Fortinet Fortigate RCE (CVE-2023-27997)

[jheysel-r7]

Summary

Write a module to exploit CVE-2023-27997

Basic example

https://github.com/lexfo/xortigate-cve-2023-27997

Motivation

As of this morning there were still 330,000 unpatched instances on the internet. Currently being exploited.
https://thehackernews.com/2023/07/alert-330000-fortigate-firewalls-still.html

[jvoisin]

Yay, public exploit available: https://github.com/lexfo/xortigate-cve-2023-27997

[jheysel-r7]

Yay, public exploit available: https://github.com/lexfo/xortigate-cve-2023-27997

Thanks for the heads up @jvoisin! I'll get started on this today :)

[jheysel-r7]

Super cool exploit although I'm going to unassign myself pivot to work on something else for the time being.
Reasoning:

• Only HTTP works over the free version so you need a license to enable HTTPS / setup the SSL VPN component.
• I could only get a copy of a licensed 64-bit Intel appliance setup locally.
• I was unable to find a way to transfer files to and from the device due to the limited shell FortiGate provides.
• So was unable to upload a debugger to try and figure out how we might convert the PoC written for 32-bit ARM appliance over to a working exploit for the 64-bit appliance I had.
• Amazon has a 64-bit ARM AMI but no 32-bit ARM AMI unfortunately.
• The original blog post talks about how they had a 64-bit intel appliance to test on as well although their real world red team target was a 32-bit ARM appliance. Would it even be worth writing a module for 64-bit intel if most real world appliances are ARM?

If anything changes an we're able to run get the necessary targets that would enable us to run PoC on what we believe to be a reasonable subset of real world Fortigate architectures, I'd be happy to write a module for this.