Friday, 14 February 2020

Escaping from the Fort - quick CVE-2017-14187 autopsy

I don't know how many times I have wondered how I can get a binary of httpsd from the Fortinet device(s). Last time I tried again using some 'new approach'. ;) Below you will find a few notes. Here we go...

This time we will start here:

Reading the note in the advisory we can see that there is a 'way' to run 'our binary from the USB'.
You can also find (not so many) more details here.

I decided to try to run some other binary ;] To do that I used GNS3 and VMPlayer. Both 'ways' should be fine to 'run your fortinet lab environment' ;) In the end I decided to use VMPlayer.

Once your internet connection (on the VM) is working and you are allowed to connect to it via specific protocols, it's time to move forward.

We should be able to log in as 'admin', so the next thing will be: run 'our command' ;)

(Here or here you will find a few more detailed hints about it. ;))


(At this stage I was still trying to get 'a VM image that contains fnsysctl'. I did not realise that this command was removed in the 'latest version of image' I had. So I continued with multiple images until I found 'the command' ;] on one 5.x VM I tried. Then I prepared the internet connection. ;))

So for "more":

Great! It works! ;D

So now my idea was easy: get a fully working shell on the remote Fortigate VM. Simple? ;>

So let's do a quick wget/less/more/nmap/nc/GET - whatever you want to get this 'working shell' ;)


Interestingly:

So as you will see, there are something like 3-4 different binary files.

My next guess was:
- if I can use some basic *nix commands and...
- if I can list webroot...
- maybe I can simply copy the binary from the /bin/ directory to /webdirectory? ;)

Let's try:


OK, but I AM 'super admin', right? Yes, but no. ;]


Right. :) So:


Cool, now we can proceed:


Let's start with something easy:



Checking:


Very nice :) Maybe now I'll find the time to go back here or here for more details. ;)

Anyway - the same can be done with the whole source code of the webapp:


It should be easier to read the web source with js-beautify (apt-get on Kali):


That's all for now. ;)

You can find my previous notes about Fortinet here: [1, 2, 3].

Happy Valentine's Day and see you next time! ;)

Cheers


 




