watchTowr monitors and protects clients as a service. Fortinet had a nasty vulnerability in FortiManager that led to many users getting popped. To fully understand the vulnerability, the authors decided to set up a lab environment to play around with it. In the process, they found even more bugs.
FortiManager is the tool for administering FortiGate devices. It communicates with the devices using the FortiGate-to-FortiManager (FGFM) protocol, which runs over TCP and is tunneled inside TLS. The authors were messing around with this and trying to write their own client. The fgfmsd binary contains the functionality for decoding the protocol and building packets for it.
put_json_cmd had a large amount of functionality behind it. They say that "vulnerabilities often congregate around functional boundaries, as one side of the RPC interface often makes differing assumptions about the obligations of its counterpart", which I believe is really true. It's a good place to look for bugs for sure.
On the FortiManager side, they reverse-engineered the handler for this command. In it they found a trivial command injection and multiple arbitrary file writes. Since they found the sink first, they had to reverse-engineer the source to work out how to trigger the functionality. After some time, they figured this out.
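To make the "differing assumptions across the RPC boundary" point concrete, here is a constructed illustration (added here, not watchTowr's code and not FortiManager's fgfmsd handler): a toy JSON command handler with a "run" and a "write" command. The server side assumes its peer only ever sends a plain hostname and a relative file name; the vulnerable version acts on that assumption, the hardened version verifies it. The command names, field names and hostile inputs are all made up for the example.

```python
import json
import os
import re
import subprocess
import tempfile

# Constructed example: NOT FortiManager's put_json_cmd handler. It only
# shows the trust-boundary pattern: the server assumes the client sends a
# clean hostname and a relative path; the client is under no such obligation.

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def vulnerable_handle(cmd_json: str, base_dir: str) -> str:
    req = json.loads(cmd_json)
    if req["cmd"] == "run":
        # Sink 1: peer-controlled text concatenated into a shell command line.
        out = subprocess.run("echo " + req["host"], shell=True,
                             capture_output=True, text=True)
        return out.stdout
    if req["cmd"] == "write":
        # Sink 2: peer-controlled path joined to a base dir without a traversal check.
        path = os.path.join(base_dir, req["path"])
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(req["data"])
        return path
    raise ValueError("unknown cmd")


def hardened_handle(cmd_json: str, base_dir: str) -> str:
    req = json.loads(cmd_json)
    if req["cmd"] == "run":
        host = req["host"]
        # Verify the assumption instead of trusting the peer: strict allowlist.
        if not HOSTNAME_RE.fullmatch(host):
            raise ValueError("invalid hostname")
        # argv list and no shell, so metacharacters could not be interpreted anyway.
        out = subprocess.run(["echo", host], capture_output=True, text=True)
        return out.stdout
    if req["cmd"] == "write":
        base = os.path.realpath(base_dir)
        target = os.path.realpath(os.path.join(base, req["path"]))
        # Canonicalise, then insist the resolved target still lives under base.
        if os.path.commonpath([base, target]) != base:
            raise ValueError("path escapes base directory")
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "w") as fh:
            fh.write(req["data"])
        return target
    raise ValueError("unknown cmd")


def _attempt(handler, req: str, base: str) -> str:
    try:
        return handler(req, base)
    except ValueError:
        return "rejected"


def demo() -> dict:
    """Feed the same hostile requests (constructed inputs) to both handlers."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "base")
    os.makedirs(base)
    results = {}

    # Command injection attempt: a "hostname" carrying a shell separator.
    run_req = json.dumps({"cmd": "run", "host": "x; echo INJECTED"})
    results["vuln_run"] = vulnerable_handle(run_req, base)
    results["hard_run"] = _attempt(hardened_handle, run_req, base)
    # A legitimate hostname still works through the hardened path.
    ok_req = json.dumps({"cmd": "run", "host": "fortimanager.example"})
    results["hard_run_ok"] = hardened_handle(ok_req, base)

    # Arbitrary file write attempt: traversal out of the base directory.
    write_req = json.dumps({"cmd": "write", "path": "../escaped.txt", "data": "owned"})
    vulnerable_handle(write_req, base)
    results["vuln_write_escaped"] = os.path.exists(os.path.join(root, "escaped.txt"))
    results["hard_write"] = _attempt(hardened_handle, write_req, base)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The two sinks are exactly the kind a reverse engineer finds first; the harder part, as in the article, is walking back to the source to see which request fields reach them and what the other side was assumed to guarantee.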
This wasn't the vulnerability being exploited, though! With binary diffing, they found several other command injections that were being exploited.
They also released a full proof of concept and a way to work around Mandiant's indicators of compromise. To me, this is unnecessary and doesn't help anyone besides threat actors. There are ways to write a test for whether your binary is vulnerable without doing a full exploit. Additionally, posting workarounds for Indicators of Compromise (IoCs) doesn't serve much purpose for resolving this issue either.
I think the story and the vulnerability are fun. However, I didn't like the tone of the article very much. Although I'm slightly exaggerating, the tone felt like "These people are idiots, and we're so smart." At the end of the day, security researchers are trying to help vendors, so we shouldn't act this way. Companies make mistakes in their security, and we should help them improve in a non-condescending way.