Who Am I (1 min)

Security researcher with many years of experience in vulnerability research, implant development, and attacker TTPs across the commercial and government sector. 

Overview (1 min)

A Shift In Tactics (2 min)

CISA KEV Breakdown

• 2023’s Most Targeted Devices by Device Type
• Initial Access via Border / Security Appliance
• Why is this thing on the internet?

The Vulnerabilities (38 min)

Target Selection

• Fortinet falls squarely in the type of device’s routinely targeted and exploited by threat actors in CISA KEV
• Fortinet has many security devices that have not received recent CVEs
• FortiSIEM was acquired via Fortinet acquiring a company, possibly meaning more room for error or a difference in security stack

Vulnerability Research Process

• Attack Surface Analysis

• Control Flow Analysis

• Web Routing Framework

  • Unauthenticated and Authenticated Handlers

• Non-Web Backed Services

  • Communication Protocol

• Authentication

• Business Logic

• Controllable Inputs

Fortinet FortiSIEM

• Appliance Overview

• Discovering the Service

• Fortinet FortiNAC variant analysis - developers often make the same mistakes

• Investigating the license upload functionality in Web UI revealed it communicated with a “backend” service, phMonitor, via TCP socket

• “Backend” service is listening on all interfaces - not so backend…

• Developing a Service Client

• Reversing the Java Web UI class reveals its a custom messaging scheme over TCP sockets with message format:

  • 1. Command Type - The integer enum mapped to specific function handlers inside the phMonitor service
  • 2. Payload Length - The length of the payload in the message
  • 3. Send ID - An arbitrary integer value passed in the message
  • 4. Sequence ID - The sequence number of this message
  • 5. Payload - The specific data the function handler within phMonitor will operate on

• Test client with “LicenseInfo” request returns success!

• Reversing the Service

• What is the phMonitor service?

  • At a high-level, it monitors different services across different roles, and exposes an API interface for performing many of the system functions that would be accomplished in the administrative web interface. 
  • It is the authoritative service when it comes to managing deployment configuration, licensing, and administrative functions of itself and remote roles.

• With a working service client, now starts the process of analyzing control flow of the service, and any potential mistakes in command handlers

• 100 different command handlers

  • Change storage configurations

  • Often calls to a utility “doSystem”, a system() wrapper - interesting!

  • Write system settings

  • Passwords, backup servers, etc

  • Initiate reverse SSH tunnels with integrated servers

  • FortiSIEM often deployed with SIEM in located in MSP and “Collectors” in client environments

  • Pivot into client environments!

• Developing the Exploit

• Determining the Expected XML Format

• Command Injection in XML Field
• Post-Exploitation possibilities - pivoting, reading integration secrets, clearing logs

Fortinet FortiWLM

• Appliance Overview

• Attack Surface

• Web Service backed by Python and Perl

• Django Authentication Middleware

  • Several Unauthenticated Endpoints

• Command Injections

• SQL Injections

• File Reads

Fortinet FortiWeb Manager

• Appliance Overview

• Attack Surface

• Web Service backed by Python

• Authenticated Command Execution
• Authenticated Arbitrary File Write
• Authenticated Arbitrary File Read

Common Developer Pitfalls and Areas of Improvement

• Focusing on the Happy Path

• Developers, intuitively, focus most of their time and effort in validating the most common user journeys in their applications

• Often, along a products lifetime, new features are added for customers - and sometimes in critical areas like authentication

• Developing in a Vacuum

• Applications and systems often reach enormous levels of complexity, hard to single engineers to know the in-and-outs to safely add a feature

• Architecture and code reviews are necessary and critical to spot missteps

• Paired programming with a senior can help juniors understand the design and security aspects of features to up-level them

• Defense In Depth

• Often, weaponized exploits combine several vulnerabilities to reach system compromise

• Auditing the authenticated attack surface for simple primitives can limit the blast radius of these chains
• Run services as least privilege

Future Outlook (1 min)

Security isn’t just for infosec - involve developers more in our community

We and threat actors will continue to find vulnerabilities from the 90s, adjust security programs to be as wholistic as possible

Q\&A (2 min)

References

Fortinet PSIRTs

• FortiSIEM

• ****https://www.fortiguard.com/psirt/FG-IR-23-130

• FortiWLM

• https://www.fortiguard.com/psirt/FG-IR-23-140

• https://www.fortiguard.com/psirt/FG-IR-23-143

• https://www.fortiguard.com/psirt/FG-IR-23-142

• FortiWeb Manager

• Awaiting patches