FortiClient SSLVPN Linux client local privilege escalation vulnerability

Description

Installing the FortiClient SSLVPN Linux client build 2312 and lower in a home directory that is world readable-executable yields a privilege escalation vulnerability: any local user can then exploit the helper/subproc setuid binary to run arbitrary code with root privileges.

Impact Detail

When subproc is called, it parses and executes "./iclean.linux.sh", i.e. a path relative to the current working directory. Thus a malicious local user may create a symbolic link to subproc in the same directory as an "arbitrary" iclean.linux.sh. The latter will then be parsed and executed by subproc (i.e. as uid 0).

Affected Products

Standalone FortiClient SSLVPN Linux client build 2312 and lower.

Solutions

Upgrade to FortiClient Linux SSLVPN version 2313 or above.
Actual exploitability varies with the host system: Ubuntu and Debian are known to set world readable-executable permissions on home directories by default, while Fedora (and most other Linux distributions) do not.
In the following example, user notvulnerable is not affected, while user iamvuln could be affected:
ls -l /home
total 28
drwx------. 3 notvulnerable notvulnerable 4096 Jul 21 14:26 notvulnerable
drwx---r-x. 6 iamvuln iamvuln 4096 Jul 21 14:26 iamvuln
A workaround is to apply chmod 700 to the home directory of the user who installed the Linux FortiClient SSLVPN.
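The precondition described above (a home directory that grants "others" read or execute access) and the chmod 700 workaround can be checked and applied with a small POSIX shell audit. The script below is an added example, not part of the advisory or of Fortinet's software; it parses the mode string printed by ls -ld (the same output the advisory quotes), flags home directories that are accessible to others, lists setuid files found inside them, and applies the workaround. The sample directories and the file names it creates under mktemp are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the advisory): audit home directories for the
# world-accessible condition the advisory describes and apply chmod 700.

# others_perms DIR -> prints the three "others" permission characters of DIR.
# Field 1 of `ls -ld` is the mode string, e.g. "drwx---r-x."; characters 8-10
# are the bits for "others" (a trailing "." or "+" does not shift them).
others_perms() {
    ls -ld "$1" | cut -c8-10
}

# home_is_world_accessible DIR -> exit 0 if others may read or traverse DIR,
# i.e. the condition under which the advisory's issue becomes exploitable.
home_is_world_accessible() {
    case $(others_perms "$1") in
        *r*|*x*) return 0 ;;
        *)       return 1 ;;
    esac
}

# setuid_files_under DIR -> prints regular files under DIR with the setuid bit
# set (a setuid helper inside a world-accessible home is the combination the
# advisory warns about).
setuid_files_under() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# audit_homes BASE -> one report line per directory directly under BASE.
audit_homes() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        if home_is_world_accessible "$d"; then
            printf '%s: world-accessible (others=%s)\n' "$d" "$(others_perms "$d")"
            setuid_files_under "$d" | sed 's/^/    setuid file: /'
        else
            printf '%s: ok (others=%s)\n' "$d" "$(others_perms "$d")"
        fi
    done
}

# harden_home DIR -> the advisory's workaround.
harden_home() {
    chmod 700 "$1"
}

# Stand-alone demonstration on constructed directories mirroring the advisory's
# listing: "notvulnerable" is 700, "iamvuln" is drwx---r-x (705).
demo() {
    base=$(mktemp -d)
    mkdir "$base/notvulnerable" "$base/iamvuln"
    chmod 700 "$base/notvulnerable"
    chmod 705 "$base/iamvuln"
    # constructed stand-in for a setuid helper installed in the home directory
    : > "$base/iamvuln/helper-example"
    chmod 4755 "$base/iamvuln/helper-example"

    echo "== before workaround =="
    audit_homes "$base"
    harden_home "$base/iamvuln"
    echo "== after workaround =="
    audit_homes "$base"
    rm -rf "$base"
}

demo
```

Run it as any user; the audit itself needs no privileges beyond reading the directory listing, while chmod 700 must be run by the directory owner or root. The check deliberately keys on the "others" bits only, since the advisory's condition is that any local user can traverse the install directory.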

Acknowledgement

Thanks to Brian Vincent.