A really funny crafted HTTP request! 😀
An improper authorization vulnerability in the SSL-VPN web portal may allow an unauthenticated attacker to change the password of an SSL-VPN web portal user via specially crafted HTTP requests. It works only if the SSL-VPN service ("web-mode" or "tunnel-mode") is enabled. Only users with local authentication are affected; SSL-VPN web portal users with remote authentication such as LDAP or RADIUS are not impacted.
Credits:
- Orange Tsai (@orange_8361) - DEVCORE
- Meh Chang (@mehqq) - DEVCORE
Affected versions:
- FortiOS 5.4.1 to 5.4.10
- FortiOS 5.6.0 to 5.6.8
- FortiOS 6.0.0 to 6.0.4
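For inventory triage against the version ranges above, the following added checker (not part of this PoC or of Fortinet's tooling) parses FortiOS version strings into integer tuples and compares them against the inclusive ranges quoted from this README. Comparing as integer tuples matters because a plain string comparison would sort 5.4.10 before 5.4.2. The inventory format (hostname, tab, version) and the host names are constructed for the example; because the README only says "Upgrade FortiOS" without naming fixed builds, anything outside the listed ranges is reported as "not in listed range" rather than as safe.

```python
"""Flag FortiOS builds that fall inside the CVE-2018-13382 ranges listed in this README.

Added example for defensive inventory triage; not part of the PoC.
The ranges are copied from the README; the inventory format is an assumption.
"""

import re

# Inclusive (first, last) version ranges, as listed in the README.
AFFECTED_RANGES = [
    ((5, 4, 1), (5, 4, 10)),
    ((5, 6, 0), (5, 6, 8)),
    ((6, 0, 0), (6, 0, 4)),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn 'FortiOS 6.0.2', 'v5.6.5' or '5.4.10' into a (major, minor, patch) tuple.

    Raises ValueError when no x.y.z version is present.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no FortiOS version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """Return True if the version (string or tuple) lies inside any listed range.

    Tuple comparison is element-wise on integers, so (5, 4, 10) > (5, 4, 2),
    which a string comparison would get wrong.
    """
    parsed = parse_version(version) if isinstance(version, str) else tuple(version)
    return any(low <= parsed <= high for low, high in AFFECTED_RANGES)


def triage(inventory):
    """Classify 'hostname<TAB>version' lines (constructed format for this example).

    Returns a dict: hostname -> 'affected' | 'not in listed range' | 'unparseable'.
    Blank lines and '#' comments are skipped.
    """
    result = {}
    for line in inventory:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition("\t")
        try:
            result[host] = "affected" if is_affected(version) else "not in listed range"
        except ValueError:
            # Unknown or unparseable version strings are surfaced, not silently ignored.
            result[host] = "unparseable"
    return result


# Constructed sample inventory; host names and versions are made up for the example.
SAMPLE_INVENTORY = [
    "# host\tversion",
    "fw-edge-01\tFortiOS 5.4.10",
    "fw-edge-02\tv6.0.5",
    "fw-branch-03\t5.6.5",
    "fw-lab-04\tunknown",
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feed it an export from your own asset inventory in the same tab-separated shape; hosts reported as "unparseable" need a manual look rather than being treated as clean.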
References:
- DEVCORE Blog - Breaking the Fortigate SSL-VPN
- Blackhat USA 2019 - Infiltrating Corporate Intranet Like NSA
- Medium - Valeriy Shevchenko: Critical vulnerabilities in Pulse Secure and Fortinet SSL VPNs in the Wild Internet
- Twitter - Code White GmbH (@codewhitesec)
- Github - openfortivpn (Issue #348): Include a delay when sending the OTP
- Github - openfortivpn (Issue #427): One-time password prompt problem
Date: May 24th, 2019
Dork: `intitle:"Please Login" intext:"Please Login" inurl:"/remote/login"`
Usage:

```
$ python CVE-2018-13382.py -r <RHOST> -p <RPORT> -u <LOCAL_USERNAME>
$ python CVE-2018-13382.py -r 192.168.0.2 -p 443 -u user1
```
Tested on:
- FortiOS 5.4.6
- FortiOS 5.6.5
- FortiOS 6.0.0
- FortiOS 6.0.2
Fix: upgrade FortiOS.

Mitigation: migrate SSL-VPN user authentication from local to remote (LDAP or RADIUS), or disable the SSL-VPN service entirely (both "web-mode" and "tunnel-mode").
Usage is provided under the WTFPL license.
See LICENSE for the full details.