A setting, disabled by default, enables FortiClient on the logon screen to allow users to connect to a VPN profile before logon. An attacker, with physical, or remote (e.g. through TSE, VNC…), access to a machine with FortiClient and this feature enabled, can obtain SYSTEM level privileges from the lock screen. No account or prior knowledge is required.
The vulnerability lies in the confirmation dialog shown when the server certificate is not valid (e.g. default auto-signed certificate, or Man-In-The-Middle with SSL/TLS interception situation).
- FortiClient Windows 5.6.0
- FortiClient Windows 5.4.3 and earlier
Upgrade to FortiClient Windows 5.4.4 or 5.6.1.
However, we tested the latest version and we discovered some bypasses of the fix under certain circumstances. We have shared our findings with Fortinet who is working on a more complete fix. We do not intend to share more details until this issue is fixed.
Enabling the « Do not warn invalid server certificate » option would prevent this issue but it is strongly discouraged since it allows silent Man-in-the-Middle attacks.
Deploying a valid certificate on the VPN endpoint mitigates the issue in standard situations, however when an attacker is in a MITM situation they will present an invalid certificate to the FortiClient, regardless of the legitimate server certificate. This is not sufficient to resolve the issue.
Vulnerability discovered by Clément Notin / @cnotin.
Vulnerability disclosed in coordination with the CERT-Intrinsec.
Windows 7 Professional x64, English. FortiClient, vulnerable version:
Create VPN connection in FortiClient with a FortiGate endpoint (or try with any domain having an invalid certificate, such as expired.badssl.com):
Enable the “VPN before logon” setting in FortiClient:
Log off. The computer is now in a vulnerable state.
On the logon screen, select the VPN profile and type any password for the user. If the certificate is invalid (default certificate on a legitimate FortiGate, MITM attack, usage of the IP address of the endpoint instead of the hostname…), when connecting the confirmation dialog will appear, then click on “View certificate”:
Go to “Details” tab then click on “Copy to file”:
Click next until the screen with “Browse” button:
Browse to “C:\Windows\System32”, type a wildcard “*” in filename to show every files. Find cmd.exe, right click then click “Open”:
You get a shell with SYSTEM privileges:
The attacker can create a local administrator user account and use it to login:
Fortinet PSIRT Advisory: FG-IR-17-070
SecurityFocus: BID 102176
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.