ID FORTIAUTHENTICATOR_DEFAULT_CREDS.NASL Type nessus Reporter This script is Copyright (C) 2015-2021 Tenable Network Security, Inc. Modified 2015-02-16T00:00:00
Description
Nessus was able to login to the remote FortiAuthenticator device using
the default password for the 'admin' account. A remote attacker can
exploit this to gain administrative control of the device.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Plugin registration: when loaded for its description only, publish the
# metadata below and stop before any network activity.
if (description)
{
  # Identity and revision.
  script_id(81384);
  script_version("1.5");
  script_name(english:"Fortinet FortiAuthenticator Default Credentials");
  script_summary(english:"Checks for default credentials.");
  script_copyright(english:"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.");

  # Dates and classification.
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/02/16");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:fortinet:fortiauthenticator");
  script_set_attribute(attribute:"default_account", value:"true");

  # Finding text shown to the user.
  script_set_attribute(attribute:"synopsis", value:"The remote host is using a known set of default credentials.");
  script_set_attribute(attribute:"description", value:
"Nessus was able to login to the remote FortiAuthenticator device using
the default password for the 'admin' account. A remote attacker can
exploit this to gain administrative control of the device.");
  script_set_attribute(attribute:"solution", value:
"Change the password for the default 'admin' account.");
  # https://docs.fortinet.com/uploaded/files/1281/fortiauthenticator-admin-12.pdf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ef1c251c");

  # Full compromise over the network with no authentication required.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  # Run only where the detector already found the web UI, and never when the
  # scan policy restricts the scanner to user-supplied logins.
  script_dependencies("fortiauthenticator_webapp_detect.nbin");
  script_require_keys("installed_sw/Fortinet FortiAuthenticator");
  script_exclude_keys("global_settings/supplied_logins_only");
  script_require_ports("Services/www", 443);

  exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");
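# Respect the policy that forbids plugin-supplied credentials.
if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);

app = 'Fortinet FortiAuthenticator';
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:443);
# Audits out by itself if the detector registered more than one install.
install = get_single_install(app_name:app, port:port);

login_path = '/login/';
login_url = build_url(qs:login_path, port:port);

# Factory default account: 'admin' with an empty password.
user = 'admin';
pass = '';

# Fetch the login form first; it carries an anti-CSRF token that has to be
# echoed back with the credentials.
res = http_send_recv3(
  method:'GET',
  item:login_path,
  port:port,
  exit_on_fail:TRUE
);

# Expected form fragment (sample token):
# name='csrfmiddlewaretoken' value='fphn9FdLw8Jn7myWnB00YrWAm1nuNT29'
item = eregmatch(pattern:"name\s*=\s*'csrfmiddlewaretoken'\s*value\s*=\s*'([^']+)'",
                 string:res[2]);

# Bail out if there is no match at all OR the capture group is empty; the
# original '&&' only caught the first case.
if (isnull(item) || isnull(item[1]))
  exit(0, 'Unable to parse anti-CSRF token on login page for web server on port ' + port + '.');

token = item[1];

# NOTE(review): the token is sent unencoded; the pattern above excludes
# quotes but not '&' or '=' — fine for the alphanumeric tokens seen in
# practice, confirm if the form ever changes.
postdata = 'username=' + user + '&password=' + pass + '&csrfmiddlewaretoken=' + token;

# Submit the form exactly like a browser would (Referer included) and follow
# the post-login redirect so the landing page can be inspected.
res = http_send_recv3(
  method:'POST',
  content_type:'application/x-www-form-urlencoded',
  add_headers:make_array('referer', build_url(port:port, qs:login_path)),
  data:postdata,
  item:login_path,
  follow_redirect:1,
  port:port,
  exit_on_fail:TRUE
);

# The login page itself contains the product name; the 'Administration'
# menu entry only appears once a session is established.
logged_in = ('FortiAuthenticator' >< res[2] && '<span>Administration</span>' >< res[2]);

if (!logged_in) audit(AUDIT_WEB_APP_NOT_AFFECTED, app, login_url);

if (report_verbosity > 0)
{
  report = '
Nessus was able to gain access using the following information :

  URL      : '+login_url+'
  User     : '+user+'
  Password : <blank>\n';
  security_hole(port:port, extra:report);
}
else security_hole(port);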
{"id": "FORTIAUTHENTICATOR_DEFAULT_CREDS.NASL", "bulletinFamily": "scanner", "title": "Fortinet FortiAuthenticator Default Credentials", "description": "Nessus was able to login to the remote FortiAuthenticator device using\nthe default password for the 'admin' account. A remote attacker can\nexploit this to gain administrative control of the device.", "published": "2015-02-16T00:00:00", "modified": "2015-02-16T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/81384", "reporter": "This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.", "references": ["http://www.nessus.org/u?ef1c251c"], "cvelist": [], "type": "nessus", "lastseen": "2021-01-20T10:45:10", "edition": 24, "viewCount": 7, "enchantments": {"dependencies": {"references": [], "modified": "2021-01-20T10:45:10", "rev": 2}, "score": {"value": 0.4, "vector": "NONE", "modified": "2021-01-20T10:45:10", "rev": 2}, "vulnersScore": 0.4}, "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81384);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_name(english:\"Fortinet FortiAuthenticator Default Credentials\");\n script_summary(english:\"Checks for default credentials.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is using a known set of default credentials.\");\n script_set_attribute(attribute:\"description\", value:\n\"Nessus was able to login to the remote FortiAuthenticator device using\nthe default password for the 'admin' account. 
A remote attacker can\nexploit this to gain administrative control of the device.\");\n # https://docs.fortinet.com/uploaded/files/1281/fortiauthenticator-admin-12.pdf\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ef1c251c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Change the password for the default 'admin' account.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:fortinet:fortiauthenticator\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"fortiauthenticator_webapp_detect.nbin\");\n script_require_keys(\"installed_sw/Fortinet FortiAuthenticator\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n script_require_ports(\"Services/www\", 443);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\napp = 'Fortinet FortiAuthenticator';\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:443);\ninstall = get_single_install(app_name:app, port:port);\n\nlogin_url = build_url(qs:'/login/', port:port);\n\nuser = 'admin';\npass = '';\n\nres = http_send_recv3(\n method:'GET',\n item:'/login/',\n port:port,\n exit_on_fail:TRUE\n);\n\n# name='csrfmiddlewaretoken' value='fphn9FdLw8Jn7myWnB00YrWAm1nuNT29'\nitem = eregmatch(pattern:\"name\\s*=\\s*'csrfmiddlewaretoken'\\s*value\\s*=\\s*'([^']+)'\",\n 
string:res[2]);\n\nif(isnull(item) && isnull(item[1]))\n exit(0, 'Unable to parse anti-CSRF token on login page for web server on port ' + port + '.');\n\ntoken = item[1];\n\npostdata = 'username=' + user + '&password=' + pass + '&csrfmiddlewaretoken=' + token;\n\nres = http_send_recv3(\n method:'POST',\n content_type:'application/x-www-form-urlencoded',\n add_headers:make_array('referer', build_url(port:port, qs:'/login/')),\n data:postdata,\n item:'/login/',\n follow_redirect:1,\n port:port,\n exit_on_fail:TRUE\n);\n\nif (\n 'FortiAuthenticator' >< res[2] &&\n '<span>Administration</span>' >< res[2])\n{\n if (report_verbosity > 0)\n {\n report = '\nNessus was able to gain access using the following information :\n\n URL : '+login_url+'\n User : '+user+'\n Password : <blank>\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, login_url);\n", "naslFamily": "CGI abuses", "pluginID": "81384", "cpe": ["cpe:/a:fortinet:fortiauthenticator"], "scheme": null}