Yet again, all your creds are belong to us! 😉
A path traversal vulnerability in the FortiGate SSL-VPN web portal allows an unauthenticated attacker to leak users' web session credentials. It works only if the SSL-VPN service ("web-mode" or "tunnel-mode") is enabled.
- Orange Tsai (@orange_8361) - DEVCORE
- Meh Chang (@mehqq) - DEVCORE
- FortiOS 5.4.6 to 5.4.12
- FortiOS 5.6.3 to 5.6.7
- FortiOS 6.0.0 to 6.0.4
- DEVCORE Blog - Breaking the Fortigate SSL-VPN
- Blackhat USA 2019 - Infiltrating Corporate Intranet Like NSA
May 24th, 2019
intitle:"Please Login" intext:"Please Login" inurl:"/remote/login"
$ python CVE-2018-13379.py -r <RHOST> -p <RPORT>
$ python CVE-2018-13379.py -r 192.168.0.2 -p 443
- FortiOS 5.4.6
- FortiOS 5.6.5
- FortiOS 6.0.0
- FortiOS 6.0.2
Upgrade FortiOS.
Disable the SSL-VPN service (both "web-mode" and "tunnel-mode").
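For triaging a device inventory against the affected FortiOS ranges and the SSL-VPN workaround listed above, here is an added example (not part of the original PoC or of any Fortinet tooling). The function names, hostnames and version strings are constructed for illustration.

```python
import re

# Affected FortiOS ranges exactly as listed on this page (inclusive bounds).
AFFECTED = [((5, 4, 6), (5, 4, 12)), ((5, 6, 3), (5, 6, 7)), ((6, 0, 0), (6, 0, 4))]
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a version string, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def triage(version_text, sslvpn_enabled):
    """Classify one device against the ranges and workaround on this page."""
    ver = parse_version(version_text)
    if ver is None:
        return "unknown-version"  # needs a manual check, never assume safe
    # Tuples compare numerically per component, so 5.4.12 sorts after 5.4.6;
    # a plain string comparison would wrongly put it before.
    if not any(lo <= ver <= hi for lo, hi in AFFECTED):
        return "not-in-listed-ranges"
    # The issue is reachable only when SSL-VPN (web-mode or tunnel-mode) is on.
    return "exposed" if sslvpn_enabled else "affected-sslvpn-disabled"


# Constructed inventory: (hostname, reported version string, SSL-VPN enabled).
INVENTORY = [
    ("fw-edge-01", "FortiGate v6.0.4 build0000", True),
    ("fw-edge-02", "5.4.12", True),
    ("fw-lab-01", "5.6.5", False),
    ("fw-dc-01", "v6.0.5", True),
    ("fw-old-01", "5.6.2", True),
    ("fw-unk-01", "n/a", True),
]


def report(inventory):
    """Map each hostname to its triage status."""
    return {host: triage(ver, vpn) for host, ver, vpn in inventory}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:12} {status}")
```

Devices reported as `affected-sslvpn-disabled` still need the FortiOS upgrade, since re-enabling SSL-VPN would expose them again.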
Usage is provided under the WTFPL license.
See LICENSE for the full details.