[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] [CORE-2015-0013] - FortiClient Antivirus Multiple Vulnerabilities

To: <fulldisclosure@xxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: [FD] [CORE-2015-0013] - FortiClient Antivirus Multiple Vulnerabilities
From: CORE Advisories Team <advisories@xxxxxxxxxxxxxxxx>
Date: Tue, 1 Sep 2015 13:56:33 -0300
1. Advisory Information

Title: FortiClient Antivirus Multiple Vulnerabilities
Advisory ID: CORE-2015-0013
Advisory URL: 
http://www.coresecurity.com/advisories/forticlient-antivirus-multiple-vulnerabilities
Date published: 2015-09-01
Date of last update: 2015-09-01
Vendors contacted: Fortinet
Release mode: Coordinated release


2. Vulnerability Information

Class: Information Exposure [CWE-200], Write-what-where Condition [CWE-123], 
Exposed Dangerous Method or Function [CWE-749], Exposed IOCTL with Insufficient 
Access Control [CWE-782]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2015-4077, CVE-2015-5735, CVE-2015-5736, CVE-2015-5737



3. Vulnerability Description

Fortinet FortiClient [1] extends the power of FortiGate's Unified threat 
management to endpoints on your network. Desktops, laptops, tablets and 
smartphones, FortiClient enables every device - local or remote, stationary or 
mobile - to integrate with your FortiGate. With no per-seat license fees, 
FortiClient takes the headaches out of managing multiple endpoints so your 
users and guests can work efficiently anywhere, without compromising your 
security.

FortiClient drivers are prone to multiple attacks and expose a wide surface 
that allows users to easily get SYSTEM privileges.


4. Vulnerable packages

FortiClient 5.2.3.633
Other versions may probably be affected too, but they were not checked.


5. Vendor Information, Solutions and Workarounds

Fortinet released an updated version of FortiClient 5.2.4.0650 [2] that fixes 
the reported issues.


6. Credits

These vulnerabilities were discovered and researched by Enrique Nissim from 
Core Security's Consulting Team. The publication of this advisory was 
coordinated by Joaquín Rodríguez Varela from Core Security's Advisories Team.



7. Technical Description / Proof of Concept Code

[CVE-2015-4077] The vulnerability lies in the drivers "mdare64_48.sys", 
"mdare32_48.sys", "mdare32_52.sys" and "mdare64_52.sys". By using the IOCTL 
0x22608C with the proper parameters, an attacker is able to read arbitrary 
memory content from kernelspace.

[CVE-2015-5735] The vulnerability lies in the drivers "mdare64_48.sys", 
"mdare32_48.sys", "mdare32_52.sys" and "mdare64_52.sys". By using the IOCTL 
0x226108, the attacker is able to call ZwEnumerateValueKey and write its output 
to an arbitrary memory location.

[CVE-2015-5736] The vulnerability lies in "Fortishield.sys", which is a 
minifilter filesystem driver that hooks filesystem operations. IOCTL 0x220024 
and 0x220028 both allow establishing callbacks that will be called during any 
IRP_MJ_WRITE and IRP_MJ_SET_INFORMATION, respectively. Consequently, any user 
in the system can set an arbitrary function as a callback and execute code with 
kernel privileges.

[CVE-2015-5737] The vulnerability lies in the drivers "mdare64_48.sys", 
"mdare32_48.sys", "mdare32_52.sys", "mdare64_52.sys" and "Fortishield.sys". All 
of these drivers expose an API to manage processes and the Windows registry. 
For instance, the IOCTL 0x2220c8 of the "mdareXX_XX.sys" driver returns a full 
privileged handle to a given process PID. This same function is replicated 
inside "Fortishield.sys".



8. Report Timeline

2015-06-25: Core Security notified Fortinet of the vulnerabilities. Publication 
date set for July 27th, 2015.
2015-06-30: Fortinet replied that they received Core Security's email and that 
they would like to receive the draft version of the advisory.
2015-07-01: Core Security sent Fortinet the draft version of the advisory and 
requested a tentative schedule for releasing the updates.
2015-07-01: Fortinet replied that they received the draft version of the 
advisory and that they would review it.
2015-07-15: Core Security requested an update from Fortinet regarding the 
reported vulnerabilities and a tentative schedule.
2015-07-19: Fortinet replied and confirmed the reported bugs, but stated that 
they were only able to trigger them with administrative privileges. They 
requested a PoC from Core Security.
2015-07-20: Core Security replied, explaining to Fortinet that they were able 
to trigger the vulnerabilities as a non-privileged user. They sent Fortinet a 
PoC code that opens a handle with read/write permissions to LSASS process and 
then uses it to allocate memory in its virtual address space.
2015-07-20: Fortinet replied that they would review the PoC.
2015-07-20: Fortinet asked if Core Security researchers could review an interim 
build when available.
2015-07-21: Core Security confirmed that they would be willing to review an 
interim build when available.
2015-08-03: Core Security requested an update from Fortinet regarding the 
availability of the interim build, and asked if there was a specific date 
Fortinet was planning to release the fix.
2015-08-04: Fortinet replied that their current release date was August 17.
2015-08-05: Fortinet updated the schedule, explaining that the interim build 
wouldn't include the MDARE fixes therefore delaying the release until the end 
of August.
2015-08-07: Core Security asked Fortinet if the interim build was going to be 
published by Fortinet, because if so, that would force Core Security to publish 
their findings as well. If that wasn't the case, Core Security recommended 
publishing everything together later that month.
2015-08-07: Fortinet replied that the interim build was private and therefore 
there wasn't a need to publish ahead of schedule.
2015-08-10: Fortinet sent Core Security a link to download the interim build 
and requested feedback.
2015-08-10: Core Security replied that they received and downloaded the interim 
build and would send feedback. Additionally, Core Security requested an updated 
ETA.
2015-08-18: Core Security requested the specific date Fortinet would release 
the patched version of their product so they could schedule their security 
advisory publication accordingly.
2015-08-20: Core Security again requested for a specific date for the 
publication of the updates and informed Fortinet them that if they didn't 
receive and answer in the following days they would be forced to schedule the 
advisory publication.
2015-08-20: Fortinet replied that the scheduled release date for the updated 
version of FortiClient was August 31. They asked if they had an opportunity to 
review the interim build andif they had any feedback.
2015-08-24: Core Security replied that they were able to review the interim 
build and that they could confirm that those bugs were no longer 
exploitable.Core Security requested and updated ETA of the updated version.
2015-08-24: Fortinet replied that the scheduled release seemed to be confirmed 
and that the estimated time of availability would be roughly 5 p.m. Pacific 
Time.
9. References

[1] http://www.forticlient.com/.
[2] http://docs.fortinet.com/d/forticlient-5.2.4-windows-release-notes.pdf. 


10. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating 
the future needs and requirements for information security technologies. We 
conduct our research in several important areas of computer security including 
system vulnerabilities, cyber attack planning and simulation, source code 
auditing, and cryptography. Our results include problem formalization, 
identification of vulnerabilities, novel solutions and prototypes for new 
technologies. CoreLabs regularly publishes security advisories, technical 
papers, project information and shared software tools for public use at: 
http://corelabs.coresecurity.com.


11. About Core Security

Core Security enables organizations to get ahead of threats with security test 
and measurement solutions that continuously identify and demonstrate real-world 
exposures to their most critical assets. Our customers gain real visibility 
into their security standing, real validation of their security controls, and 
real metrics to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research 
and leading threat expertise from the company's Security Consulting Services, 
CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 
399-6980 or on the Web at: http://www.coresecurity.com.


12. Disclaimer

The contents of this advisory are copyright (c) 2014 Core Security and (c) 2014 
CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial 
Share-Alike 3.0 (United States) License: 
http://creativecommons.org/licenses/by-nc-sa/3.0/us/


13. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security advisories 
team, which is available for download at 
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Next by Date: [FD] KL-001-2015-003 : SiS Windows VGA Display Manager Multiple Privilege Escalation
Next by thread: [FD] KL-001-2015-003 : SiS Windows VGA Display Manager Multiple Privilege Escalation
Index(es):
- Date
- Thread