While conducting further analysis of the path traversal vulnerability within the FortiOS SSL VPN web portal, the team at 7 Elements created a script to enumerate vulnerable hosts and extract sensitive information such as user names and passwords.
The following video shows the tool in action with the ability to scan multiple hosts (the script used for the purpose of the video masks sensitive information):
Using the script it was possible to enumerate ~200k hosts globally, identifying around 20,000 vulnerable hosts and extract over 60,000 credentials (further blog post to follow).
Both the NSA and NCSC have recently posted advisories alerting on the use of this vulnerability by Nation State Advanced Persistent Threat (APT) actors to gain access to enterprise environments.
Over three weeks prior to the advisories, the team here at 7 Elements identified that what was then being reported as a medium level risk issue, was in fact a critical impact issue. More on that can be found here.
Today we have released a version of the script that is limited to a single IP/Host to enable testing against devices owned by the individual running the script. The tool can be downloaded here.