CVE-2018-13379

Published: 04/06/2019 Updated: 19/11/2020
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 518
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 under SSL VPN web portal allows an unauthenticated malicious user to download system files via specially crafted HTTP resource requests.

Exploits

# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text # Google Dork: intext:"Please Login" inurl:"/remote/login" # Date: 17/08/2019 # Exploit Author: Carlos E Vieira # Vendor Homepage: www.fortinet.com/ # Software Link: www.fortinet.com/products/fortigate/fortios.html # Version: This vulnerability affect ( For ...

Mailing Lists

This Metasploit module exploits FortiOS versions 5.6.3 through 5.6.7 and 6.0.0 through 6.0.4 to leverage a credential disclosure vulnerability by reading the /dev/cmdb/sslvpn_websession file ...
FortiOS versions 5.6.3 through 5.6.7 and 6.0.0 through 6.0.4 suffer from a credential disclosure vulnerability ...

Github Repositories

Extract Useful info from SSL VPN Directory Traversal Vulnerability (FG-IR-18-384)

FG-IR-18-384 (CVE-2018-13379) Exploitation Tool. Exploit allowing for the recovery of cleartext credentials. This tool is provided for testing purposes only. Only run it against infrastructure for which you have received permission to test. Headnod to those who discovered the exploit; more information by the researcher can be found here: blog.orange.tw/2019/08/attacking-

CVE-2018-13379-FortinetVPN An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 under SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests. detect-fortinet.sh = Check if the host is running Fortinet VP

CVE-2018-13379 CVE-2018-13379 Module for Router Scan Project. How To Use: prepare: pip3 install time,threading,ipcalc,requests; usage: python3 exp.py -f [list.txt]. Copyright: some part of this repository that send tcp response is partly forked from milo2012/CVE-2018-13379 with some changes for APIs of Router Scan Project

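Fortinet FortiOS path traversal vulnerability (CVE-2018-13379) batch detection script

Usage & disclaimer: This script is a batch detection script for the Fortinet FortiOS path traversal vulnerability (CVE-2018-13379). Usage: Python CVE-2018-13379.py url.txt; vulnerable addresses are written to vul.txt. Affected versions: the SSL VPN in Fortinet FortiOS versions 5.6.3 - 5.6.7 and 6.0.0 - 6.0.4 is affected by this vulnerability. The vulnerability stems from the system's failure to properly filter, in resource or file paths, the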

CVE-2018-13379 Script for Nmap NSE.

cve2018-13379-nmap-script CVE-2018-13379 Script for Nmap NSE

CVE-2018-13379-FortinetVPN An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 under SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests

CVE-2018-13379 Exploit

FortiOS-Credentials-Disclosure CVE-2018-13379 Exploit Usage : python CVE-2018-13379.py list.txt

Fortiscan (CVE-2018-13379) Exploitation Tool. You can use this tool to check the vulnerability in your FortiGate SSL-VPN service. www.fortiguard.com/psirt/FG-IR-18-384

Archiving Leaked samples from Different sources for Different Uses

Vault6 SunBurst : FireEye Tools Supernova_webshell_backdoor APT_Dropper APTs Android Malware Collection : Anubis Source Dendroid Source Leaks : Readmetxt (Mega/Torrent Linksfiles) WinXp_Source WinServer_Source Intel_Leak Nissan_Leak CVE-2018-13379

-Infiltration-summary Summary of day-to-day work. Connecting Navicat to a local MySQL database: ALTER USER 'root'@'localhost' IDENTIFIED BY 'password' PASSWORD EXPIRE NEVER; ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password'; Remote-control study: github.com/TideSec/BypassAntiVirus Lightweight Directory Access Protocol

Fortigate VPN: CVE-2018-13379: Pre-auth arbitrary file reading. In 2019, vulnerabilities in the products of the company Fortinet were disclosed, reported by the researchers niph_ and ramoliks, namely the CVEs: CVE-2018-13379: Pre-auth arbitrary file reading CVE-2018-13380: Pre-auth XSS CVE-2018-13381: Pre-auth heap overflow CVE-2018-13382: The magic

A curated list of my functional exploits...

Public-Exploits A curated list of my functional exploits. About: Public exploits (re)written for learning purpose or pentesting / red teaming assessments. Contents: Centreon Centreon Web CVE-2015-1560, CVE-2015-1561 | Centreon Web Time-Based Blind SQLi to RCE Fortinet Fortigate CVE-2018-13379 | Fortigate SSL-VPN Credentials Stealer CVE-2018-13382 | Fortigate SSL-VPN

Dorks for Google, Shodan and BinaryEdge

Dorks are cool. Dorks for Google, Shodan and BinaryEdge. Only for use on bug bounty programs or in coordination with a legal security assessment. I am in no way responsible for the usage of these search queries. Be responsible, thanks - www.bugcrowd.com/resource/what-is-responsible-disclosure/ This repository is "under construction", feel free to make pull requests

CVEs enumerated by FireEye and that should be addressed to limit the effectiveness of the leaked Red Team tools: CVE-2019-11510 – pre-auth arbitrary file reading from Pulse Secure SSL VPNs - CVSS 10.0; CVE-2020-1472 – Microsoft Active Directory escalation of privileges - CVSS 10.0; CVE-2018-13379 – pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN

Dataset info & mapping. In this repository we provide a full list of all events that were included in the Dataset, and provide the event mappings to expert rules for both the AlienVault and Sigma rules. Overview: This repository contains the following: events.txt, a txt file listing all events. This full list is also shown in the Section Events below. mappings, a direct

vFeed CVEs Vulnerability Indicators that should be addressed to limit the effectiveness of the Leaked FireEye Red Team tools: CVE-2019-11510 – pre-auth arbitrary file reading from Pulse Secure SSL VPNs - CVSS 10.0; CVE-2020-1472 – Microsoft Active Directory escalation of privileges - CVSS 10.0; CVE-2018-13379 – pre-auth arbitrary file reading from Fortinet Forti

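Red Team Operations Execution Manual

Red Team Practical Handbook. Statement. Author : By klion Date : 2020215 Dedication : May every remaining day of 2020 be safe and well. Why this is shared: First, it aims to give both the "attacking" and "defending" sides a more comprehensive and practical reference. As the old saying goes, "you cannot know defense without knowing offense"; anyone who talks only about "attack" or only about "defense" is not being serious; be capable in both offense and defense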

Community curated list of template files for the nuclei engine to find security vulnerability and fingerprinting the targets.

Templates are the core of nuclei scanner which power the actual scanning engine. This repository stores and houses various templates for the scanner provided by our team as well as contributed by the community. We hope that you also contribute by sending templates via pull requests and grow the list. Template Directory ├── LICENSE ├── README.md ├── basic-dete

Customized templates originally pulled from `projectdiscovery/nuclei-templates`

Nuclei Templates. Templates are the core of nuclei scanner which power the actual scanning engine. This repository stores and houses various templates for the scanner provided by our team as well as contributed by the community. We hope that you also contribute by sending templates via pull requests or Github issue and grow the list. Resources Templates Documentation Contr

Summary of all security news published to the Alpha Lab WeChat official account in 2020

Welcome to follow the Alpha Lab WeChat official account. 20201231 [Vulnerability] The 10 most critical CVEs added in 2020 blog.detectify.com/2020/12/30/top-10-critical-cves-added-in-2020/ UAF vulnerability in Chromium RawClipboardHostImpl bugs.chromium.org/p/chromium/issues/detail?id=1101509 [Tool] Sarenka: an OSINT tool that brings data from services such as shodan and censys together in one place

PoC in GitHub 2020 CVE-2020-0014 It is possible for a malicious application to construct a TYPE_TOAST window manually and make that window clickable. This could lead to a local escalation of privilege with no additional execution privileges needed. User action is needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9 Android-10. Android ID: A-1286745

PoC auto collect from GitHub.

PoC in GitHub 2020 CVE-2020-0022 In reassemble_and_dispatch of packet_fragmenter.cc, there is possible out of bounds write due to an incorrect bounds calculation. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9 Andr

Recent Articles

Hackers Exploit Fortinet Flaw in Sophisticated Cring Ransomware Attacks
Threatpost • Elizabeth Montalbano • 08 Apr 2021

Threat actors are exploiting a Fortinet vulnerability flagged by the feds last week that delivers a new ransomware strain, dubbed Cring, that is targeting industrial enterprises across Europe.
Researchers say the attackers are exploiting an unpatched path-reversal flaw, tracked as CVE-2018-13379, in Fortinet’s FortiOS. The goal is to gain access to victims' enterprise networks and ultimately deliver ransomware, according to a report by Kaspersky researchers published this week.
“...

New Cring ransomware hits unpatched Fortinet VPN devices
BleepingComputer • Sergiu Gatlan • 07 Apr 2021

A vulnerability impacting Fortinet VPNs is being exploited by a new human-operated ransomware strain known as Cring to breach and encrypt industrial sector companies' networks.
 (also known as Crypt3r, Vjiszy1lo, Ghost, Phantom) was 
 by Amigo_A in January and 
 by the CSIRT team of Swiss telecommunications provider Swisscom.
The Cring operators drop customized Mimikatz samples, followed by CobaltStrike after gaining initial access and deploy the ransomware payloads ...

FBI: APTs Actively Exploiting Fortinet VPN Security Holes
Threatpost • Tara Seals • 02 Apr 2021

The FBI and the Cybersecurity and Infrastructure Security Agency are warning that advanced persistent threat (APT) nation-state actors are actively exploiting known security vulnerabilities in the Fortinet FortiOS cybersecurity operating system, affecting the company’s SSL VPN products.
According to an alert issued Friday by the FBI and CISA, cyberattackers are scanning devices on ports 4443, 8443 and 10443, looking for unpatched Fortinet security implementations. Specifically, APTs are ...

FBI and CISA warn of state hackers attacking Fortinet FortiOS servers
BleepingComputer • Sergiu Gatlan • 02 Apr 2021

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warn of advanced persistent threat (APT) actors targeting Fortinet FortiOS servers using multiple exploits.
In the Joint Cybersecurity Advisory (CSA) published today, the agencies warn admins and users that the state-sponsored hacking groups are actively exploiting Fortinet FortiOS vulnerabilities
,
, and
.
The attackers are enumerating servers unpatched...

Passwords exposed for almost 50,000 vulnerable Fortinet VPNs
BleepingComputer • Ax Sharma • 25 Nov 2020

A hacker has now leaked the credentials for almost 50,000 vulnerable Fortinet VPNs.
Over the weekend a hacker had posted a list of
 for CVE-2018-13379 to steal VPN credentials from these devices, as reported by BleepingComputer.
Present on the list of vulnerable targets are domains belonging to high street banks, telecoms, and government organizations from around the world.
The exploitation of critical FortiOS vulnerability CVE-2018-13379 lets an attacker access ...

Hacker posts exploits for over 49,000 vulnerable Fortinet VPNs
BleepingComputer • Ax Sharma • 22 Nov 2020

A hacker has posted a list of one-line exploits to steal VPN credentials from almost 50,000 Fortinet VPN devices.
Present on the list of vulnerable targets are domains belonging to high street banks and government organizations from around the world.
The vulnerability being referred to here is CVE-2018-13379, a path traversal flaw impacting a large number of unpatched FortiNet FortiOS SSL VPN devices.
By exploiting this vulnerability, unauthenticated remote attackers can a...

Attackers chain Windows, VPN flaws to target US government agencies
welivesecurity • 13 Oct 2020

Threat actors have been chaining vulnerabilities in Windows and Virtual Private Network (VPN) services to target various government agencies, critical infrastructure and election organizations, according to a warning by the United States’ Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI). The technique, which involves exploiting several flaws over the course of a single attack to infiltrate an organization’s network, is part of the gangs’ ram...

Election Systems Under Attack via Microsoft Zerologon Exploits
Threatpost • Lindsey O'Donnell • 13 Oct 2020

U.S. government officials have warned that advanced persistent threat actors (APTs) are now leveraging Microsoft’s severe privilege-escalation flaw, dubbed “Zerologon,” to target elections support systems.
Days after Microsoft sounded the alarm that an Iranian nation-state actor was actively exploiting the flaw (CVE-2020-1472), the Cybersecurity Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint advisory warning of further attacks.

Iranian hackers are selling access to corporate networks
BleepingComputer • Sergiu Gatlan • 01 Sep 2020

An Iranian-backed hacker group has been observed while seeking to sell access to compromised corporate networks to other threat actors on underground forums and attempting to exploit F5 BIG-IP devices vulnerable to CVE-2020-5902 exploits.
The Iranian hackers have been active since at least 2017 and are being tracked as Pioneer Kitten by cyber-security firm Crowdstrike, as Fox Kitten [
,
] by threat intelligence firm ClearSky, and as
[
,
] by ICS security f...

Hackers Look to Steal COVID-19 Vaccine Research
Threatpost • Tara Seals • 16 Jul 2020

Threat actor known as APT29 has been hard at work attempting to pilfer COVID-19 vaccine research from academic and pharmaceutical research institutions in various countries around the world, including the U.S.
That’s according to a joint alert from the U.S. Department of Homeland Security (DHS), the U.K.’s National Cyber Security Centre (NCSC) and Canada’s Communications Security Establishment (CSE), issued Thursday.
The 14-page advisory details the recent activity of Russi...

NSA releases guidance on securing IPsec Virtual Private Networks
BleepingComputer • Sergiu Gatlan • 02 Jul 2020

The US National Security Agency (NSA) has published guidance on how to properly secure IP Security (IPsec) Virtual Private Networks (VPNs) against potential attacks.
Besides providing organizations with recommendations on how to secure IPsec tunnels, NSA's VPN guidance also highlights the importance of using strong cryptography to protect sensitive info contained within traffic while traversing untrusted networks when connecting to remote servers.
Following these recommendations...

APT Groups Exploiting Flaws in Unpatched VPNs, Officials Warn
Threatpost • Elizabeth Montalbano • 08 Oct 2019

State-sponsored advanced persistent threat (APT) groups are using flaws in outdated VPN technologies from Palo Alto Networks, Fortinet and Pulse Secure to carry out cyber attacks on targets in the United States and overseas, warned U.S. and U.K. officials.
The National Security Agency (NSA) issued a Cybersecurity Advisory Monday about the threats and offered mitigation suggestions, warning that multiple APT actors have weaponized three critical vulnerabilities first published in August–C...

Hackers used VPN flaws to access US govt elections support systems
BleepingComputer • Sergiu Gatlan

Government-backed hackers have compromised and gained access to US elections support systems by chaining together VPN vulnerabilities and the recent Windows CVE-2020-1472 security flaw.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) says that advanced persistent threat (APT) actors used this vulnerability chaining tactic to target federal and SLTT (state, local, tribal, and territorial) government networks, as well as election organizations, and critical infrastructure....

The Register

If you're wondering which bugs in particular miscreants are exploiting to break into, or attempt to break into, US government networks, wonder no more. And then make sure you've patched them.
Uncle Sam's Dept of Homeland Security has this month identified at least six possible routes into the nation's computer systems, and the method used to gain total control over the machines once inside. Those six vulnerabilities are...
...plus CVE-2020-1472, aka ZeroLogon, in Microsoft Windows, w...

The Register

in Brief It was a tsunami of DNS queries that ultimately took out a host of Microsoft services, from Xbox Live to Teams, for some netizens about an hour on April Fools' Day, Redmond has said.
Or as the Windows giant put it, the outage was the result of "an anomalous surge in DNS queries from across the globe targeting a set of domains hosted on Azure." In a postmortem examination of the downtime, Microsoft said the flood of requests triggered a programming flaw in its infrastructure that h...