Add fortios path traversal credential grabber (cve-2018-13379) #14518
Conversation
Looks like the oldest VM Fortinet has on their download page is 6.2.5.
Yep, for the 6.2 branch. But a lot haven't done the updates; many devices are still vulnerable in the wild. If you need to check, I can share by mail the public IP of the vulnerable device in my lab.
```ruby
      creds << "#{parse_config(chunk)}"
    end
  end
rescue NoMethodError
```
Instead of assuming the chunk has valid credentials in it and then rescuing this generic exception, we should check the input to see if it is valid. NoMethodError is raised by any typing error in the code, and rescuing it here will make the module much harder to maintain or even tell if it's broken in the future.
Related: #14518 (comment)
Yes, sorry, I had to do some testing before making this change. I think it's better now.
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools. We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:
You can automate most of these changes with the
Please update your branch after these have been made, and reach out if you have any problems.
I'd strongly recommend you just use
I corrected several recommendations from
What broke?
Sorry, surely an error on my side, I updated.
Force-pushed from 846f5be to 1b50dab.
Going to rebase this due to a conflict in testing with the
Force-pushed from 8d8975a to 0ef1ed1.
Force-pushed from 463003f to ee2abf4.
First, what you should know is that the credentials are stored in the session file, and that as long as no user is connected there is no password in it. To test, you must first simulate a connection:
** The password remains in memory until the device is restarted. But that's not the only problem; apparently the separator needs to be changed.
And I'm trying to understand why? 2020 -> 2021?
Do not merge now as that may change. We need to find a better way to parse the response to collect credentials.
It's far from elegant, but it does the job well. I tested on multiple vulnerable devices. The problem is that the header is different each time and the space allocated to session data may change depending on the devices.
Testing the updates confirmed that it works as expected. Results have been emailed over @mekhalleh; not posting them here due to sensitivity.
Hmm, so overall this code looks great, but I do have a few questions. The first is that this module could potentially handle other files, but it looks more like it's a credential gatherer at the moment. This brings into question why this module is not located under the modules/auxiliary/gather/ branch, which would be more appropriate for a credential gatherer.
I also noted that this exploit could be used to retrieve more than creds if you wish to change this, though in light of the above note I'm not sure if this would be a good idea or not; it might be better to just make it a dedicated credential gatherer to avoid confusion.
Finally, I made one comment r.e. a line of code that I think could be removed.
Let me know what you think, open to ideas :)
Alright, after further consideration I realized my previous suggestions didn't make much sense; however, the move to place the files under the
… in users, and to fix some msftidy_docs.rb issues and clear up some explanations
…s purpose. Also fix a minor RuboCop related change Fix up documentation to reflect recent file renaming changes.
Force-pushed from 68c5c7a to 2124ec2.
Okay, sorry about that. I realized the commit history could be tidied up, so I went ahead and did that, and then also made a mistake by not updating some documentation to reflect the recent file name changes, so I went ahead and fixed that up. Should be able to land this once checks pass.
Release Notes
New module
FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests (CVE-2018-13379).
A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.
Vulnerable Application
This module reads the /dev/cmdb/sslvpn_websession file, which contains logins and passwords in clear text. This vulnerability affects FortiOS 5.4.6 to 5.4.12, FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4.
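From the defender's side, the useful signal is any request whose path or query value resolves, after decoding and traversal normalisation, to the session file named above. The following Ruby is an added detection example, not part of this module or of Metasploit; the endpoint, the "file" parameter and the log lines are constructed for illustration.

```ruby
require 'uri'
require 'cgi'

# The system file the advisory names; any request that resolves to it is suspect.
SENSITIVE_FILE = '/dev/cmdb/sslvpn_websession'

# Constructed sample access-log lines (not real traffic). The endpoint and the
# "file" parameter are hypothetical; the last two lines carry traversal
# sequences (plain and percent-encoded) aimed at the session file.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [01/Jan/2021:10:00:00 +0000] "GET /remote/login HTTP/1.1" 200 512
  203.0.113.6 - - [01/Jan/2021:10:00:01 +0000] "GET /hypothetical/resource?file=en HTTP/1.1" 200 120
  198.51.100.9 - - [01/Jan/2021:10:00:02 +0000] "GET /hypothetical/resource?file=/../../../../dev/cmdb/sslvpn_websession HTTP/1.1" 200 32768
  198.51.100.9 - - [01/Jan/2021:10:00:03 +0000] "GET /hypothetical/resource?file=%2e%2e%2f%2e%2e%2fdev%2fcmdb%2fsslvpn_websession HTTP/1.1" 200 32768
LOG

# Percent-decode and resolve dot segments so "/a/../b" and "%2e%2e%2f" both
# normalise to the same absolute path (decoding again here also catches
# double-encoded traversal).
def normalize_path(raw)
  parts = []
  CGI.unescape(raw.to_s).split('/').each do |seg|
    case seg
    when '', '.' then next
    when '..' then parts.pop
    else parts << seg
    end
  end
  '/' + parts.join('/')
end

# True if the request path or any query value resolves to the session file.
def suspicious_request?(request_target)
  begin
    uri = URI.parse(request_target)
  rescue URI::InvalidURIError
    return false
  end
  candidates = [uri.path] + CGI.parse(uri.query.to_s).values.flatten
  candidates.any? { |c| normalize_path(c).end_with?(SENSITIVE_FILE) }
end

# Scan log text and return the unique source IPs that issued suspicious requests.
def flag_sources(log_text)
  log_text.each_line.map do |line|
    m = line.match(/^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP\//)
    m && suspicious_request?(m[2]) ? m[1] : nil
  end.compact.uniq
end
```

Normalising before matching matters because the same target can be written with plain, percent-encoded or redundant dot segments; a literal string match on the raw request line would miss most of them.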
Verification Steps
Options
DUMP_FORMAT
Dump format. (Accepted: raw, ascii)
STORE_CRED
Store credentials in the Metasploit database.
Scenarios
Usages
You can scan and get all credentials on the remote target when you run the following command:
You can get a dump capture of the leaked data file.
To do this specific thing, here's how you do it: