How hackers easily gain access to companies
In this post we are going to show you a real example of how easy it is to gain access to a company. There are of course several other posts that explain how this vulnerability works and how to exploit it, but for us the goal is to show you that this vulnerability is still being exploited and how easy it is to do so.
Some ways hackers can gain access to companies
- Exploiting vulnerabilities and zero-days.
- Exploiting poor employee awareness (Social Engineering).
- Physical Breach.
- Password guessing.
The attack method we are going to explain here is the exploitation of a vulnerability, specifically a FortiGate path traversal vulnerability.
The FortiGate CVE-2018-13379 Vulnerability
The FortiGate vulnerability (CVE-2018-13379) was discovered in 2018. Since the release of the exploit technique, companies world-wide have been breached. It is exploited with a simple HTTP request, and the response contains all of the VPN user sessions, including the credentials to access the VPN.
Cybia labs conducted research on this vulnerability to check whether it could still be found in the wild. By using masscan together with a custom tool we developed, we found a large number of vulnerable hosts world-wide. We then ran a reverse-IP query on all of the IPs and discovered that the vulnerable companies were from the defense industry, finance, healthcare and more. The following is a Shodan query that you can use to detect FortiGate VPNs in the US: country:"US" xxxxxxxx-xxxxx, as shown in the image below:
To check if the FortiGate is vulnerable, you only have to append the following path to the FortiGate URL: /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession. You will then receive the web sessions of the FortiGate VPN, including all the credentials of the VPN users. The following is an example of how these credentials are shown:
It is now easy to gain full access to this network by simply connecting with the VPN credentials. After connecting to the network, an attacker can extend the attack by performing lateral movement, finding vulnerable internal hosts and using other attack techniques.
Although this vulnerability was discovered in 2018, and several posts have already been released, it was important for us to write this post in order to show you that thousands of companies are still vulnerable and can easily be hacked. So if you use FortiGate in your organization, we strongly recommend checking its version.
Check the current version of the FortiGate VPN and, if it is outdated, update it. Below is an attached video that explains exactly how to do that. Good luck.
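Besides updating, defenders can look for past attempts, because the request described above leaves a recognizable trace in HTTP logs. The following detection sketch is an added example, not code from Cybia labs or Fortinet. It assumes access logs in combined log format (for example from a proxy or sensor in front of the VPN portal), and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request part of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def is_fgt_lang_traversal(target: str) -> bool:
    """True when the request hits /remote/fgt_lang with a traversal in 'lang'."""
    parts = urlsplit(target)
    if unquote(parts.path).rstrip("/") != "/remote/fgt_lang":
        return False
    for value in parse_qs(parts.query, keep_blank_values=True).get("lang", []):
        # parse_qs percent-decodes once; decode again to catch double encoding.
        decoded = unquote(value)
        if "../" in decoded or "..\\" in decoded or "sslvpn_websession" in decoded:
            return True
    return False

def scan(lines):
    """Return (source_ip, status, target) for every suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and is_fgt_lang_traversal(m.group("target")):
            hits.append((m.group("src"), int(m.group("status")), m.group("target")))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2021:10:00:00 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 1532',
    '203.0.113.9 - - [01/Jan/2021:10:00:05 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 4096',
    '203.0.113.9 - - [01/Jan/2021:10:00:09 +0000] "GET /remote/fgt_lang?lang=%2F..%2F..%2Fdev%2Fcmdb%2Fsslvpn_websession HTTP/1.1" 404 0',
    '198.51.100.7 - - [01/Jan/2021:10:01:00 +0000] "GET /remote/fgt_lang?lang=en HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for src, status, target in scan(SAMPLE_LOG):
        note = ("answered 200: treat VPN credentials as exposed"
                if status == 200 else "request not served")
        print(f"{src} {status} {note}: {target}")
```

A hit that was answered with status 200 means the session file may have been returned, so the VPN passwords of the affected users should be reset after the device is updated.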