Skip to content

Extract Useful info from SSL VPN Directory Traversal Vulnerability (FG-IR-18-384)

License

Notifications You must be signed in to change notification settings

SardinasA/FortiVPN-Scanner

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

27 Commits
 
 
 
 
 
 
 
 

Repository files navigation

FG-IR-18-384 (CVE-2018-13379) Scanner/Exploitation Tool

Exploit allowing for the recovery of cleartext credentials. This tool is provided for testing/educational purposes only, Please Don't Use for illegal Activity. Only run it against infrastructure for which you have recieved permission to test.

Headnod to those who discovered the exploit, more information by the researcher can be found here: https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html

This exploit was developed to pull the interesting credentials straight out of the binary, rather than require someone to run strings and review the output.

Google Dork: inurl:remote/login?lang=

Special Thanks and Credits

Resources and Information

Affected Products

  • FortiOS 6.0 - 6.0.0 to 6.0.4
  • FortiOS 5.6 - 5.6.3 to 5.6.7
  • FortiOS 5.4 - 5.4.6 to 5.4.12

(other branches and versions than above are not impacted) ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled

Solutions

Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above. Check Upgrade path here: https://docs.fortinet.com/upgrade-tool

Recommendation if Affected

  • Issue a password change/reset for all users with SSL-VPN access, alert users to changes passwords on other systems if the same password is used.
    • Consider MFA implementation.
    • Consider Cyber Security Training for all staff
  • Back up current FortiGate configurations prior to the upgrade.
  • Download and upgrade the FortiGate (Download current Firmware and Upgrade)

Tool in action

Usage:

Install Requirements: pip3 install -r requirements.txt, then use as below.

python3 fortigate.py -h
  ___ ___  ___ _____ ___ ___   _ _____ ___
 | __/ _ \| _ \_   _|_ _/ __| /_\_   _| __|
 | _| (_) |   / | |  | | (_ |/ _ \| | | _|
 |_| \___/|_|_\ |_| |___\___/_/ \_\_| |___|

Extract Useful info (credentials!) from SSL VPN Directory Traversal Vulnerability (FG-IR-18-384)
Tool developed by @x41x41x41 and @DavidStubley

usage: fortigate.py [-h] [-i INPUT] [-o OUTPUT]

optional arguments:
  -h, --help            
                        show this help message and exit
  -c CREDSCAN, --credscan (y/n)
                        Execute Credential Pull y/n (Yes/No) [Default=n]
  -f FILENAME, --filename (Target list Input Filename) 
                        Target URL or Domain [Default=iplist]
  -i INPUT, --input (IP/DOMAIN)
                        Target URL or Domain TARGET:PORT [Default=None]
  -o OUTPUT, --output (Output Filename)
                        File to output discovered credentials too [Default=Output]

About

Extract Useful info from SSL VPN Directory Traversal Vulnerability (FG-IR-18-384)

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%