The post VPN Hacking: Authentication Bypass on Fortinet Fortios first appeared on Hackers Arise.
Welcome back, my aspiring cyberwarriors!

The cybersecurity industry is dependent upon a few developers to produce the routers and VPNs that keep our data safe. Unfortunately, many of these developers have failed to provide products that follow even the most rudimentary cybersecurity best practices. Many of them are like Swiss cheese, full of vulnerability holes that hackers and state actors are exploiting at will. These devices may be the weakest link in your network!
If the bad actors compromise your VPN/router, ALL of your data is at risk. Not only is your data at risk, but the bad actors can also use the compromised VPN/router to upload other malicious code such as ransomware. Among the companies guilty of cybersecurity negligence, Fortinet stands out!
In 2022, a vulnerability was discovered in FortiOS, FortiProxy, and FortiSwitchManager that allows an attacker to bypass authentication and log in to the device as admin. Security researchers at Horizon3.ai developed a proof of concept that exploits this vulnerability. That is what we will be using here.
In this attack, the attacker is capable of uploading their own SSH keys to the Fortinet device via the web server.
Step #1: Attempt to Log In to SSH on the Fortinet Device
First, let's attempt to log in to SSH on the Fortinet device.

As expected, after 3 failed attempts, the SSH application locks us out.
Now, make certain that you create an SSH key pair.
kali > ssh-keygen

As you can see above, ssh-keygen generated a key pair (private/public) and placed it in the hidden directory /home/kali/.ssh/ as id_ed25519. Your key pair will be different and may have a different file name.
Step #2: Download and Install the PoC for CVE-2022-40684
Thanks to the good people at Horizon3.ai, we have a publicly available proof of concept (PoC), or exploit, for this vulnerability.
You can find it at https://github.com/horizon3ai/CVE-2022-40684
kali > git clone https://github.com/horizon3ai/CVE-2022-40684
After cloning it onto your Kali system, navigate to the new directory.
To execute this exploit/PoC, we simply need to point it at the target system's IP address, specify the SSH username to target, and send our key file for that SSH user to the targeted server, such as:
kali > sudo python3 ./CVE-2022-40684 poc.py -t

Now that we have added our key file to the SSH server, we should be able to log in as admin with OUR SSH key.

As you can see above, we have successfully logged into the Fortinet device as admin and now have complete control of this device!
We can take a further step and enter the "show" command to display some basic information on this system, including user=admin.

As an attacker, I can now shutdown or reconfigure your device as well as sniff all the traffic across this interface.
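The end result of this attack is an extra SSH public key on the device's admin account, so one practical check for a defender is to audit the exported configuration for keys that were never approved. The following is an added example (not code from the original post or from the Horizon3.ai PoC): it parses the "config system admin" table of a FortiOS config dump and flags any key missing from a per-admin allowlist. The config layout and the ssh-public-keyN attribute name are assumptions about the FortiOS CLI format, and the sample config is constructed.

```python
import re

# Constructed sample FortiOS config dump; the "config system admin" layout and the
# ssh-public-keyN attribute are assumptions about the FortiOS CLI format.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set ssh-public-key1 "ssh-ed25519 AAAAC3Nza...KNOWNOPSKEY ops@corp"
        set ssh-public-key2 "ssh-ed25519 AAAAC3Nza...UNEXPECTED kali@kali"
    next
    edit "backup-admin"
        set accprofile "super_admin"
    next
end
"""

def parse_admin_ssh_keys(config_text):
    """Return {admin_name: [public_key, ...]} from the config system admin table."""
    keys, current, depth = {}, None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:                       # skip everything outside the admin table
            if line == "config system admin":
                depth = 1
            continue
        if line.startswith("config "):       # nested sub-table inside an admin entry
            depth += 1
        elif line == "end":
            depth -= 1
            if depth == 0:                   # closing "end" of config system admin
                break
        elif depth == 1:
            if m := re.match(r'edit "([^"]+)"$', line):
                current = m.group(1)
                keys[current] = []
            elif (m := re.match(r'set ssh-public-key\d+ "([^"]+)"$', line)) and current:
                keys[current].append(m.group(1))
    return keys

def find_unexpected_keys(config_text, allowlist):
    """Return (admin, key) pairs for keys missing from the per-admin allowlist."""
    findings = []
    for admin, pubkeys in parse_admin_ssh_keys(config_text).items():
        for key in pubkeys:
            if key not in allowlist.get(admin, set()):
                findings.append((admin, key))
    return findings
```

Run it against a freshly exported backup on a schedule and alert on any non-empty result; a key that appears on the admin account without a matching change ticket is exactly the artifact this attack leaves behind.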
Summary
Although VPNs are marketed to organizations around the globe as a way to keep us safe and secure, the developers of these devices have proven themselves unworthy of the trust we place in them. Many of these devices are the weakest link on our network.
Any pentest or cyberwar strategy that does not test the security of these devices is inadequate and insufficient. Attend our upcoming VPN and Router Hacking training to learn the latest techniques for testing and hacking these vulnerable devices!
Source: HackersArise
Source Link: https://hackers-arise.com/vpn-hacking-authentication-bypass-on-fortinet-fortios/