The original article can be found here.
Fortigate SSL VPN is susceptible to a major vulnerability, **CVE-2018-13379, ** that you need to know about.
Fortigate SSL VPN is the most popular remote access way for enterprise users!
**The article points out that if users compare to the site-to-site VPN such as the IPSEC and PPTP, SSL VPN is more easy to use and compatible with any network environments. **
The article adds that, what if this trusted equipment is insecure? It is an important corporate asset but a blind spot of corporation. According to a survey on Fortune 500, the Top-3 SSL VPN vendors dominate about 75% market share. The diversity of SSL VPN is narrow.
Therefore, once we find a critical vulnerability on the leading SSL VPN, the impact is huge.
Fortigate SSL VPN.
The article adds that Fortinet calls their SSL VPN product line as Fortigate SSL VPN, which is prevalent among end users and medium-sized enterprise.
There are more than 480k servers operating on the internet and is common in Asia and Europe. We can identify it from the URL /remote/login.
All-in-one binary.
** The author of the article pointed out that the company started its research from the file system. We tried to list the binaries in /bin/ and found there are all symbolic links, pointing to /bin/init. **
Fortigate compiles all the programs and configurations into a single binary, which makes the init really huge. It contains thousands of functions and there is no symbol! It only contains necessary programs for the SSL VPN, so the environment is really inconvenient for hackers. For example, there is even no /bin/ls or /bin/cat!
Web daemon.
**The article pointed out that there are 2 web interfaces running on the Fortigate. One is for the admin interface, handled with /bin/httpsd on the port 443. **
The other is normal user interface, handled with /bin/sslvpnd on the port 4433 by default. Generally, the admin page should be restricted from the internet, so we can only access the user interface.
The article added that through their investigation, they found the web server is modified from apache, but it is the apache from 2002. Apparently they modified apache in 2002 and added their own additional functionality. We can map the source code of apache to speed up our analysis.
In both web service, they also compiled their own apache modules into the binary to handle each URL path. We can find a table specifying the handlers and dig into them!
WebVPN.
**The article points out that WebVPN is a convenient proxy feature which allows us connect to all the services simply through a browser. **
It supports many protocols, like HTTP, FTP, RDP. It can also handle various web resources, such as WebSocket and Flash. To process a website correctly, it parses the HTML and rewrites all the URLs for us. This involves heavy string operation, which is prone to memory bugs.
Vulnerabilities.
The authors of the article found several vulnerabilities:
- CVE-2018-13379: Pre-auth arbitrary file reading
While fetching corresponding language file, it builds the json file path with the parameter lang:
- CVE-2018-13381: Pre-auth heap overflow
While encoding HTML entities code, there are 2 stages. The server first calculate the required buffer length for encoded string. Then it encode into the buffer. In the calculation stage, for example, encode string for < is < and this should occupies 5 bytes. If it encounter anything starts with &#, such as <, it consider there is a token already encoded, and count its length directly.
CVE-2018-13382: The magic backdoor.
The article pointed out that in the login page, we found a special parameter called magic. Once the parameter meets a hardcoded string, we can modify any user’s password.
The article added that according to their survey, there are still plenty of Fortigate SSL VPN lack of patch. Therefore, considering its severity, we will not disclose the magic string. However, this vulnerability has been reproduced by the researcher from CodeWhite. It is surely that other attackers will exploit this vulnerability soon! Please update your Fortigate ASAP!
CVE-2018-13383: Post-auth heap overflow.
The article pointed out that this is a vulnerability on the WebVPN feature. While parsing JavaScript in the HTML, it tries to copy content into a buffer with some dodgy code**
The buffer size is fixed to 0x2000, but the input string is unlimited. Therefore, here is a heap overflow. It is worth to note that this vulnerability can overflow Null byte, which is useful in our exploitation.
To trigger this overflow, we need to put our exploit on an HTTP server, and then ask the SSL VPN to proxy our exploit as a normal user.
CVE-2018-13381.
**The authors of the article pointed out that their first attempt is exploiting the pre-auth heap overflow. However, there is a fundamental defect of this vulnerability – It does not overflow Null bytes. **
The article adds that, in general, this is not a serious problem. The heap exploitation techniques nowadays should overcome this. However, we found it a disaster doing heap feng shui on Fortigate. There are several obstacles, making the heap unstable and hard to be controlled.
Single thread, single process, single allocator.
The article points out that the web daemon handles multiple connection with epoll(), no multi-process or multi-thread, and the main process and libraries use the same heap, called JeMalloc. It means, all the memory allocations from all the operations of all the connections are on the same heap. Therefore, the heap is really messy.
Operations regularly triggered.
The article adds that this interferes the heap but is uncontrollable. We cannot arrange the heap carefully because it would be destroyed.**
Apache additional memory management.
The memory won’t be free() until the connection ends. We cannot arrange the heap in a single connection. Actually this can be an effective mitigation for heap vulnerabilities especially for use-after-free.
CVE-2018-13379 + CVE-2018-13383.
The article points out that this is a combination of pre-auth file reading and post-auth heap overflow. One for gaining authentication and one for getting a shell.**
Gain authentication.
The article adds that users first use CVE-2018-13379 to leak the session file. The session file contains valuable information, such as username and plaintext password, which let us login easily.**
Timeline
- 11 December, 2018 Reported to Fortinet
- 19 March, 2019 All fix scheduled
- 24 May, 2019 All advisory released
Fix
The only known fix thus far is to upgrade to FortiOS 5.4.11, 5.6.9, 6.0.5, 6.2.0 or above.
We know that this might be difficult to do on your own. CVE-2018-13379 is a major risk, don’t fall prey to this vulnerability. Contact our A Team and let us help you enable secure productivity in your business.