Tuesday, August 9, 2016

[FD] FortiVoice v5.0 - Filter Bypass & Persistent Validation Vulnerability

Document Title:
===============
FortiVoice v5.0 - Filter Bypass & Persistent Validation Vulnerability

References (Source):
====================
http://ift.tt/2baQJmR

Fortinet PSIRT ID: 1737213

Release Notes: http://ift.tt/2aBRCjY

Release Date:
=============
2016-08-09

Vulnerability Laboratory ID (VL-ID):
====================================
1842

Common Vulnerability Scoring System:
====================================
3.6

Product & Service Introduction:
===============================
FortiVoice phone systems and phones deliver intelligent call handling in a simple, affordable and user-friendly package. FortiVoice products are easy to install, easy to configure and easy to use, and come complete with everything a business needs to handle calls professionally, control costs and stay connected everywhere. The FortiVoice Enterprise IP-PBX voice solutions are built for offices with up to 2000 phone users. FortiVoice Enterprise systems give you total call control and sophisticated communication features for excellent customer service and efficient employee collaboration. Powerful, affordable and simple, FortiVoice phone systems include everything you need to handle calls professionally, control communication costs and stay connected everywhere.

(Copy of the Homepage: http://ift.tt/1mnovpZ )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory core team discovered multiple application-side web vulnerabilities in the official Fortinet FortiVoice v5.x appliance web-application.

Vulnerability Disclosure Timeline:
==================================
2016-05-11: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2016-05-12: Vendor Notification (PSIRT - Fortinet Security Team)
2016-06-26: Vendor Fix/Patch (Fortinet Developer Team)
2016-07-09: Acknowledgements (FortiGuard Security Team)
2016-08-09: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Fortinet
Product: FortiVoice - Appliance (Web-Application) 5.0 (5.x) - FVE-20E2/4, 100E, 300E-T, 500E-T2, 1000E, 1000E-

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A filter bypass and multiple persistent cross site scripting vulnerabilities have been discovered in the FortiVoice v5.x appliance web-application. The application-side issue allows remote attackers to inject their own malicious script code on the application side of the affected module.

The vulnerabilities are located in the `match pattern name` input fields of the `Outbound - Outbound - Dialed Number Match` and `Call Features - Fax - Sending Rules - Dialed Number Match` modules. Local low privileged user accounts and remote attackers are able to inject their own malicious script code into the vulnerable modules via a POST method request. The attack vector of the issue is persistent on the application side. The injection points are the vulnerable input fields, and the execution point occurs mainly in the same web module context.

The validation tries to encode strings on input interaction. To bypass the validation of the FortiVoice appliance web-application, a split character sequence has to be inserted via the input fields. After, for example, `%20%20` the validation stops, and an own payload can be executed.

The security risk of the application-side cross site scripting web vulnerabilities is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.6.

Exploitation of the persistent input validation web vulnerability requires a low privileged web-application user account (but is not limited to it) and low or medium user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected or connected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Outbound - Outbound
[+] Call Features - Fax - Sending Rules

Vulnerable Parameter(s):
[+] name (match pattern)

Affected Module(s):
[+] Dialed Number Match

Proof of Concept (PoC):
=======================
The persistent cross site scripting vulnerabilities can be exploited by remote attackers and low privileged web-application user accounts with low or medium user interaction. For security demonstration or to reproduce the web vulnerability, follow the provided information and steps below.

Vulnerable Location(s):
Outbound - Outbound - Dialed Number Match [Match Pattern - Name]
Call Features - Fax - Sending Rules - Dialed Number Match [Match Pattern - Name]

PoC: Outbound - Outbound - Dialed Number Match [Match Pattern - Name]
%20>"
-152725276
"><[MALICIOUS INJECTED SCRIPT CODE EXECUTION!]
"><[MALICIOUS INJECTED SCRIPT CODE EXECUTION!]
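As an added illustration (not code from the advisory or from Fortinet), the following Python models the encode-on-input filter behaviour the advisory describes, where encoding stops at the double-space split sequence, and places it beside the handling a defender would use instead: allow-list validation of the stored pattern name, context-aware encoding at render time, and an audit check for records already stored. The filter model, the regular expression and all function names are assumptions made for this illustration.

```python
import html
import re
from urllib.parse import unquote

SPLIT = "  "  # two spaces: the decoded form of the %20%20 split sequence


def flawed_input_filter(raw: str) -> str:
    """Hypothetical model of the encode-on-input filter described in the
    advisory (not Fortinet's code): the value is HTML-encoded only up to
    the first split sequence; whatever follows it is stored verbatim."""
    value = unquote(raw)  # POST bodies arrive URL-encoded
    if SPLIT in value:
        head, tail = value.split(SPLIT, 1)
        return html.escape(head) + SPLIT + tail
    return html.escape(value)


# Assumed allow-list for a dial-pattern name: letters, digits, space, _ . -
NAME_RE = re.compile(r"[A-Za-z0-9 _.-]{1,64}")


def validate_pattern_name(raw: str) -> str:
    """Hardened input side: reject anything outside the allow-list instead
    of trying to encode on input. Raises ValueError on bad input."""
    value = unquote(raw).strip()
    if not NAME_RE.fullmatch(value):
        raise ValueError("pattern name contains disallowed characters")
    return value


def render_cell(stored: str) -> str:
    """Hardened output side: encode for the HTML element context at render
    time, whatever was stored, so a stale record cannot break the page."""
    return f"<td>{html.escape(stored, quote=True)}</td>"


def contains_markup(stored: str) -> bool:
    """Audit check for records already in the database: flag names holding
    characters that would close an attribute or a tag."""
    return any(c in stored for c in "<>\"'")
```

Running `contains_markup` over existing match-pattern names is the quickest way to find records written before a fix was applied.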
 
 

