WebVPN is a convenient proxy feature which allows us connect to all the services simply through a browser.
We can find a table specifying the handlers and dig into them! In both web service, they also compiled their own apache modules into the binary to handle each URL path.
#FORTINET VPN CLIENT DEFAULT PORT CODE#
We can map the source code of apache to speed up our analysis. Apparently they modified apache in 2002 and added their own additional functionality. Through our investigation, we found the web server is modified from apache, but it is the apache from 2002. Generally, the admin page should be restricted from the internet, so we can only access the user interface. The other is normal user interface, handled with /bin/sslvpnd on the port 4433 by default. One is for the admin interface, handled with /bin/httpsd on the port 443. There are 2 web interfaces running on the Fortigate. For example, there is even no /bin/ls or /bin/cat! It contains thousands of functions and there is no symbol! It only contains necessary programs for the SSL VPN, so the environment is really inconvenient for hackers. Just like this:įortigate compiles all the programs and configurations into a single binary, which makes the init really huge. We tried to list the binaries in /bin/ and found there are all symbolic links, pointing to /bin/init. We started our research from the file system. Here is the technical feature of Fortigate: We can identify it from the URL /remote/login. There are more than 480k servers operating on the internet and is common in Asia and Europe. The next article is going to be about Pulse Secure, which is the most splendid one! Stay tuned! Fortigate SSL VPNįortinet calls their SSL VPN product line as Fortigate SSL VPN, which is prevalent among end users and medium-sized enterprise. Is that true? As a myth buster, we took on this challenge and started hacking Fortinet and Pulse Secure! This story is about hacking Fortigate SSL VPN. It seems like Fortinet and Pulse Secure are the most secure ones. There is no way to stop us because SSL VPN must be exposed to the internet.Īt the beginning of our research, we made a little survey on the CVE amount of leading SSL VPN vendors:
Therefore, once we find a critical vulnerability on the leading SSL VPN, the impact is huge. According to our survey on Fortune 500, the Top-3 SSL VPN vendors dominate about 75% market share. However, what if this trusted equipment is insecure? It is an important corporate asset but a blind spot of corporation. For its convenience, SSL VPN becomes the most popular remote access way for enterprise! Compare to the site-to-site VPN such as the IPSEC and PPTP, SSL VPN is more easy to use and compatible with any network environments. The story began in last August, when we started a new research project on SSL VPN. We will also give a speech at the following conferences, just come and find us!