Critical vulnerabilities in Pulse Secure and Fortinet SSL VPNs in the Wild Internet
An SSL VPN is a type of virtual private network that uses the Secure Sockets Layer protocol — or, more often, its successor, the Transport Layer Security (TLS) protocol — in standard web browsers to provide secure, remote-access VPN capability. SSL VPNs protect corporate assets from Internet exposure, but what if SSL VPNs themselves are vulnerable? Once the SSL VPN server is compromised, attackers can infiltrate your Intranet and even take over all users connecting to the SSL VPN server!
Products from both major VPN vendors were hacked, and rather interesting chains of vulnerabilities lead to RCE.
Some of you may already be familiar with these vulnerabilities. They were disclosed at the Black Hat conference in Las Vegas by Orange Tsai and his teammate Meh Chang. Here is the full presentation from their research. It was also described quite clearly in their blog post. The exploitation part of both vulnerabilities was presented.
A vulnerability in the authentication functionality of the Fortinet product was also discovered by Code White GmbH at the same time.
Let's summarize all the findings for both products.
In Pulse Secure, the following was discovered (just the most important ones*):
- CVE-2019-11510 (Pulse_Security_Advisories) — Pre-auth arbitrary file reading
- CVE-2019-11539 (Pulse_Security_Advisories) — Post-auth command injection
In Fortinet's VPN, the following was discovered:
- CVE-2018-13379 (FG-IR-18-384) — Path traversal vulnerability in the FortiOS SSL VPN web portal that could potentially allow an unauthenticated attacker to download files through specially crafted HTTP resource requests.
- CVE-2018-13382 (FG-IR-18-389) — An Improper Authorization vulnerability in the SSL VPN web portal might allow an unauthenticated attacker to change the password of an SSL VPN web portal user using specially crafted HTTP requests.
As you already understand, the main details were missing from the presentation, and there was no valid PoC for the week after it. But I tried to understand everything and got results for both VPN products.
FortiOS SSL research
It wasn't hard to see how FortiOS was vulnerable to path traversal in this way, with sslvpn_websession exposed.
And I quickly found exposed credentials in some environments.
The "magic" backdoor was a bit trickier, but not that hard. That special key is used when resetting a password for a user. A friend and I took a look at sslvpnd and found it.
curl -k "https://example.com/remote/fgt_lang?lang=/../../../../////////////////////////bin/sslvpnd" > sslvpnd.bin
In Orange's presentation, only the first and last characters of that magic backdoor were disclosed: "4************6".
So we just looked around the sslvpnd file and found it there: 4tinet2095866.
It is also funny that nobody paid attention to that magic backdoor earlier, given these GitHub issues: One-time password prompt problem, Delay when sending the OTP.
It is super interesting to find that backdoor token when Fortinet already had the same kind of issue with a hardcoded SSH login under CVE-2016-1909. Who knows how many hardcoded backdoors are still alive in that product?!
Pulse Secure research
With Pulse Secure, the path traversal was disclosed with such an example
And in response we got the content of etc/passwd.
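As an added example (not code from the original post), here is a small defender-side check that flags the path-traversal requests described above, both the FortiOS fgt_lang download and generic cases like the Pulse Secure etc/passwd read, in web or reverse-proxy access logs; the log format and the sample lines are constructed, and the CVE label comes from the advisory list earlier in this post.

```python
# Detect path-traversal requests such as the fgt_lang download above (CVE-2018-13379)
# in web-server or reverse-proxy access logs. Added example, not code from the post;
# the combined-log-style format and the sample lines below are constructed.
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log: the post's fgt_lang traversal (with its "////" padding),
# a percent-encoded variant of the same request, and two benign requests.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2019:12:00:01 +0000] "GET /remote/fgt_lang?lang=/../../../../////////bin/sslvpnd HTTP/1.1" 200 512
203.0.113.5 - - [10/Sep/2019:12:00:02 +0000] "GET /remote/fgt_lang?lang=..%2f..%2f..%2fbin/sslvpnd HTTP/1.1" 200 512
198.51.100.7 - - [10/Sep/2019:12:00:03 +0000] "GET /remote/fgt_lang?lang=en HTTP/1.1" 200 128
198.51.100.8 - - [10/Sep/2019:12:00:04 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 1024
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+)')
DOTDOT_RE = re.compile(r'(^|/)\.\.(/|$)')  # a ".." path segment is the traversal marker

def is_traversal(value: str) -> bool:
    """True if the value holds a '..' segment after decoding (twice, to catch double encoding)."""
    return DOTDOT_RE.search(unquote(unquote(value))) is not None

def check_request(url: str) -> Optional[str]:
    """Return a finding label for one request URL, or None if it looks benign."""
    parts = urlsplit(url)
    if parts.path == "/remote/fgt_lang":
        if any(is_traversal(v) for v in parse_qs(parts.query).get("lang", [])):
            return "CVE-2018-13379 traversal via fgt_lang"
    if is_traversal(parts.path) or is_traversal(parts.query):
        return "generic path traversal"  # also covers other portals, e.g. the Pulse etc/passwd read
    return None

def scan_log(text: str) -> list:
    """Parse access-log lines and return one dict per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline should count these too
        label = check_request(m["url"])
        if label:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "url": m["url"], "finding": label})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):  # status 200 on a traversal request means the file was served
        print(f"{f['ts']} {f['ip']} {f['status']} {f['finding']}: {f['url']}")
```

A hit with status 200 deserves the same response as a confirmed compromise of the appliance: the post notes the traversal exposes session material, so rotate credentials and sessions in addition to patching.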
There are still thousands of environments running both products (FortiOS, Pulse) that have not been patched, even though patches have existed for months: Pulse released its patch in April and Fortinet in May.
I tried to contact some of the companies from the search results (Google, Shodan, ZoomEye) to inform them about the critical issue in their infrastructure. That was around 300 emails trying to draw attention to the issue, but nobody replied to me.
That list included airports, government departments, hospitals, banks, gambling companies, international brands, information security companies (that was funny) and many others.
It seems that some of them had updated when I checked before publishing this story.
The vulnerabilities are as bad as they can get. I just want to wish luck to those who are still vulnerable.