lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 17 Apr 2009 16:42:34 +0200
From: Thierry Zoller <Thierry@...ler.lu>
To: NTBUGTRAQ <NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>, 
	bugtraq <bugtraq@...urityfocus.com>, 
	full-disclosure <full-disclosure@...ts.grok.org.uk>, <info@...cl.etat.lu>, 
	<vuln@...unia.com>, <cert@...t.org>, <nvd@...t.gov>, <cve@...re.org>
Subject: [TZO-11-2009] Fortinet bypass / evasion (Limited
	details)

______________________________________________________________________

  From the low-hanging-fruit-department - Fortinet bypass/evasion
______________________________________________________________________

Release mode: Forced release, vendor has not replied.
Ref         : TZO-112009 - Fortinet Generic Evasion 
WWW         : http://blog.zoller.lu/2005/04/fortinet-evasion-bypass-limited-details.html
Vendor      : http://www.fortinet.com
Security notification reaction rating : Catastrophic

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- t.b.a (Vendor has not reacted, please see below)

As this bug has not been reproduced by the vendor, this limited advisory 
relies on the assumption that my tests were conclusive and that the test
environment mimics the production environment.

I. Background
~~~~~~~~~~~~~
Quote: "Fortinet is a leading provider of network security appliances and the 
leader of the unified threat management (UTM) market worldwide. 
Fortinet's award-winning portfolio of security gateways, 
subscription services, and complementary products delivers 
the highest level of network, content, and application 
security for enterprises of all sizes, managed service providers, 
and telecommunications carriers, while reducing total cost of 
ownership and providing a flexible, scalable path for expansion.  "


II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by a specially crafted and formated
archive file. Details are currently witheld due to other vendors that are 
in process of deploying patches.

A professional reaction to a vulnerability notification is a way to 
measure the maturity of a vendor in terms of security. Fortinet is given 
a grace period of two (2) weeks to reply to my notification. Failure 
to do so will result in POC being released in two (2) weeks. 

Fortinet (aswell as others) is advised to leave a specific security contact
at [1] in order to simplify getting in contact with them.

As this bug has not been reproduced by the vendor, this limited advisory 
relies on the assumption that my tests were conclusive.

III. Impact
~~~~~~~~~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect
code within the archive. There is no inspection of the content
at all.


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
09/03/2009 : Send proof of concept, description the terms under which 
             I cooperate and the planned disclosure date. There is
             no security adress listed at [1] and hence took the industry
             tandard security contacts addresses secure@ and security@.
                         
             No reply.
                         
14/03/2009 : Resending specifying this is the last attempt to disclose
             reponsibly.
                         
             No reply.
                         
15/04/2009 : Fortinet published advisories for third party vendors with
             the adress dontreply-secresearch@...tinet.com, used secresearch@...tinet.com
             to resend advirory.
                                                
             No reply.
                         
17/04/2009 : Last attempt to contact, information sent to info@...itnet.com

             no reply, as of time of publishing

17/04/2009 : Release of this advisory and begin of grace period.


[1] http://osvdb.org/vendor/1/Fortinet%20Inc_


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists