Vigil@nce: FortiClient, format string attack
April 2009 by Vigil@nce
A local attacker can generate a format string attack in order to
elevate his privileges.
– Severity: 2/4
– Consequences: administrator access/rights
– Provenance: user shell
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 02/04/2009
IMPACTED PRODUCTS
– Fortinet FortiGate
DESCRIPTION OF THE VULNERABILITY
The FortiClient client has a field where users can enter the name
of the VPN connection to establish.
However, this name is used as a format parameter in a function of
the printf() family. The corresponding code runs with system
privileges.
A local attacker can therefore generate a format string attack in
order to elevate his privileges.
CHARACTERISTICS
– Identifiers: BID-34343, VIGILANCE-VUL-8593
– Url: http://vigilance.fr/vulnerability/FortiClient-format-string-attack-8593
To change your email preferences (frequency, severity threshold, format):
https://vigilance.fr/?action=2041549901&langue=2