National Cyber Warfare Foundation (NCWF)

CVE-2023-48788: Fortinet FortiClientEMS SQL Injection Deep Dive


2024-03-21 13:10:10
milo
Blue Team (CND)


Introduction

In a recent PSIRT advisory, Fortinet acknowledged CVE-2023-48788, a SQL injection in FortiClient EMS that can lead to remote code execution. FortiClient EMS is an endpoint management solution for enterprises that provides a central location for administering enrolled endpoints. This SQL injection vulnerability is caused by user-controlled strings that are passed directly into database queries. In this post we will examine the internal workings of the exploit. Our POC can be found here.

An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests.

FortiClient EMS Architecture

For the purposes of understanding this vulnerability, FortiClient EMS consists of the following components:

- FmcDaemon.exe – The main service responsible for communicating with enrolled clients. By default, this service listens on port 8013 for incoming client connections.
- FCTDas.exe – The Data Access Server responsible for translating requests from various other server components into SQL requests. This service interacts with the Microsoft SQL Server database.
- One or more endpoint clients – These clients communicate with the FmcDaemon on the server (by default tcp/8013).

Finding the Vulnerable Component

Since we know the vulnerability […]


The post CVE-2023-48788: Fortinet FortiClientEMS SQL Injection Deep Dive appeared first on Horizon3.ai.


The post CVE-2023-48788: Fortinet FortiClientEMS SQL Injection Deep Dive appeared first on Security Boulevard.



James Horseman

Source: Security Boulevard
Source Link: https://securityboulevard.com/2024/03/cve-2023-48788-fortinet-forticlientems-sql-injection-deep-dive/





Copyright 2012 through 2025 - National Cyber Warfare Foundation - All rights reserved worldwide.