We’ll start with more Black Hat/DEFCON news. [Meh Chang] and [Orange Tsai] from Devcore took a look at Fortinet and Pulse Secure devices, and found multiple vulnerabilities. (PDF Slides) They are publishing summaries for that research, and the summary of the Fortinet research is now available.
It’s… not great. There are multiple pre-authentication vulnerabilities, as well as what appears to be an intentional backdoor.
CVE-2018-13379 abuses an snprintf call made when requesting a different language for the device login page. snprintf is an alternative to sprintf, intended to prevent buffer overflows by including the maximum string length to write to the target buffer, which sounds like a good idea but can lead to malicious truncation. The code in question looks like snprintf(s, 0x40, "/migadmin/lang/%s.json", lang);
When loading the login page, a request is made for a language file, and the file is sent to the user. At first look, it seems that this would indeed limit the file returned to a .json file from the specified folder. Unfortunately, there is no further input validation on the request, so a language of ../../arbitrary is considered perfectly legitimate, escaping the intended folder. This alone would leak arbitrary json files, but since snprintf silently truncates rather than failing when the formatted string exceeds the specified length, sending a request for a lang that is long enough results in the “.json” extension not being appended to the path either.
A metasploit module has been written to test for this vulnerability, and it requests a lang of /../../../..//////////dev/cmdb/sslvpn_websession. That is just long enough to force the json extension to fall off the end of the string, and Unix convention is to treat the extra slashes in a path as a single separator. Just like that, the Fortigate is serving up any file on its filesystem just for asking nicely.
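To make the truncation concrete, here is an added C example (not Devcore's or Fortinet's code) that builds the same 64-byte path with the pattern quoted above, once ignoring snprintf's return value and once the way a defender would write it. The 16-character length bound and the letters/digits/underscore/hyphen allowlist are assumptions chosen for the example; the point is that snprintf reports the length it wanted to write, and a result at or above the buffer size means the output was cut short.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define PATH_BUF 0x40  /* the 64-byte buffer size quoted in the write-up */

/* Mirrors the vulnerable pattern: format the path and ignore snprintf's result.
 * Returns 1 if the finished string still ends in ".json", 0 if the extension
 * was truncated away. The lang value is not validated at all. */
int build_path_unchecked(char *out, size_t outlen, const char *lang) {
    snprintf(out, outlen, "/migadmin/lang/%s.json", lang);
    size_t n = strlen(out);
    return n >= 5 && strcmp(out + n - 5, ".json") == 0;
}

/* Hardened version (assumed policy, not Fortinet's fix): allowlist the language
 * token, bound its length, and treat a snprintf result >= outlen as failure.
 * Returns 0 on success, -1 for rejected input, -2 if the path was truncated. */
int build_path_checked(char *out, size_t outlen, const char *lang) {
    if (lang == NULL || *lang == '\0') return -1;
    size_t len = 0;
    for (const char *p = lang; *p; p++, len++) {
        unsigned char c = (unsigned char)*p;
        /* No '/', '.', or anything else that could steer the path */
        if (!(isalnum(c) || c == '_' || c == '-')) return -1;
        if (len >= 16) return -1;  /* assumed maximum token length */
    }
    int written = snprintf(out, outlen, "/migadmin/lang/%s.json", lang);
    if (written < 0 || (size_t)written >= outlen) {
        out[0] = '\0';  /* never hand back a half-built path */
        return -2;
    }
    return 0;
}

/* Probes on a local 0x40 buffer, so callers can inspect the outcome directly. */
int unchecked_keeps_extension(const char *lang) {
    char buf[PATH_BUF];
    return build_path_unchecked(buf, sizeof buf, lang);
}

int checked_result_n(const char *lang, size_t outlen) {
    char buf[PATH_BUF];
    if (outlen > sizeof buf) outlen = sizeof buf;
    return build_path_checked(buf, outlen, lang);
}

int main(void) {
    char buf[PATH_BUF];
    /* The traversal value from the write-up: 48 characters after the 15-byte
     * prefix fill the buffer exactly, so ".json" never makes it in. */
    const char *traversal = "/../../../..//////////dev/cmdb/sslvpn_websession";
    build_path_unchecked(buf, sizeof buf, traversal);
    printf("unchecked: %s (extension kept: %d)\n", buf, unchecked_keeps_extension(traversal));
    printf("checked rejects traversal: %d\n", checked_result_n(traversal, PATH_BUF));
    printf("checked accepts 'en': %d\n", checked_result_n("en", PATH_BUF));
    printf("checked detects truncation with a 20-byte buffer: %d\n", checked_result_n("en", 20));
    return 0;
}
```

The unchecked builder reports the extension present for a short traversal like ../../arbitrary (the leak the text describes first) and gone for the long one; the checked builder rejects both before snprintf runs, and the -2 path shows what catching the return value buys you when the buffer really is too small.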
More worrying than the snprintf bug is the magic value that appears to be an intentional backdoor. A simple 14 character string sent as an http query string bypasses authentication and allows changing any user’s password — without any authentication. This story is still young, and it’s possible this was intended to have a benign purpose. If it’s an honest mistake, it’s a sign of incompetence. If it’s an intentional backdoor, it’s time to retire any and all Fortinet equipment you have.
Pulse Secure VPNs have a similar pre-auth arbitrary file read vulnerability. Once the full report is released, we’ll cover that as well.
Exploitation in the Wild
But wait, there’s more. Hide your kids, hide your wife. Webmin, Pulse Secure, and Fortigate are already being exploited actively in the wild, according to ZDNet. Based on reports from Bad Packets, the Webmin backdoor was being targeted in scans within a day of announcement, and exploited within three days of the announcement. There is already a botnet spreading via this backdoor. It’s estimated that there are around 29,000 vulnerable Internet-facing servers.
Both Pulse Secure and Fortinet’s Fortigate VPN appliances are also being actively targeted. Even though the vulnerabilities were reported first to the vendors, and patched well in advance of the public disclosure, thousands of vulnerable devices remain. Apparently routers and other network appliance hardware are fire-and-forget solutions, and often go without important security updates.
VLC is Actually Vulnerable This Time
The VLC media player has released a new update, fixing 11 CVEs. These CVEs are all cases of mishandling malformed media files, and are only exploitable by opening a malicious file with VLC. Be sure to go update VLC if you have it installed. Even though no arbitrary code execution has been demonstrated for any of these issues, it’s likely that it will eventually happen.
Gray Market IP Addresses
With the exhaustion of IPv4 addresses, many have begun using alternative methods to acquire address space, including the criminal element. Krebs on Security details his investigation into one such story: Residential Networking Solutions LLC (Resnet). It all started with an uptick in fraudulent transactions originating from Resnet residential IP addresses. Was this a real company, actually providing internet connectivity, or a criminal enterprise?
Devcore’s slides are amazing, go read that PDF
Obfuscated magic string in the slides is almost readable: 4tinet2C953666 maybe?
It’s “almost readable” by humans – a simple pattern-matching algorithm would be able to figure that one out in a heartbeat. What exactly was the point of doing that?
regarding the Krebs site:
Too bad our elected “leaders” will never grow a spine and tell AT&T, etc, to simply stop leasing network access to the bad actors.
So many robocalls and scammers could be eliminated -IF- we simply stopped allowing the network companies to play both sides against each other.
As long as their business model is allowed to remain as renting the bulk access to nuisance actors and then clipping the rest of us $10~$20 (per month) for, essentially useless, “call blocking” and caller I.D., then we’ll never be rid of this crap.
Most people don’t even know about things like Five Eyes, let alone that VPN services are often owned and managed by venture capitalist types who contract out network and security engineering to whoever has the lowest bid in India or the Middle East.
If you’re not using a pinned cert and HSTS they can also MITM TLS. Most banks and casinos don’t even have pinned certs; they are just protected by the OS root store.
cont. The tables have turned… Windows 10 has virtualization and TPM based security, and hardened Linux distros just have jail policies and weak GCC options.
Pardon my ignorance, but regarding this line “• We are not hardware guys :(” in the PDF: I always assumed that a good, or at least a decent-level, hacker (or infosec expert) needed to have good knowledge about hardware….