[CORE-2015-0013] - FortiClient Antivirus Multiple Vulnerabilities | BOT24

[CORE-2015-0013] - FortiClient Antivirus Multiple Vulnerabilities

1. Advisory Information

Title: FortiClient Antivirus Multiple Vulnerabilities
Advisory ID: CORE-2015-0013
Advisory URL: http://www.coresecurity.com/advisories/forticlient-antivirus-multiple-
vulnerabilities
Date published: 2015-09-01
Date of last update: 2015-09-01
Vendors contacted: Fortinet
Release mode: Coordinated release


2. Vulnerability Information

Class: Information Exposure [CWE-200], Write-what-where Condition [CWE-123], 
Exposed Dangerous Method or Function 
[CWE-749], Exposed IOCTL with Insufficient Access Control [CWE-782]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2015-4077, CVE-2015-5735, CVE-2015-5736, CVE-2015-5737



3. Vulnerability Description

Fortinet FortiClient [1] extends the power of FortiGate's Unified threat management to 
endpoints on your network. Desktops, laptops, tablets and smartphones, FortiClient enables every device - local or remote, stationary or mobile - to integrate with your FortiGate. 
With no per-seat license fees, FortiClient takes the headaches out of managing multiple 
endpoints so your users and guests can work efficiently anywhere, without compromising 
your security.

FortiClient drivers are prone to multiple attacks and expose a wide surface that allows 
users to easily get SYSTEM privileges.


4. Vulnerable packages

FortiClient 5.2.3.633
Other versions may probably be affected too, but they were not checked.


5. Vendor Information, Solutions and Workarounds

Fortinet released an updated version of FortiClient 5.2.4.0650 [2] that fixes the reported issues.


6. Credits

These vulnerabilities were discovered and researched by Enrique Nissim from Core 
Security'sConsulting Team. The publication of this advisory was coordinated by Joaquín 
Rodríguez Varela from Core Security's Advisories Team.



7. Technical Description / Proof of Concept Code

[CVE-2015-4077] The vulnerability lies in the drivers "mdare64_48.sys", "mdare32_48.sys", "mdare32_52.sys" and "mdare64_52.sys". By using the IOCTL 0x22608C with the proper 
parameters, an attacker is able to read arbitrary memory content from kernelspace.
[CVE-2015-5735] The vulnerability lies in the drivers "mdare64_48.sys", "mdare32_48.sys", "mdare32_52.sys" and "mdare64_52.sys". By using the IOCTL 0x226108, the attacker is able to call ZwEnumerateValueKey and write its output to an arbitrary memory location.

[CVE-2015-5736] The vulnerability lies in "Fortishield.sys", which is a minifilter filesystem driver that hooks filesystem operations. IOCTL 0x220024 and 0x220028 both allow establishing callbacks that will be called during any IRP_MJ_WRITE and IRP_MJ_SET_INFORMATION, respectively. Consequently, any user in the system can set an arbitrary function as a callback and execute code with kernel privileges.

[CVE-2015-5737] The vulnerability lies in the drivers "mdare64_48.sys", "mdare32_48.sys", "mdare32_52.sys", "mdare64_52.sys" and "Fortishield.sys". All of these drivers expose an APIto manage processes and the Windows registry. For instance, the IOCTL 0x2220c8 of the "mdareXX_XX.sys" driver returns a full privileged handle to a given process PID. This same function is replicated inside "Fortishield.sys".



8. Report Timeline

2015-06-25: Core Security notified Fortinet of the vulnerabilities. Publication date 
set for July 27th, 2015.2015-06-30: Fortinet replied that they received Core Security's 
email and that they would like to receive the draft version of the advisory.
2015-07-01: Core Security sent Fortinet the draft version of the advisory and requested 
a tentative schedule for releasing the updates.
2015-07-01: Fortinet replied that they received the draft version of the advisory and 
that they would review it.
2015-07-15: Core Security requested an update from Fortinet regarding the reported 
vulnerabilities and a tentative schedule.
2015-07-19: Fortinet replied and confirmed the reported bugs, but stated that they 
were only able to trigger them with administrative privileges. They requested a PoC 
from Core Security.
2015-07-20: Core Security replied, explaining to Fortinet that they were able to trigger 
the vulnerabilities as a non-privileged user. They sent Fortinet a PoC code that opens 
a handle with read/write permissions to LSASS process and then uses it to allocate 
memory in its virtual address space.
2015-07-20: Fortinet replied that they would review the PoC.
2015-07-20: Fortinet asked if Core Security researchers could review an interim build 
when available.
2015-07-21: Core Security confirmed that they would be willing to review an interim build 
when available.
2015-08-03: Core Security requested an update from Fortinet regarding the availability 
of the interim build, and asked if there was a specific date Fortinet was planning to 
release the fix.
2015-08-04: Fortinet replied that their current release date was August 17.
2015-08-05: Fortinet updated the schedule, explaining that the interim build wouldn't 
include the MDARE fixes therefore delaying the release until the end of August.
2015-08-07: Core Security asked Fortinet if the interim build was going to be published 
by Fortinet, because if so, that would force Core Security to publish their findings as 
well. If that wasn't the case, Core Security recommended publishing everything together 
later that month.
2015-08-07: Fortinet replied that the interim build was private and therefore there 
wasn't a need to publish ahead of schedule.
2015-08-10: Fortinet sent Core Security a link to download the interim build and 
requested feedback.
2015-08-10: Core Security replied that they received and downloaded the interim build 
and would send feedback. Additionally, Core Security requested an updated ETA.
2015-08-18: Core Security requested the specific date Fortinet would release the patched 
version of their product so they could schedule their security advisory publication 
accordingly.
2015-08-20: Core Security again requested for a specific date for the publication of 
the updates and informed Fortinet them that if they didn't receive and answer in the 
following days they would be forced to schedule the advisory publication.
2015-08-20: Fortinet replied that the scheduled release date for the updated version 
of FortiClient was August 31. They asked if they had an opportunity to review the 
interim build andif they had any feedback.
2015-08-24: Core Security replied that they were able to review the interim build and 
that they could confirm that those bugs were no longer exploitable.Core Security 
requested and updated ETA of the updated version.
2015-08-24: Fortinet replied that the scheduled release seemed to be confirmed and 
that the estimated time of availability would be roughly 5 p.m. Pacific Time.
9. References

[1] http://www.forticlient.com/.
[2] http://docs.fortinet.com/d/forticlient-5.2.4-windows-release-notes.pdf. 


10. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future 
needs and requirements for information security technologies. We conduct our research 
in several important areas of computer security including system vulnerabilities, cyber 
attack planning and simulation, source code auditing, and cryptography. Our results 
include problem formalization, identification of vulnerabilities, novel solutions and 
prototypes for new technologies. CoreLabs regularly publishes security advisories, 
technical papers, project information and shared software tools for public use at: 
http://corelabs.coresecurity.com.


11. About Core Security

Core Security enables organizations to get ahead of threats with security test and 
measurement solutions that continuously identify and demonstrate real-world exposures 
to their mostcritical assets. Our customers gain real visibility into their security 
standing, real validation of their security controls, and real metrics to more 
effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research and 
leading threat expertise from the company's Security Consulting Services, CoreLabs 
and Engineering groups. Core Security can be reached at +1 (617) 
399-6980 or on the Web at: http://www.coresecurity.com.


12. Disclaimer

The contents of this advisory are copyright (c) 2014 Core Security and (c) 2014 CoreLabs,
 and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 
(United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


13. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at 
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.



Share on Google Plus

About Bradley Susser

    Blogger Comment
    Facebook Comment

0 comments :

Post a Comment