FortiOS Path Traversal

Returning community contributor mekhalleh submitted a module targeting a path traversal vulnerability within the SSL VPN web portal in multiple versions of FortiOS. The flaw is leveraged to read the usernames and passwords of currently logged in users which are stored in plaintext on the file system. This vulnerability is identified as CVE-2018-13379 and can be reliably exploited remotely, without any authentication. Despite the fact that the vulnerability is several years old, CVE-2018-13379 is still known to be exploited in the wild, including in state-sponsored attacks targeting U.S. government agencies and infrastructure.

Additional Module Updates

Two modules received improvements to their targeting capabilities. The ever-popular exploit for MS17-010 was updated by zerosum0x0 (one of the original authors) with an updated fingerprint for properly targeting Windows Storage Server 2008. This allows the exploit module to be used against affected versions of that Server 2008 variant. Additionally, a KarjaSoft Sami FTP exploit was updated by long-time community contributor bcoles who made a number of improvements to it but notably updated the exploit to only rely on an offset within a DLL that is distributed with the vulnerable software. When memory corruption exploits need the address of a POP, POP, RET instruction (as this one does for the SEH overwrite), they are more reliable when referencing one that is distributed with the software and won’t change, unlike libraries that come with the host operating system and are regularly updated.

New Modules (1)

  • FortiOS Path Traversal Credential Gatherer by lynx (Carlos Vieira) and mekhalleh (RAMELLA Sébastien), which exploits a directory traversal vulnerability (CVE-2018-13379) in the SSL VPN web portal of FortiOS 5.4.6 to 5.4.12, FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 to grab the /dev/cmdb/sslvpn_websession file, containing the plaintext list of currently connected usernames and their associated passwords. These credentials can then be saved to the creds database for use in future attacks.

Enhancements and features

  • #14783 from bcoles The KarjaSoft Sami FTP Server v2.0.2 USER Overflow module has been updated with documentation, RuboCop updates, support for the AutoCheck mixin to automatically check if a target is vulnerable, an updated list of authors, as well as improvements to its exploit strategy that allow it to use only one offset within a DLL shipped with the target for exploitation, instead of relying on an Windows OS DLL whose offsets could change as the OS was updated.
  • #14838 from zerosum0x0 The psexec_ms17_010.rb library has been updated to support additionally fingerprinting Windows Storage Server 2008 R2 targets as potentially exploitable targets, thereby allowing users to exploit Windows Storage Server 2008 R2 targets vulnerable to MS17-010.

Bugs Fixed

  • #14816 from dwelch-r7 Ensures that the Faker library is always available for use within modules when generating fake data for bypassing WAF etc.
  • #14821 from space-r7 The search command within Meterpreter has had its logic updated to support searches that start at the root directory, aka /. These types of searches were previously not returning any results due to a logic bug within the code, which has now been fixed.
  • #14840 from dwelch-r7 Removes require rex/ui statement that prevented execution of msfrpc.
  • #14843 from dwelch-r7 With the upgrade to zeitwerk in Metasploit, PseudoShell was not being picked up appropriately, resulting in some modules and tools not being able to load it when needed. A fix has now been applied to make sure that PseudoShell can be appropriately loaded by zeitwerk to prevent missing dependency issues.
  • #14853 from adfoster-r7 Fixes an edge case when upgrading from an older version of Metasploit to Metasploit 6.0.32 when using the Mac Metasploit Omnibus installer directly or indirectly via Brew

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).