This post is the third and final post regarding vulnerabilities discovered when looking at the security of some popular VPN clients. In the first two posts we covered local privilege escalation and arbitrary file writes in Pritunl VPN Client and AWS VPN Client. This post covers an arbitrary file write as SYSTEM in the Fortinet FortiClient VPN client.

This issue differs a little from the first two posts in that it does not abuse dangerous directives in an OpenVPN configuration file, but instead uses an over privileged file write in config backup functionality of FortiClient.

FortiClient VPN allows normal users of the VPN Client to backup their VPN configuration. The backup file is written by FortiClient’s scheduler service running as SYSTEM, which calls the FCConfig.exe on the specified backup file. 

Since the file path used to perform the backup to is only validated in the UI of the application, it is possible to bypass any permission checks and force the service to write to an arbitrary location, even if the user does not have permission to do so.

The user can control partial contents of the configuration backup, which means at the very least they could write a .bat script to an administrator’s startup directory as one method of privilege escalation.

This vulnerability allows an arbitrary file to be written anywhere on the system while controlling part of the contents. This can lead to privilege escalation in a number of ways, the most common being writing a script to a privileged user’s startup folder and then waiting for that user to log onto the system.

FortiClient is an Electron app that interacts with various services running in the background. A normal user is able to start and interact with the Electron UI of FortiClient.

It is possible to start the FortiClient application with the Electron debugging enabled and attach that to a debugger with Chrome.

Now, opening Chrome with chrome://inspect will allow you to attach to the FortiClient process. 

Here you can see the backup feature within the UI of FortiClient. The UI allows you to choose a backup file and checks to make sure the current user has permission to write to that file before allowing it to be selected. The selection is then disabled from editing.

Since we are debugging the UI we can obviously modify anything in the UI. To demonstrate this, we can use the JavaScript console to set the disabled property of the element to false.

Now the file path for the backup file can be modified to anything.

There are a number of ways you could bypass this using the debugger. After some digging the function to call the config backup service directly was found, allowing the function to be called from the JavaScript console, specifying an arbitrary path.