Title: Fortinet FortiClient Windows privilege escalation at logon
CVE ID: CVE-2017-7344
Intrinsec ID: ISEC-V2017-01
Risk level: high
Exploitable: Locally, or remotely if the logon screen is exposed (e.g. through RDP without NLA required). Requires non-default configuration on the client (« Enable VPN before logon »). Requires an invalid certificate on the VPN endpoint side, or a MITM attacker presenting an invalid certificate (e.g. stolen laptop scenario).
Impact: Privilege escalation: from anonymous to SYSTEM, and Windows lock screen bypass
This vulnerability affects the Fortinet FortiClient program. FortiClient is a client program used to connect to SSL/IPsec VPN endpoints.
A setting, disabled by default, enables FortiClient on the logon screen to allow users to connect to a VPN profile before logon. An attacker, with physical, or remote (e.g. through TSE, VNC…), access to a machine with FortiClient and this feature enabled, can obtain SYSTEM level privileges from the lock screen. No account or prior knowledge is required.
The vulnerability lies in the confirmation dialog shown when the server certificate is not valid (e.g. default auto-signed certificate, or Man-In-The-Middle with SSL/TLS interception situation).
- FortiClient Windows 5.6.0
- FortiClient Windows 5.4.3 and earlier
Upgrade to FortiClient Windows 5.4.4 or 5.6.1.
However, we tested the latest version and we discovered some bypasses of the fix under certain circumstances. We have shared our findings with Fortinet who is working on a more complete fix. We do not intend to share more details until this issue is fixed.
Enabling the « Do not warn invalid server certificate » option would prevent this issue but it is strongly discouraged since it allows silent Man-in-the-Middle attacks.
Deploying a valid certificate on the VPN endpoint mitigates the issue in standard situations, however when an attacker is in a MITM situation they will present an invalid certificate to the FortiClient, regardless of the legitimate server certificate. This is not sufficient to resolve the issue.
Vulnerability discovered by Clément Notin / @cnotin.
Vulnerability disclosed in coordination with the CERT-Intrinsec.
Windows 7 Professional x64, English. FortiClient, vulnerable version:
Create VPN connection in FortiClient with a FortiGate endpoint (or try with any domain having an invalid certificate, such as expired.badssl.com):
To read the original article: