CVE-2018-13379 PoC — Fortinet FortiOS 路径遍历漏洞

Source

https://github.com/jpiechowka/at-doom-fortigate

Associated Vulnerability

Title:Fortinet FortiOS 路径遍历漏洞 (CVE-2018-13379)
Description:An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.

Description

Fortigate CVE-2018-13379 - Tool to search for vulnerable Fortigate hosts in Rapid7 Project Sonar data anonymously through The Tor network.

Readme

# At Doom Fortigate

```
 	

=================     ===============     ===============   ========  ========
\\ . . . . . . .\\   //. . . . . . .\\   //. . . . . . .\\  \\. . .\\// . . //
||. . ._____. . .|| ||. . ._____. . .|| ||. . ._____. . .|| || . . .\/ . . .||
|| . .||   ||. . || || . .||   ||. . || || . .||   ||. . || ||. . . . . . . ||
||. . ||   || . .|| ||. . ||   || . .|| ||. . ||   || . .|| || . | . . . . .||
|| . .||   ||. _-|| ||-_ .||   ||. . || || . .||   ||. _-|| ||-_.|\ . . . . ||
||. . ||   ||-'  || ||  `-||   || . .|| ||. . ||   ||-'  || ||  `|\_ . .|. .||
|| . _||   ||    || ||    ||   ||_ . || || . _||   ||    || ||   |\ `-_/| . ||
||_-' ||  .|/    || ||    \|.  || `-_|| ||_-' ||  .|/    || ||   | \  / |-_.||
||    ||_-'      || ||      `-_||    || ||    ||_-'      || ||   | \  / |  `||
||    `'         || ||         `'    || ||    `'         || ||   | \  / |   ||
||            .===' `===.         .==='.`===.         .===' /==. |  \/  |   ||
||         .=='   \_|-_ `===. .==='   _|_   `===. .===' _-|/   `==  \/  |   ||
||      .=='    _-'    `-_  `='    _-'   `-_    `='  _-'   `-_  /|  \/  |   ||
||   .=='    _-'          `-__\._-'         `-_./__-'         `' |. /|  |   ||
||.=='    _-'                                                     `' |  /==.||
=='    _-'                                                            \/   `==
\   _-'                                                                `-_   /
 `''                                                                      ``'
  
```

Tool to search for vulnerable Fortigate hosts in Rapid7 Project Sonar data anonymously through The Tor network.

### CVE-2018-13379

More infomration on Orange Tsai's Blog: https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html

### How to use
1. Visit https://youtu.be/q657rEkgfKs
2. Download Rapid7 data in json format for port 10443 from https://opendata.rapid7.com/sonar.https/
3. Place json file in /data directory (or configure input path in config.go file and recompile)
4. Download and run Tor Browser
5. Run app
6. Profit (see results.txt output file or configure output file path in config.go and recompile)

### Building from source code
To build from source execute the commands below (Go needs to be installed and properly configured, see https://golang.org/doc/install)

```
git clone https://github.com/jpiechowka/at-doom-fortigate.git
cd at-doom-fortigate
go build -v -a .
```

File Snapshot


 [4.0K]  /data/pocs/6ad6342e23ec55ad5757b964cf681988218414b1
├── [4.0K]  config
│   └── [1.0K]  config.go
├── [4.0K]  doom
│   ├── [ 965]  cleaner.go
│   ├── [ 909]  gatling.go
│   └── [ 534]  pipeline.go
├── [4.0K]  files
│   ├── [ 871]  json.go
│   ├── [1.1K]  reader.go
│   └── [1.6K]  writer.go
├── [ 111]  go.mod
├── [1.0K]  LICENSE
├── [4.0K]  logging
│   └── [ 213]  errors.go
├── [ 289]  main.go
├── [4.0K]  networking
│   ├── [2.7K]  http.go
│   ├── [ 190]  model.go
│   └── [ 826]  tor.go
└── [2.4K]  README.md

5 directories, 15 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!