VPN Hacking: Authentication Bypass on Fortinet FortiOS

Tr0jan_Horse

Welcome back, my aspiring cyberwarriors!


The cybersecurity industry depends on a handful of vendors to produce the routers and VPNs that are supposed to keep our data safe. Unfortunately, many of these vendors have failed to ship products that follow even the most rudimentary security practices. Many of their devices are like Swiss cheese, full of holes that criminals and state actors exploit at will. These devices may be the weakest link in your network!


If attackers compromise your VPN or router, ALL of your data is at risk. Beyond your data, an attacker can use a foothold on the VPN/router to push other malicious code, such as ransomware, into your network. Among the companies guilty of this kind of negligence, Fortinet stands out!


In 2022, a vulnerability was discovered in FortiOS, FortiProxy, and FortiSwitchManager that allows an attacker to bypass authentication and log in to the device as admin. Security researchers at Horizon3.ai developed a proof-of-concept (PoC) exploit for this vulnerability. We use that exploit in this tutorial.


In this attack, the attacker uploads their own SSH public key to the Fortinet device through its web interface and then logs in as admin over SSH.





Step #1: Attempt to Login to SSH on the Fortinet Device


First, let's attempt to log in to SSH on the Fortinet device.

[Screenshot: fortinet-failed-login.png]

As expected, after three failed attempts the SSH service locks us out.


Now, make certain that you generate an SSH key pair with ssh-keygen.


kali > ssh-keygen

[Screenshot: fortinet-ssh-keygen.png]

As you can see above, ssh-keygen generated a key pair (private/public) and placed it in the hidden directory /home/kali/.ssh/, here as id_ed25519 (private) and id_ed25519.pub (public). Your key pair will be different and will likely have a different file name.


Step #2: Download and Install the PoC for CVE-2022-40684


Thanks to the good people at Horizon3.ai, we have a publicly available proof-of-concept (PoC) exploit for this vulnerability.


You can find it at https://github.com/horizon3ai/CVE-2022-40684


kali > git clone https://github.com/horizon3ai/CVE-2022-40684

After cloning it onto your Kali system, change into the new directory.

To run this exploit/PoC, we simply point it at the target system's IP address, name the SSH user whose account we want to add a key to, and supply the SSH public key file for that user, such as:

kali > sudo python3 ./CVE-2022-40684.py -t <IP address> --username admin --key-file <ssh public key file>


[Screenshot: fortinet-ssh-key-added-2-1024x116.png]
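From the defender's side, the same step leaves a trace in the device's event log. Fortinet's advisory for CVE-2022-40684 told administrators to look for configuration changes attributed to user="Local_Process_Access" arriving through a ui of "Node.js" or "Report Runner". The following scanner is an added example, not code from this post or from Horizon3.ai's repository: it parses FortiOS-style key="value" event lines and flags those indicators, plus any change to an admin account's ssh-public-key attributes regardless of who made it. The sample lines, the log IDs, and the exact field names (ui=, cfgpath=, cfgobj=, cfgattr=) are constructed to resemble FortiOS events and are assumptions; compare them with a real log export before turning this into a production rule.

```python
import re

# Constructed FortiOS-style event-log lines (key="value" format). Lines 1 and 2
# carry the indicators from Fortinet's CVE-2022-40684 advisory; line 3 is a
# routine interface edit by a real admin over SSH; line 4 is an SSH-key change
# made by a real admin through the GUI, which is still worth reviewing.
SAMPLE_LOGS = [
    'date=2022-10-13 time=10:11:12 logid="0100044547" type="event" subtype="system" '
    'level="information" logdesc="Object attribute configured" user="Local_Process_Access" '
    'ui="Node.js" action="Edit" cfgpath="system.admin" cfgobj="admin" '
    'cfgattr="ssh-public-key1[->ssh-ed25519 AAAA... kali]" msg="Edit system.admin admin"',
    'date=2022-10-13 time=10:11:30 logid="0100044547" type="event" subtype="system" '
    'level="information" logdesc="Object attribute configured" user="Local_Process_Access" '
    'ui="Report Runner" action="Edit" cfgpath="system.admin" cfgobj="admin" '
    'cfgattr="accprofile[super_admin->super_admin]" msg="Edit system.admin admin"',
    'date=2022-10-13 time=11:02:05 logid="0100044547" type="event" subtype="system" '
    'level="information" logdesc="Object attribute configured" user="admin" '
    'ui="ssh(10.0.0.5)" action="Edit" cfgpath="system.interface" cfgobj="port2" '
    'cfgattr="alias[->dmz]" msg="Edit system.interface port2"',
    'date=2022-10-13 time=11:30:44 logid="0100044547" type="event" subtype="system" '
    'level="information" logdesc="Object attribute configured" user="admin" '
    'ui="GUI(10.0.0.5)" action="Edit" cfgpath="system.admin" cfgobj="backup-admin" '
    'cfgattr="ssh-public-key1[->ssh-ed25519 AAAA... ops@bastion]" msg="Edit system.admin backup-admin"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Indicators named in Fortinet's advisory for this CVE.
SUSPICIOUS_USERS = {"Local_Process_Access"}
SUSPICIOUS_UIS = {"Node.js", "Report Runner"}


def parse_fortios_event(line: str) -> dict:
    """Turn one key="value" log line into a dict (quoted or bare values)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def suspicion_reasons(event: dict) -> list:
    """Return the list of reasons an event deserves a look (empty if none)."""
    reasons = []
    if event.get("user") in SUSPICIOUS_USERS:
        reasons.append("user=" + event["user"])
    if event.get("ui") in SUSPICIOUS_UIS:
        reasons.append("ui=" + event["ui"])
    # Any SSH-key change on an admin account is reviewed against change records,
    # even when a legitimate admin made it.
    if event.get("cfgpath") == "system.admin" and event.get("cfgattr", "").startswith("ssh-public-key"):
        reasons.append("SSH key change on admin " + event.get("cfgobj", "?"))
    return reasons


def scan_events(lines) -> list:
    """Scan log lines; return (line number, date, time, reasons) for each hit."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        event = parse_fortios_event(line)
        reasons = suspicion_reasons(event)
        if reasons:
            hits.append((lineno, event.get("date"), event.get("time"), reasons))
    return hits


if __name__ == "__main__":
    for lineno, date, time, reasons in scan_events(SAMPLE_LOGS):
        print(f"line {lineno} ({date} {time}): " + "; ".join(reasons))
```

The third rule is deliberately broader than the advisory: a key being added to an admin account is rare enough on a managed device that every occurrence should map to a change ticket, and it catches key additions that arrive without the advisory's user and ui values.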




Now that we have added our key to the admin account, we should be able to log in as admin with our own SSH key.

[Screenshot: fortinet-ssh-success-1.png]

As you can see above, we have successfully logged in to the Fortinet device as admin and now have complete control of it!


We can take a further step and enter the "show" command to display some basic configuration information for this system, including "user=admin".

[Screenshot: fortinet-config.png]

As an attacker, I can now shut down or reconfigure your device, as well as sniff all the traffic crossing this interface.
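The same "show" output is what a responder uses to find out whether this has already happened. An added example (not code from this post or from Horizon3.ai): it parses a constructed excerpt of "show system admin" output, computes the SHA256 fingerprint of every ssh-public-keyN value the way ssh-keygen -lf prints it, and reports any key whose fingerprint is not on the operator's allowlist. The config excerpt, the two key blobs, and the account names are synthetic; the keys are built from filler bytes so they decode and hash but are not real key material.

```python
import base64
import hashlib
import re


def _synthetic_ed25519_key(seed: int, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 public key line for the demo.
    The 32-byte key body is filler (constructed), not a real key."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes([seed]) * 32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


OPS_KEY = _synthetic_ed25519_key(1, "ops@bastion")   # the key the team actually issued
ROGUE_KEY = _synthetic_ed25519_key(2, "kali")        # a key nobody authorised

# Constructed "show system admin" excerpt in FortiOS config syntax (assumed layout).
CONFIG_EXPORT = f'''config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set ssh-public-key1 "{OPS_KEY}"
        set ssh-public-key2 "{ROGUE_KEY}"
    next
    edit "backup-admin"
        set accprofile "super_admin"
        set vdom "root"
        set ssh-public-key1 "{OPS_KEY}"
    next
end
'''


def ssh_fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (unpadded base64)."""
    blob_b64 = pubkey_line.split()[1]
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_admin_keys(config_text: str) -> dict:
    """Map each admin account name to the list of ssh-public-keyN values set on it."""
    admins = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            admins[current] = []
            continue
        m = re.match(r'set ssh-public-key\d+ "([^"]+)"', line)
        if m and current is not None:
            admins[current].append(m.group(1))
        if line == "next":
            current = None
    return admins


def audit_admin_keys(config_text: str, allowed_fingerprints: set) -> list:
    """Return (admin, fingerprint, comment) for every key not on the allowlist."""
    findings = []
    for admin, keys in parse_admin_keys(config_text).items():
        for key in keys:
            fp = ssh_fingerprint(key)
            if fp not in allowed_fingerprints:
                parts = key.split(maxsplit=2)
                comment = parts[2] if len(parts) > 2 else ""
                findings.append((admin, fp, comment))
    return findings


# Fingerprints the team recorded for the keys it issued (here derived from OPS_KEY).
ALLOWED = {ssh_fingerprint(OPS_KEY)}

if __name__ == "__main__":
    for admin, fp, comment in audit_admin_keys(CONFIG_EXPORT, ALLOWED):
        print(f"unexpected SSH key on admin '{admin}': {fp} ({comment})")
```

Matching on fingerprints rather than the key comment matters because the comment is free text that anyone uploading a key can set. Finding a key you did not issue is the cue to treat the device as compromised, remove the key, rotate every credential it held, and check the other configuration for changes; for unpatched devices Fortinet's own workaround was to disable the HTTP/HTTPS administrative interface or restrict which addresses can reach it.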

Summary

Although VPNs are marketed to organizations around the globe as a way to keep us safe and secure, the developers of these devices have proven themselves unworthy of the trust we place in them. Many of these devices are the weakest link on our networks.


Any pentest or cyberwar strategy that does not test the security of these devices is inadequate. Attend our upcoming VPN and Router Hacking training to learn the latest techniques for testing and hacking these vulnerable devices!