CVE-2015-5736

Published: 03/09/2015 Updated: 09/10/2018
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
VMScore: 736
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

The Fortishield.sys driver in Fortinet FortiClient prior to 5.2.4 allows local users to execute arbitrary code with kernel privileges by setting the callback function in a (1) 0x220024 or (2) 0x220028 ioctl call.

Vulnerable Product

fortinet forticlient

Exploits

/* Check these out: - wwwcoresecuritycom/system/files/publications/2016/05/Windows%20SMEP%20bypass%20U%3DSpdf - labsmwrinfosecuritycom/blog/a-tale-of-bitmaps/ Tested on: - Windows 10 Pro x64 (Post-Anniversary) - ntoskrnlexe: 10014393953 - FortiShieldsys: 523633 Thanks to master @ryujin and @ronin for helping out And ...
/* Check this out: - wwwcoresecuritycom/system/files/publications/2016/05/Windows%20SMEP%20bypass%20U%3DSpdf Tested on: - Windows 10 Pro x64 (Pre-Anniversary) - haldll: 1001024016384 - FortiShieldsys: 523633 Thanks to master @ryujin and @ronin for helping out */ #include <stdioh> #include <stdlibh> #include < ...
#include "stdafxh" #include <stdioh> #include <Windowsh> #include <Psapih> #include <Shlobjh> #pragma comment (lib,"psapi") PULONGLONG leak_buffer = (PULONGLONG)VirtualAlloc((LPVOID)0x000000001a000000, 0x2000, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); ULONGLONG leakQWORD(ULONGLONG addr, HANDLE driver) { memset((LPVO ...

Github Repositories

Collection of resources for my preparation to take the OSEE certification.

Resources. Collection of resources for my preparation to take the OSEE certification. Based on the syllabus from Offensive Security. My review can be found here. Browser Exploitation: Safari/Chrome/Webkit: Exploiting a Safari information leak by Bruno Keith; Attacking Client-Side JIT Compilers by Samuel Groß; Exploiting Logic Bugs in JavaScript JIT Engines by Samuel

All efforts for the AWE course and preparation for the Offensive Security Exploitation Expert (OSEE) exam.

Advanced Windows Exploitation. All efforts for the AWE course and preparation for the Offensive Security Exploitation Expert (OSEE) exam. Study Strategy: Several rounds of course content. First round: Shellcoding on x64 Flash Player [Firefox x86] - Heap Internals (bypassing DEP, ASLR and Sandboxes) - CVE-2015-3104. Second round: VMWare Internals (guest-to-hosts escape) Symante
