[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] Fortinet FortiMail 400 IBE - Multiple Web Vulnerabilities
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2013-01-28 16:05:26
Message-ID: 5106A1C6.7000206 () vulnerability-lab ! com
[Download RAW message or body]
Title:
======
Fortinet FortiMail 400 IBE - Multiple Web Vulnerabilities
Date:
=====
2013-01-23
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=701
VL-ID:
=====
701
Common Vulnerability Scoring System:
====================================
7.1
Introduction:
=============
The FortiMail family of appliances is a proven, powerful messaging security platform for any \
size organization, from small businesses to carriers, service providers, and large \
enterprises. Purpose-built for the most demanding messaging systems, the FortiMail appliances \
utilize Fortinet's years of experience in protecting networks against spam, malware, and other \
message-borne threats.
You can prevent your messaging system from becoming a threat delivery system with FortiMail. \
Its inbound filtering engine blocks spam and malware before it can clog your network and \
affect users. Its outbound inspection technology prevents outbound spam or malware (including \
3G mobile traffic) from causing other antispam gateways to blacklist your users.
Three deployment modes offer maximum versatility while minimizing infrastructure changes or \
service disruptions: transparent mode for seamless integration into existing networks with no \
changes to your existing mail server, gateway mode as a proxy MTA for existing messaging \
gateways, or full messaging server functionality for remote locations. FortiMail provides \
Identity-Based Encryption (IBE), in addition to S/MIME and TLS, as email encryption option to \
enforce policy-based encryption for secure content delivery. Furthermore, the FortiMail \
customizable and predefined dictionaries prevent accidental or intentional loss of \
confidential and regulated data.
(Copy of the Vendor Homepage: http://www.fortinet.com/products/fortimail/ )
Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in Fortinets \
FortiMail IBE 400Appliance Application.
Report-Timeline:
================
2012-09-16: Researcher Notification & Coordination
2012-09-18: Vendor Notification
2012-10-08: Vendor Response/Feedback
2012-**-**: Vendor Fix/Patch (NO RESPONSE BY PSIRT)
2013-01-23: Public Disclosure
Status:
========
Published
Affected Products:
==================
Fortinet
Product: FortiMail Appliance Series 400 IBE
Exploitation-Technique:
=======================
Remote
Severity:
=========
High
Details:
========
An exception-handling and input filter bypass vulnerability is detected in the Fortinets \
FortiMail IBE Appliance Application 200D,400C, VM2K, 2000B and 5002B.
The first vulnerability is located in the parse module with the bound vulnerable \
exception-handling and vulnerable effect on all input fields. The vulnerability allows an \
attacker to bypass the input parse routine by an implement of 2 close tags, which results in \
the execution of the secound injected script code with a space between.
The secound vulnerability is located in the import/upload certificate module with the bound \
vulnerable certificate name and information parameters. An attacker can implement own \
certificates with script code in the malicious name and information values. After the upload \
the persistent code get executed out of the certificate listing main module.
Successful exploitation of the vulnerabilities allows to hijack admin/customer sessions, can \
lead to information disclosure or result in stable manipulation of web context (persistent & \
non-persistent).
Vulnerable Module(s):
[+] Invalid - Exception Handling
Vulnerable Parameter(s):
[+] ipmask
[+] username
[+] address
[+] url
Proof of Concept:
=================
1.1
The exception handling and filter bypass vulnerability can be exploited by remote attackers and \
local low privileged user account. For demonstration or reproduce ...
Module: IPAddressMask - ext-mb-text, ext-gen4185 & ext-gen7196
INJECT: https://127.0.0.1:1338/admin/FEAdmin.html#SysInterfaceCollection
<div id="ext-gen4183"><div id="ext-gen4184" class="ext-mb-icon ext-mb-error"></div><div \
id="ext-gen7197" class="ext-mb-content"><span id="ext-gen4185" class="ext-mb-
text">Error:IPAddressMask( 2 ) , IPAddressMask.cpp:14, "Invalid mask:"
> <iframe id="ext-gen7196" [PERSISTENT INJECTED SCRIPT CODE!];)" <="" "=""><[PERSISTENT
INJECTED SCRIPT CODE!]") <"><[PERSISTENT INJECTED SCRIPT CODE!]") </0"</iframe></span>
AFFECTED: https://127.0.0.1:1338/admin/FEAdmin.html#SysInterfaceCollection
Module: Whitelist & Blacklist - Address
URL: https://209.87.230.132:1443/admin/FEAdmin.html#PersonalBlackWhiteList
<div id="ext-gen10562" class="ext-mb-content"><span id="ext-gen5714" class="ext-mb-text">
Invalid address: "><[PERSISTENT INJECTED SCRIPT CODE!];)" <="" -=""
"=""><[PERSISTENT INJECTED SCRIPT CODE!]") <</iframe></span>
AFFECTED: https://209.87.230.132:1443/admin/FEAdmin.html#SystemBlackWhiteList
Module: Bounce Verification - Username
URL: https://209.87.230.132:1443/admin/FEAdmin.html#AsBounceverifyKeyCollection
<div id="ext-gen7197" class="ext-mb-content"><span id="ext-gen4185" class="ext-mb-text">
Invalid user name: ""><iframe id="ext-gen19608" [PERSISTENT INJECTED SCRIPT
CODE!];)" <="" "=""><[PERSISTENT INJECTED SCRIPT CODE!]") <"</iframe></span>
1.2
The persistent vulnerability can be exploited by remote attackers with privileged application \
account and low required user inter action. For demonstration or reproduce ...
Module: Upload or Import - Local Certificate - Certificate name
URL: https://209.87.230.132:1443/admin/FEAdmin.html#SysCertificateDetailCollection
<div id="ext-gen38011" class="x-grid3-body"><div id="ext-gen38041" class="x-grid3-row \
x-grid3-row-selected " style="width: 1158px;"> <table class="x-grid3-row-table"
style="width: 1158px;" border="0" cellpadding="0" cellspacing="0"><tbody><tr><td \
id="ext-gen38095" class="x-grid3-col x-grid3-cell x-grid3-td-mkey x-grid3-cell-first "
style="width:248px;" tabindex="0"><div id="ext-gen38036" class="x-grid3-cell-inner \
x-grid3-col-mkey" unselectable="on">[PERSISTENT INJECTED SCRIPT CODE AS CERTIFICATE \
NAME!]</div></td> <td class="x-grid3-col x-grid3-cell x-grid3-td-subject " style="width: \
726px;" tabindex="0"><div id="ext-gen38068" class="x-grid3-cell-inner x-grid3-
col-subject" unselectable="on">/[PERSISTENT INJECTED SCRIPT CODE AS CERTIFICATE VIA \
INFORMATION!]</div></td> <td id="ext-gen38085"
class="x-grid3-col x-grid3-cell x-grid3-td-status " style="width:148px;" tabindex="0"><div \
id="ext-gen38086" class="x-grid3-cell-inner x-grid3-col-status"
unselectable="on">OK</div></td><td id="ext-gen38084" class="x-grid3-col x-grid3-cell \
x-grid3-td-isReferenced x-grid3-cell-last " style="width:28px;" tabindex="0"><div
class="x-grid3-cell-inner x-grid3-col-isReferenced" unselectable="on"><img \
src="images/gray-ball.png" alt="0" align="absmiddle"
border="0"></div></td></tr></tbody></table></div><div id="ext-gen38040" class="x-grid3-row \
x-grid3-row-alt " style="width: 1158px;"> <table class="x-grid3-row-table"
style="width: 1158px;" border="0" cellpadding="0" cellspacing="0"><tbody><tr><td \
class="x-grid3-col x-grid3-cell x-grid3-td-mkey x-grid3-cell-first "
style="width:248px;" tabindex="0"><div id="ext-gen38037" class="x-grid3-cell-inner \
x-grid3-col-mkey" unselectable="on">[PERSISTENT INJECTED SCRIPT CODE AS CERTIFICATE \
NAME!]</div></td> <td class="x-grid3-col x-grid3-cell x-grid3-td-subject " style="width: \
726px;" tabindex="0"><div id="ext-gen38039" class="x-grid3-cell-inner x-grid3-
col-subject" unselectable="on">[PERSISTENT INJECTED SCRIPT CODE AS CERTIFICATE VIA \
INFORMATION!]</div></td><td class="x-grid3-col x-grid3-cell x-grid3-td-status " \
style="width:148px;" tabindex="0"><div
id="ext-gen38102" class="x-grid3-cell-inner x-grid3-col-status" \
unselectable="on">Default</div></td><td id="ext-gen38101" class="x-grid3-col x-grid3-cell \
x-grid3-td-
isReferenced x-grid3-cell-last " style="width:28px;" tabindex="0"><div id="ext-gen38083" \
class="x-grid3-cell-inner x-grid3-col-isReferenced" unselectable="on"><img
id="ext-gen38100" src="images/red-ball.png" alt="1" align="absmiddle" \
border="0"></div></td></tr></tbody></table></div></div>
Solution:
=========
1.1
The exception-handling vulnerability can be fixed by parsing the full content without excluding \
after a close tag. Restrict the input fields to allowed chars.
1.2
The persistent vulnerability in the certificate import/upload module can be patched by parsing \
the certificate name and info input field. Do not forget to parse also the vulnerable output \
listing of the certificate name and cert information.
Risk:
=====
The security risk of the of the exception-handling and input filter bypass vulnerability is \
estimated as high(-).
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability-Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or \
its suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - \
www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - \
research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - \
news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, sourcecode, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use \
or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to \
get a permission.
Copyright © 2012 | Vulnerability Laboratory
--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic