
FortiNet FortiClient EMS SQLi to RCE [CVE-2023-48788] #19082

Merged
merged 1 commit into from
Apr 19, 2024

Conversation

jheysel-r7

An SQL injection vulnerability exists in FortiNet FortiClient EMS (Endpoint Management Server). FortiClient EMS serves as an endpoint management solution tailored for enterprises, offering a centralized platform for overseeing enrolled endpoints. The SQLi vulnerability is due to user-controlled strings which can be sent directly into database queries.

FcmDaemon.exe is the main service responsible for communicating with enrolled clients. By default it listens on port 8013 and communicates with FCTDas.exe, which is responsible for translating requests and sending them to the database. In the message header of a specific request sent between the two services, the FCTUID parameter is vulnerable to SQLi. The SQLi can be used to enable xp_cmdshell, which can then be used to obtain unauthenticated remote code execution in the context of NT AUTHORITY\SYSTEM.

Affected versions of FortiClient EMS include:
7.2.0 through 7.2.2
7.0.1 through 7.0.10

Verification

List the steps needed to make sure this thing works

  1. Start msfconsole
  2. Do: use windows/http/forticlient_ems_fctid_sqli
  3. Set the RHOST and LHOST options
  4. Run the module
  5. Receive a Meterpreter session running in the context of NT AUTHORITY\SYSTEM
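The affected-version ranges above are the one piece of this description a defender can act on immediately when triaging an asset inventory. The following is an added example, not part of this pull request or of the Metasploit module: it parses FortiClient EMS version strings numerically and checks them against the two inclusive ranges stated above (7.2.0 through 7.2.2 and 7.0.1 through 7.0.10). Numeric comparison matters here because a plain string comparison would order "7.0.10" before "7.0.2" and misclassify hosts. The inventory list and hostnames are constructed sample data.

```python
# Added example (not from the PR or the Metasploit module): triage an
# inventory of FortiClient EMS hosts against the affected version ranges
# given in the PR description for CVE-2023-48788.
from typing import List, Tuple

Version = Tuple[int, int, int]

# Inclusive (lower, upper) bounds, exactly as listed in the PR description.
AFFECTED_RANGES: Tuple[Tuple[Version, Version], ...] = (
    ((7, 2, 0), (7, 2, 2)),
    ((7, 0, 1), (7, 0, 10)),
)


def parse_version(version: str) -> Version:
    """Parse 'major.minor.patch' into a tuple of ints.

    Extra trailing components (e.g. a build number) are ignored; fewer
    than three numeric components is treated as an inventory data error
    rather than silently assumed safe.
    """
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unexpected version format: {version!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range (inclusive)."""
    v = parse_version(version)
    # Tuple comparison is element-wise and numeric, so 7.0.10 > 7.0.2.
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify each (hostname, version) pair as affected/unaffected/unknown."""
    results = []
    for host, version in inventory:
        try:
            status = "affected" if is_affected(version) else "unaffected"
        except ValueError:
            status = "unknown"  # malformed version: needs manual follow-up
        results.append((host, version, status))
    return results


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ems-prod-01", "7.2.2"),
    ("ems-prod-02", "7.2.3"),
    ("ems-lab-01", "7.0.10"),
    ("ems-lab-02", "7.0.11"),
    ("ems-old-01", "7.0.0"),
    ("ems-bad-01", "7.0"),
]

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {version:8} {status}")
```

Hosts reported as "affected" should be prioritised for patching; "unknown" entries indicate inventory records that could not be parsed and should be checked by hand rather than assumed unaffected.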

@jheysel-r7 jheysel-r7 added module docs feature-kerberos-authentication Adds Kerberos Authentication support to framework and removed feature-kerberos-authentication Adds Kerberos Authentication support to framework labels Apr 12, 2024

@zgoldman-r7 zgoldman-r7 left a comment


Nice work on this!

@zgoldman-r7 zgoldman-r7 added the rn-modules release notes for new or majorly enhanced modules label Apr 19, 2024
@zgoldman-r7 zgoldman-r7 merged commit 488653d into rapid7:master Apr 19, 2024
38 checks passed
@zgoldman-r7

zgoldman-r7 commented Apr 19, 2024

Release Notes

Adds the windows/http/forticlient_ems_fctid_sqli module that takes advantage of an SQL injection vulnerability in FortiNet FortiClient EMS.
