PoC Exploit Released for Critical Fortinet FortiClient EMS CVE-2023-48788 Flaw

Security researchers at Horizon3 have released proof-of-concept (PoC) code for a severe vulnerability (CVE-2023-48788) in the Fortinet FortiClient Enterprise Management Server (EMS). With a CVSS score of 9.3, this SQL injection flaw could allow threat actors to remotely execute malicious code on affected systems, potentially compromising entire enterprise networks. Noteable, “This vulnerability is exploited in the wild.”

The Horizon3 team’s in-depth analysis pinpoints the source of the vulnerability. Improper handling of user input within FortiClient EMS leads to unsanitized data being injected directly into SQL database queries. This creates an opening for a skilled attacker to manipulate those queries.

Fortinet FortiClient EMS is a popular IT management solution. Enterprises use it to centrally manage and secure large numbers of endpoint devices like laptops, desktops, and servers. A successful exploit against this software would have far-reaching network security consequences.

Understanding the vulnerability requires a closer look at FortiClient EMS’s architecture:

• FmcDaemon.exe: The primary service facilitating communication with enrolled clients, typically listening on port 8013.
• FCTDas.exe: The Data Access Server translating server requests into SQL queries, interacting directly with the Microsoft SQL Server database.
• Multiple endpoint clients communicate with the FmcDaemon, establishing the groundwork for potential exploitation.

The Horizon3 team uncovered the flaw began by scanning the installation folder for common SQL strings, leading them to FCTDas.exe. This component not only connects to the local database but also listens for incoming connections, providing a vital clue. The team hypothesized that by interacting with tcp/8013, they could indirectly make database queries via FCTDas.exe.

Further investigation into the communications between the endpoint client and FcmDaemon.exe revealed encrypted exchanges, with a breakthrough coming from enabling Debug logging. This provided sufficient insight to craft a Python script for meaningful communication with the FcmDaemon. The discovery of the message format led to a simple yet effective payload that confirmed the SQL injection vulnerability by causing a deliberate delay in response.

Demo for CVE-2023-48788 PoC exploit (Horizon3 Attack Team)

Turning the SQL injection into a remote code execution (RCE) avenue involved leveraging the xp_cmdshell functionality of Microsoft SQL Server. Though initially not configured for xp_cmdshell commands, enabling it was straightforward, marking a critical phase in the exploitation process.

xp_cmdshell logs | Image: Horizon3 Attack Team

Detecting an intrusion is crucial, and FortiClient EMS logs, along with MS SQL logs, serve as vital resources for identifying unauthorized connections or the use of xp_cmdshell for command execution. Awareness of different tactics attackers might employ or their efforts to erase traces is essential for a comprehensive defense strategy.