiple


Current Estimated Price:
========================
3.000€ - 4.000€


Product & Service Introduction:
===============================
The FortiGate series of multi-threat security systems detect and eliminate the most damaging, content-based threats from email 
and Web traffic such as viruses, worms, intrusions, inappropriate Web content and more in real time - without degrading 
network performance.

Ranging from the FortiGate-30 series for small offices to the FortiGate-5000 series for large enterprises, service providers and 
carriers, the FortiGate line combines the FortiOS™ security operating system with FortiASIC processors and other hardware to provide 
a comprehensive and high-performance array of security and networking functions including:

    * Firewall, VPN, and Traffic Shaping
    * Intrusion Prevention System (IPS)
    * Antivirus/Antispyware/Antimalware
    * Web Filtering
    * Antispam
    * Application Control (e.g., IM and P2P)
    * VoIP Support (H.323. and SCCP)
    * Layer 2/3 routing
    * Multiple WAN interface options

FortiGate appliances provide cost-effective, comprehensive protection against network, content, and application-level threats - including 
complex attacks favored by cybercriminals - without degrading network availability and uptime. FortiGate platforms incorporate sophisticated 
networking features, such as high availability (active/active, active/passive) for maximum network uptime, and virtual domain (VDOM) 
capabilities to separate various networks requiring different security policies.

(Copy from the Vendor Homepage: http://www.fortinet.com/products/fortigate/ && http://www.avfirewalls.com/)


Abstract Advisory Information:
==============================
1.1
Vulnerability-Lab Team discovered multiple persistent Web Vulnerabilities on the FortiGate UTM Appliance Application.

1.2
Vulnerability-Lab Team discovered multiple non-persistent Web Vulnerabilities on the FortiGate UTM Appliance Application.


Vulnerability Disclosure Timeline:
==================================
2012-01-27:	Public or Non-Public Disclosure


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted Authentication (Guest Privileges)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
1.1
Multiple input validation vulnerabilities(persistent) are detected on FortGate UTM Appliance Series. Remote attacker can include (persistent) 
malicious script code to manipulate specific customer/admin requests. The vulnerability allows an local low privileged attacker to  manipulate 
the appliance(application) via persistent script code inject. 

It is also possible to hijack customer sessions via persistent script code execution on application-side. Successful exploitation can also 
result in content/module request manipulation, execution of persistent malicious script code, session hijacking, account steal & phishing.


Vulnerable Module(s): (Persistent)
[+] Endpoint - Monitor - Endpoint Monitor
[+] Dailup List
[+] Log&Report - Display

Picture(s):
../ive2.png
../ive3.png


1.2
Multiple input validation vulnerabilities(non-persistent) are detected on FortGate UTM Appliance Series. The vulnerability allows remote 
attackers to hijack admin/customer sessions with required user inter action (client-side). Successful exploitation allows to phish user accounts,
redirect over client side requests or manipulate website context on client-side browser requests.

Vulnerable Module(s): (Non-Persistent)
[+] Endpoint - NAC - Application Database - Listings
[+] List field sorted

				
Picture(s):
../ive1.png


Interface - UTM WAF Web Application [Appliance]
FortiGate-5000 Series;FortiGate-3950 Series;FortiGate-3810A;FortiGate-3600A;FortiGate-3016B;FortiGate-1240B
FortiGate-800;FortiGate-620B;FortiGate-311B;FortiGate-310B;FortiGate-300A;FortiGate-224B;FortiGate-200B Series


Proof of Concept (PoC):
=======================
The vulnerabilities can be exploited by remote attackers with or without user inter action. For demonstration or reproduce  ...

1.1

Code Review: 	Log&Report =>Display	(Persistent)
Url: 		https://fortigate.com/log/display?log=clog&content_type=FTP ...

<div id="tableContainer">
<table id="contentBody" class="list" cellspacing="0" cellpadding="0" style="width:100%"><thead><tr class="heading"><th>#</th>
<th style="text-align:left;"><nobr><img src="/images/filter-grey.gif" style="cursor: pointer; padding-left: 3px;" 
onclick="wij_display_modal_dlg('/log/display?log=clog&frame=filter&field_name=idate&content_type=FTP&device=2', { 'width': 610, 'height': 430 });"> 
Date</nobr></th><th style="text-align: left"><nobr>Time</nobr></th>
<th style="text-align:left;"><nobr><img src="/images/filter-grey.gif" style="cursor: pointer; padding-left: 3px;" onclick="wij_display_modal_dlg
('/log/display?log=clog&frame=filter&field_name=pri&content_type=FTP&device=2', { 'width': 610, 'height': 430 });"> Level</nobr></th>
<th style="text-align:left;"><nobr><img src="/images/filter-green.gif" style="cursor: pointer; padding-left: 3px;" onmouseover="overlib('Equals<
br>"FTP"');" onmouseout="nd();" onclick="wij_display_modal_dlg('/log/display?log=clog&frame=filter&field_name=subtype&content_type=FTP
&device=2', { 'width': 610, 'height': 430 });"> Sub Type</nobr></th><th style="text-align:left;"><nobr><img src="/images/filter-grey.gif" style="cursor: 
pointer; padding-left: 3px;" onclick="wij_display_modal_dlg('/log/display?log=clog&frame=filter&field_name=log_id&content_type=FTP&device=2', { '
width': 610, 'height': 430 });"> ID</nobr></th><th style="text-align:left;"><nobr><img src="/images/filter-grey.gif" style="cursor: pointer; 
padding-left: 3px;" onclick="wij_display_modal_dlg('/log/display?log=clog&frame=filter&field_name=client&content_type=FTP&device=2', { 'width': 
610, 'height': 430 });"> Source</nobr></th><th style="text-align:left;"><nobr><img src="/images/filter-grey.gif" style="cursor: pointer; 
padding-left: 3px;" onclick="wij_display_modal_dlg('/log/display?log=clog&frame=filter&field_name=server&content_type=FTP&device=2', { '
width': 610, 'height': 430 });"> Destination</nobr></th>
<th style="text-align:left;"><nobr><img src="/images/filter-green.gif" style="cursor: pointer; padding-left: 3px;" onmouseover="overlib
('Equals<br>">"<<INCLUDED PERSISTENT SCRIPTCODE HERE!!!>>"<br>"
>"<<INCLUDED PERSISTENT SCRIPTCODE HERE!!!>>2"<br>');" onmouseout="nd();" onclick="wij_display_modal_dlg
('/log/display?log=clog&frame=filter&field_name=cstatus&content_type=FTP&device=2', { 'width': 610, 'height': 430 });"> Content Status</nobr></th>
<th style="text-align:left;"><nobr><img src="/images/filter-grey.gif" style="cursor: pointer; padding-left: 3px;" onclick="wij_display_modal_dlg
('/log/display?log=clog&frame=filter&field_name=ftpcmd&content_type=FTP&device=2', { 'width': 610, 'height': 430 });"> FTP Command</nobr></th>
<th style="text-align:left;"><nobr><img src="/images/filter-grey.gif" style="cursor: pointer; padding-left: 3px;" onclick="wij_display_modal_dlg
('/log/display?log=clog&frame=filter&field_name=file&content_type=FTP&device=2', { 'width': 610, 'height': 430 });"> File</nobr></th>
<th id="log_details_spacer" class="log_details_spacer"><div></div></th></tr>
</thead><tbody id="contentHead"></tbody></table></div>




Code Review: 	Dailup List		(Persistent)
Url: 		https://www.fortigate.com/vpn/tunnel/dialup?type=

<tr id='paging_row' class='dark' style='visibility:hidden'><td style='text-align:center' nowrap><form method="post" action="/vpn/tunnel/dialup">
<img id="page_first" class="list_button_disabled" src="/images/play_first.gif" title="First Page">
<img id="page_prev" class="list_button_disabled" src="/images/play_prev.gif" title="Previous Page">
<input id="page_current" name="page_current" type="text" size="4" maxlength="10" autocomplete="off" value="" style="vertical-align: 
middle" err_page_current="Please enter a valid page number." disabled>
<span style="vertical-align: middle"> / </span><span id="page_total" style="vertical-align:middle"></span>
<img id="page_next" class="list_button_disabled" src="/images/play_next.gif" title="Next Page">
<img id="page_last" class="list_button_disabled" src="/images/play_last.gif" title="Last Page">
<script type="text/javascript">setPaging(1, 6, 50, "/vpn/tunnel/dialup?type=1&start=1", "start", document, document);</script>
<span style="vertical-align:middle">[ <span style="text-decoration:underline; cursor:pointer" onclick="wij_display_modal_dlg
('/vpn/tunnel/dialup?type=1&start=1&fields=vpn_tunnel_fields&start=1', { 'width': 500, 'height': 420 });">Column Settings</span> ] [ 
<span style="text-decoration:underline; cursor:pointer" onclick="setCookie('vpn_tunnel_filter', ''); document.location.assign('/vpn/tunnel/dialup?type=1')
;">Clear All Filters</span> ]</span></form></td></tr><tr><td colspan="2">
<form name="display_list" method="post" action="/vpn/tunnel/dialup">
<table id="list" class="list" align="center" cellspacing="1" cellpadding="0">
<tbody id="list_body"><tr class="heading"><th class="field_name"><nobr>
<img src="/images/filter-grey.gif" style="cursor: pointer" onclick="wij_display_modal_dlg(setQueryValues('/vpn/tunnel/dialup?type=1&start=1&view_type=0&ipv6=0', 
['filterdlg', 'field_name'], ['1', 'name']), { 'width': 610 });"> <span>Name</span></nobr></th>
<th class="field_rgwy"><nobr><img src="/images/filter-grey.gif" style="cursor: pointer" onclick="wij_display_modal_dlg(setQueryValues
('/vpn/tunnel/dialup?type=1&start=1&view_type=0&ipv6=0', ['filterdlg', 'field_name'], ['1', 'rgwy']), { 'width': 610 });"> <span>Remote Gateway
</span></nobr></th><th class="field_rport"><nobr>
<img src="/images/filter-grey.gif" style="cursor: pointer" onclick="wij_display_modal_dlg(setQueryValues('/vpn/tunnel/dialup?type=1&start=1&view_type=0&ipv6=0', 
['filterdlg', 'field_name'], ['1', 'rport']), { 'width': 610 });"> <span>Remote Port</span></nobr></th>
<th class="field_username"><nobr>
<img src="/images/filter-green.gif" style="cursor: pointer" onmouseover="overlib('Contains<br>
>"<<INCLUDED PERSISTENT SCRIPTCODE HERE!!!>><br>');" onmouseout="nd();" onclick="wij_display_modal_dlg(setQueryValues
('/vpn/tunnel/dialup?type=1&start=1&view_type=0&ipv6=0', ['filterdlg', 'field_name'], ['1', 'username']), { 'width': 610 });"> <span>Username</span></nobr></th>
<th class="field_expire"><nobr>
<img src="/images/filter-grey.gif" style="cursor: pointer" onclick="wij_display_modal_dlg(setQueryValues('/vpn/tunnel/dialup?type=1&start=1&view_type=0&ipv6=0', 
['filterdlg', 'field_name'], ['1', 'expire']), { 'width': 610 });"> <span>Timeout</span></nobr></th>
<th class="field_lid"><nobr>
<img src="/images/filter-grey.gif" style="cursor: pointer" onclick="wij_display_modal_dlg(setQueryValues('/vpn/tunnel/dialup?type=1&start=1&view_type=0&ipv6=0', 
['filterdlg', 'field_name'], ['1', 'lid']), { 'width': 610 });"> <span>Proxy ID Source</span></nobr></th>
<th class="field_rid"><nobr>
<img src="/images/filter-grey.gif" style="cursor: pointer" onclick="wij_display_modal_dlg(setQueryValues('/vpn/tunnel/dialup?type=1&start=1&view_type=0&ipv6=0', 
['filterdlg', 'field_name'], ['1', 'rid']), { 'width': 610 });"> <span>Proxy ID Destination</span></nobr></th>
<th class="field_status"><nobr><img src="/images/filter-grey.gif" style="cursor: pointer" onclick="wij_display_modal_dlg(setQueryValues
('/vpn/tunnel/dialup?type=1&start=1&view_type=0&ipv6=0', ['filterdlg', 'field_name'], ['1', 'status']), { 'width': 610 });"> <span>Status</span></nobr></th>
</tr>



Code Review: 	Monitor =>Endpoint Monitor	(Persistent)
Url:		/endpointcompliance/monitor/eplist? 

<tr class="heading">
<th class="field_status"><span class="sort" onclick="doSort(['status'])">Compliant</span></th>
<th class="field_host_name"><nobr>
<img src="/images/filter-green.gif" style="cursor: pointer;" onmouseover="overlib('Equals<br>>"<INCLUDED PERSISTENT SCRIPTCODE HERE!!!><br>');" 
onmouseout="nd();" onclick="wij_display_modal_dlg(setQueryValues('/endpointcompliance/monitor/eplist?fields_sorted_opt=host_name&status_filter=2&
amp;view_type=0&ipv6=0', ['filterdlg', 'field_name'], ['1', 'host_name']), { 'width': 610 });"> <span class="sort_primary">Host Name</span></nobr></th>
<th class="field_ip_addr"><nobr><img src="/images/filter-grey.gif" style="cursor: pointer;" onclick="wij_display_modal_dlg(setQueryValues
('/endpointcompliance/monitor/eplist?fields_sorted_opt=host_name&status_filter=2&view_type=0&ipv6=0', ['filterdlg', 'field_name'], 
['1', 'ip_addr']), { 'width': 610 });"> <span class="sort" onclick="doSort(['ip_addr'])">IP Address</span></nobr></th>
<th class="field_last_user"><nobr>
<img src="/images/filter-grey.gif" style="cursor: pointer;" onclick="wij_display_modal_dlg(setQueryValues('/endpointcompliance/monitor/
eplist?fields_sorted_opt=host_name&status_filter=2&view_type=0&ipv6=0', ['filterdlg', 'field_name'], ['1', 'last_user']), { 'width': 610 });"> 
<span class="sort" onclick="doSort(['last_user'])">User</span></nobr></th><th class="field_os_version"><nobr>
<img src="/images/filter-grey.gif" style="cursor: pointer;" onclick="wij_display_modal_dlg(setQueryValues('/endpointcompliance
/monitor/eplist?fields_sorted_opt=host_name&status_filter=2&view_type=0&ipv6=0', ['filterdlg', 'field_name'], ['1', 'os_version']), { 'width': 610 });
"> <span class="sort" onclick="doSort(['os_version'])">OS Version</span></nobr></th><th class="field_fct_version"><nobr>
<img src="/images/filter-grey.gif" style="cursor: pointer;" onclick="wij_display_modal_dlg(setQueryValues('/endpointcompliance/monitor/
eplist?fields_sorted_opt=host_name&status_filter=2&view_type=0&ipv6=0', ['filterdlg', 'field_name'], ['1', 'fct_version']), { 'width': 610 });"> 
<span class="sort" onclick="doSort(['fct_version'])">FortiClient Version</span></nobr></th><th class="field_av_version"><nobr>
<img src="/images/filter-grey.gif" style="cursor: pointer;" onclick="wij_display_modal_dlg(setQueryValues('/endpointcompliance/monitor/
eplist?fields_sorted_opt=host_name&status_filter=2&view_type=0&ipv6=0', ['filterdlg', 'field_name'], ['1', 'av_version']), { 'width': 610 });"> 
<span class="sort" onclick="doSort(['av_version'])">AV Signature</span></nobr></th>
<th class="field_apps_status"><nobr><img src="/images/filter-grey.gif" style="cursor: pointer;" onclick="wij_display_modal_dlg(setQueryValues
('/endpointcompliance/monitor/eplist?fields_sorted_opt=host_name&status_filter=2&view_type=0&ipv6=0', ['filterdlg', 'field_name'], 
['1', 'apps_status']), { 'width': 610 });"> <span class="sort" onclick="doSort(['apps_status'])">Detected Applications</span></nobr></th>
<th class="field_traffic_vol_attempt"><nobr><img src="/images/filter-grey.gif" style="cursor: pointer;" onclick="wij_display_modal_dlg(setQueryValues
('/endpointcompliance/monitor/eplist?fields_sorted_opt=host_name&status_filter=2&view_type=0&ipv6=0', ['filterdlg', 'field_name'], ['1', '
traffic_vol_attempt']), { 'width': 610 });"> <span class="sort" onclick="doSort(['traffic_vol_attempt'])">Traffic Volume/Attempts</span></nobr></th>
</tr>



1.2

Type:		Non-Persistent
Module:		List field sorted
Url:		https://www.fortigate.com/user/auth/list?fields_sorted_opt=<INCLUDE NON-PERSISTENT SCRIPTCODE HERE!!!>


Type: 		Non-Persistent
Module:		Endpoint -> NAC -> Application Database -> Listings
Url:		https://www.fortigate.com/endpointcompliance/app_detect/predefined_sig_list?fields_sorted_opt=<INCLUDE NON-PERSISTENT SCRIPTCODE HERE!!!>




Code-Review: 	fields_sorted_opt

<script language="javascript">
var callback_handlers = [refreshPage, null];

function refreshPage() {
  refresh_page_absolute("/endpointcompliance/app_detect/predefined_sig_list?fields_sorted_opt=<INCLUDED NON-PERSISTENT SCRIPTCODE HERE!!!>");
}
function doSort(sort_field_array) 
{
    var SORT_REV_INDICATOR = '-';
    var old_sort_order_rev=0;
    var old_sort_col=$('fields_sorted_opt').value;
    var new_sort_col='';
    if (old_sort_col.substring(0,1) == SORT_REV_INDICATOR) 
    {
        old_sort_col = old_sort_col.substring(1);
        old_sort_order_rev = 1;
    }
    if (old_sort_col != sort_field_array[0] || !old_sort_order_rev)
    {
        new_sort_col = SORT_REV_INDICATOR + sort_field_array[0];
    }
    else
    {
        new_sort_col = sort_field_array[0];
    }
    var new_url = '/endpointcompliance/app_detect/predefined_sig_list?fields_sorted_opt=' + new_sort_col;
    document.location = new_url;
}
</script>
</html>



Reference(s):
		../dialup.htm
		../display.htm
		../eplist.htm
		../predefined_sig_list.htm


Solution - Fix & Patch:
=======================
1.1
To fix/patch the persistent input validation vulnerabilities restrict the input fields & parse the input.
Locate the vulnerable area(s) reproduce the bugs &  parse the output after a malicious(test) insert.
Setup a filter or restriction mask to prevent against future persistent input validation attacks.


1.2
To fix the client side input validation vulnerability parse the vulnerable request by filtering the input & cleanup the output.
Set a input restriction or configure whitelist/filter to stop client side requests and form a secure exception-handling around.



Solution by FortiGate:
Fortinet is working towards an updated firmware release to address the issues. This advisory will be updated once a fix schedule is in place. The following precautions are recommended:

Ensure all GUI sessions use encryption (via HTTPS);
Configure the FortiGate to only allow GUI admin access from trusted hosts or networks;
If administrative access to FortiGates is required from untrusted hosts, SSH access is recommended as SSH is not affected;
Refrain from administering FortiGate appliances from untrusted or shared computers.


Reference: http://www.fortiguard.com/advisory/FGA-2012-02.html


Security Risk:
==============
1.1
The security risk of the persistent vulnerabilities are estimated as high because of multiple persistent input validation vulnerabilities on different modules. 

1.2
The security risk of the non-persistent cross site requests are estimated as low because of required user inter-action to hijack a not expired session.


Credits & Authors:
==================
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

    				   	Copyright © 2012 | Vulnerability Laboratory