CVE-2019-17650: Privilege escalation in FortiClient for Mac
10:30 | Lasse Trolle Borup

This post documents a local privilege escalation vulnerability we found in FortiClient for Mac last year. It's a short post, as it's been some time since I reported the bug, and my memory of the details is somewhat limited.

FortiClient for Mac comprises different security features, like Endpoint Protection and a VPN client. Like many security products, FortiClient has a GUI application running in the user's context, to enable the user to modify certain settings, initiate scans and request VPN establishment. To allow this, a channel is needed to the primary process running as root. In FortiClient for Mac, this channel uses a custom protocol, and the client attaches to the Unix domain socket located at /var/run/fctservctl.sock to communicate with the root process. This is the channel I decided to target when I started looking for a bug in the application.

The first obstacle I came across was a check performed by the root process every time a new connection occurs on the communication socket.