Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Security)  >   Fortinet FortiClient Vendors:   Fortinet
FortiClient Format String Bug in VPN Connection Name Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1021966
SecurityTracker URL:
CVE Reference:   CVE-2009-1262   (Links to External Site)
Updated:  Apr 10 2009
Original Entry Date:  Apr 2 2009
Impact:   Root access via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 3.0.614
Description:   A vulnerability was reported in FortiClient. A local user can obtain elevated privileges on the target system.

A local user can supply a specially crafted VPN connection name to trigger a format string flaw and write to or read from arbitrary memory locations with System level privileges.

The vendor was notified on February 2, 2009.

Deral Heiland of Layered Defense reported this vulnerability.

Impact:   A local user can obtain elevated privileges on the target system.
Solution:   The vendor has issued a fix (3.0 MR7 Patch Release 6).
Vendor URL: (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  Layered Defense Research Advisory: Format String Vulnerability:

Layered Defense Research Advisory 02 April 2009 
1) Affected Product 
FortiClient Version 3.0.614
Earlier versions may also be vulnerable
2) Severity Rating: Low 
3) Description of Vulnerability: 
A local format string vulnerability was discovered within FortiClient version 3.0.614 VPN .The vulnerability is due to improper processing
 of format strings specifiers within the VPN connection name. When special crafted format strings are entered as the VPN connection
 name and the connection is initiated the format string vulnerability is triggered. Making it possible to read and write arbitrary
 memory at System level. 
4) Solution : Upgrade to FortiClient v3.0 MR7 Patch Release 6
5) Time Table: 
02/02/2009 Reported Vulnerability to Vendor. 
02/03/2009 Vendor acknowledged the vulnerability 
03/13/2009 Vendor published fix
6) Credits Discovered by Deral Heiland, 
7) Reference
8) About Layered Defense Layered Defense, Is a group of security professionals that work together on ethical Research, Testing and
 Training within the information security arena.


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, LLC