Fortinet FortiOS Exploit - CVE-2018-13379

Fortinet FortiOS is a network operating system that supports security solutions offered by Fortinet. The FortiOS SSL VPN web portal (when web-mode or tunnel-mode is enabled) lacks input sanitization for URI query parameters, resulting in the exposure of information from restricted files. To exploit this vulnerability, the attacker creates a malicious HTTP request that includes a URI for an endpoint (/remote/fgt_lang), and a query parameter (lang=...). The query parameter can include a combination of traversal elements (../) and a path for reaching a restricted file. The Fortinet application processes the query parameter as trusted input, reads content from the restricted file, and returns file content to the attacker in the HTTP response. One example of a restricted file that an attacker might target is a web session file. Web session files contain information about authenticated SSL VPN users. The malicious query parameter includes traversal elements, the file path (/dev/cmdb/), and the restricted file name (sslvpn_websession). Sensitive information—such as usernames, plaintext passwords, and source IP addresses—is exposed to the attacker in the HTTP response.