Friday, 13 September 2019

Crashing FortiGate VM 6.2.1 - httpd

After about 6-8 months, today I finally found a moment to go back to the idea I discussed with a friend ('Ścisła Dieta Homarowa', aka 'Tylko homary Team' ;)) and "check those VM image(s) of (a few) popular 'network appliances'". That's how I got to play with my good old friend - Fortinet. :) Here we go...
"Is everybody on the floor?" ;]

We will start here:

The idea was simple:
- find a working appliance (for VirtualBox/VMware Workstation Player - I used version 15)
- run the appliance (and log in to the web app)
- do a blackbox pentest


Easy like that, right? ;)

So I started by registering a new account on the Fortinet Support page. Next I went to the download section to find the latest image (prepared for ESXi). The next step was to open VMware Player (File->Open) and choose the file we extracted (I used vmnet3). Start the machine...

... and press Fn+F2 (in my case) to enter the BIOS. ;) Now you need to change the date (from the current date to the day before). Save it (F10) and reboot the VM.

Now we are ready to start (log in as admin with no password; you'll be asked to set one).

We should be somewhere here:

To avoid 'connection reset' (or timeout) during my blackbox pentest ;) I decided to set a static IP on the FortiGate VM:


During my fuzzing adventures I found that there is a hint in the part of the appliance called the 'log section' ;]

I decided to check it for more details. And here we are:


This is very interesting information, isn't it? ;D

My next question (to my Burp Proxy and tabs-of-Intruders team) was: which request crashed the http(s)d?
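As an added example (my own code, not the author's PoC and not anything from Fortinet): a small Python harness for exactly that question. When an Intruder run kills the daemon, every later request fails too, so the useful signal is the request sent just before the first failed liveness probe. The harness probes the daemon after each case and records that request. The target below is a constructed in-process mock whose crash trigger (an over-long header value) is invented for the demo and has nothing to do with the real FortiGate bug; `tcp_probe` is the real-socket probe you would substitute when pointing this at a lab VM, and the host/port in the comments are assumptions.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class CrashReport:
    index: int            # position of the suspect request in the case list
    request: bytes        # the request sent just before the service stopped answering
    probe_error: str      # what the liveness probe observed


def tcp_probe(host: str, port: int = 443, timeout: float = 3.0, use_tls: bool = True) -> Optional[str]:
    """Liveness check against a real listener: None if a harmless GET / gets any bytes
    back, otherwise the error text. Certificate checks are off because lab appliances
    ship self-signed certs (do not reuse this probe for anything but a lab)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        with sock:
            sock.sendall(b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\nConnection: close\r\n\r\n")
            return None if sock.recv(64) else "empty reply"
    except OSError as exc:
        return str(exc)


def header_growth_cases(path: bytes, header: bytes, sizes: Iterable[int]) -> List[bytes]:
    """Constructed mutation strategy: the same request with one header value grown to each size."""
    return [
        b"GET " + path + b" HTTP/1.1\r\nHost: target\r\n" + header + b": " + b"A" * n + b"\r\n\r\n"
        for n in sizes
    ]


def fuzz_until_crash(cases, send, probe) -> Optional[CrashReport]:
    """Send cases in order; after each one ask the probe whether the daemon still answers.
    The first failing probe pins the request that preceded it. A reset while sending is
    noted but not trusted on its own: the probe is the arbiter."""
    for i, req in enumerate(cases):
        try:
            send(req)
        except OSError:
            pass
        err = probe()
        if err is not None:
            return CrashReport(i, req, err)
    return None


class MockDaemon:
    """Constructed stand-in for the appliance's httpsd so the harness runs offline.
    It 'crashes' when any header value exceeds `limit` bytes. This trigger is invented
    for the demo and is NOT the FortiGate bug described in the post."""

    def __init__(self, limit: int = 512):
        self.limit = limit
        self.alive = True

    def send(self, req: bytes) -> None:
        if not self.alive:
            raise ConnectionResetError("connection reset by peer")
        for line in req.split(b"\r\n")[1:]:
            _name, sep, value = line.partition(b":")
            if sep and len(value.strip()) > self.limit:
                self.alive = False
                raise ConnectionResetError("connection reset by peer")

    def probe(self) -> Optional[str]:
        return None if self.alive else "connection refused"


if __name__ == "__main__":
    daemon = MockDaemon(limit=512)
    cases = header_growth_cases(b"/login", b"Cookie", [16, 256, 600, 4096])
    print(fuzz_until_crash(cases, daemon.send, daemon.probe))  # suspect: case 2 (600-byte Cookie)
    # Against a lab VM (assumed address) you would instead pass a real sender and:
    #   probe=lambda: tcp_probe("192.0.2.10", 443)
```

Probe immediately after each send: an appliance that respawns a crashed daemon may only refuse connections for a short window, and a probe that runs late will miss it and blame the wrong request.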



OK, this should be enough to verify the bug:


Results (from Logs tab):



One more thing...


So... :)

I think that NOW is a good time to contact the vendor and ask for help/updates.

At this point I would like to thank the FortiGuard PSIRT for their help and all the hints during 'responsible disclosure'. It was a pleasure.

The bug was found on 09.09.2019 and, after initial contact with the vendor, I decided to publish the details after 5 days. In the meantime it looks like I found another place in the app where a user can send a malicious request to crash the httpsd server. Let's try:

Results available in the appliance:


Full request for 2nd bug:

The skeleton of the PoC (for the 2nd bug) can be found here.

Let me know what you think about it.
In case of any questions/comments - you know how to find me. ;)

See you next time!

Cheers




