Open Wh1terat opened 7 months ago
It's nice to see you've looked into that too. As far as I know, the system uses the FTNT_TRUSTED(fortinet-subca2001) to verify those certificates.
I didn't bother to find the private key(not sure if the private key still exists) because we would need to modify the init binary to bypass integrity verification anyway.
But if we can get the private key, we might be able to build the appropriate firmware without having to modify the init binary.
I might look into it in my spare time, I'd appreciate it if you could share your research.
I looked into this and also the reversible password format - unfortunately neither I could publish at the time and someone else got the glory for the 2nd CVE.
Unfortunately this ca is not issued by fortinet-subca2001, it could well just be a standalone CA not included in any other chains.
If interested in either let me know and I'll find a method to communicate the priv keys with you. I suspect much of my research is vastly out of date now.
FortiGate CA.
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1594129161 (0x5f047b09)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FortiGate CA, emailAddress = support@fortinet.com
Validity
Not Before: Jan 13 18:47:57 2016 GMT
Not After : Jan 13 18:47:57 2026 GMT
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FortiGate CA, emailAddress = support@fortinet.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b8:e1:28:a2:93:fa:35:1a:cd:43:16:50:33:72:
8a:59:89:e9:6b:26:68:3a:25:5d:69:87:fe:5e:c5:
33:03:1c:19:2f:dd:09:0f:78:0b:d2:0a:b8:31:1a:
5e:d0:95:d9:f4:11:75:47:bf:15:0a:a7:62:ef:82:
6c:6c:fa:f8:ee:a9:db:08:59:97:47:16:00:38:95:
ea:c8:7a:32:32:97:24:06:a2:f2:12:18:ec:2a:89:
dc:3f:7a:91:0b:f1:c4:c0:dc:44:e9:f1:7b:d6:41:
17:77:6f:5a:a0:13:0a:dc:dc:43:69:55:7d:d1:e7:
3c:28:52:9c:64:2c:bc:b1:28:49:ff:b0:36:f3:cc:
60:9e:04:94:7a:bf:bc:3c:7e:ed:b5:b3:6c:c7:e5:
f0:04:7c:2c:51:8e:ea:5c:00:db:8e:71:e4:d6:f9:
24:86:85:51:77:69:82:bb:de:c7:e0:7e:fe:56:fb:
ac:42:54:58:64:27:dd:24:24:33:ca:43:5b:79:21:
18:88:ac:c3:f3:78:5a:d5:a5:20:ee:1b:c4:fb:10:
34:cd:92:1c:51:86:74:5b:13:f3:ee:8e:f0:6e:6f:
07:83:5e:f4:78:b9:87:07:ab:60:b7:bc:bb:4e:27:
42:98:44:e8:ca:11:fa:b0:8e:0b:96:4b:f5:7c:aa:
ab:19
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
50:ab:bd:51:77:ad:b7:e7:35:a5:86:e1:9c:10:92:ef:43:f0:
78:60:1d:17:ba:2e:2f:c4:44:8d:03:59:ff:1f:d5:46:ea:01:
64:69:a1:e6:60:ad:58:17:c0:e6:6c:26:3e:44:07:12:4c:50:
d7:b8:44:ff:76:0e:55:1b:38:c4:1a:ff:d2:f0:c7:29:1c:d2:
9c:b0:d4:11:f4:c6:64:5e:e4:fe:66:59:72:4c:64:b5:fc:40:
25:1f:e0:eb:13:ed:d0:83:c0:9d:84:03:03:b2:be:3e:07:82:
ba:5d:69:fd:e6:d3:eb:e9:c6:69:06:11:91:67:c3:66:fb:e2:
b2:c5:9b:ab:7a:23:1d:4b:ca:7a:4b:fd:6d:bd:b6:07:a9:92:
b8:8e:7f:c9:3b:12:b1:a8:11:53:91:fc:b0:b7:95:d3:d2:b0:
e1:b5:a0:60:07:3d:44:98:58:5e:1c:5b:a9:eb:83:28:40:f3:
5b:e3:8c:af:63:81:af:8c:86:a2:85:1c:93:fd:96:7c:a6:0b:
e5:cb:95:40:db:01:51:66:9f:a8:f3:7e:85:31:ad:55:45:1c:
a0:74:82:a3:4a:9f:5f:4d:0e:2e:6c:11:93:33:21:06:4c:7d:
a8:ae:c0:06:a4:56:82:eb:92:a3:8a:b4:7b:00:fd:24:0a:dd:
b0:e4:f8:01
Also the "Fortigate" non CA, support issued cert:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 40906 (0x9fca)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = support, emailAddress = support@fortinet.com
Validity
Not Before: Feb 21 21:13:18 2011 GMT
Not After : Jan 19 03:14:07 2038 GMT
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FortiGate, emailAddress = support@fortinet.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (512 bit)
Modulus:
00:cf:b8:21:07:4c:9a:df:d7:95:1f:8e:da:b0:22:
9d:29:5b:b7:14:b1:18:ec:a5:f6:87:99:5a:fd:5d:
c0:f2:dd:ed:b0:7e:1c:0c:a3:00:f6:84:6d:3d:9b:
95:8f:5a:d5:ae:67:d0:61:0d:33:54:47:ef:6b:49:
15:7d:41:d2:ad
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Signature Algorithm: sha1WithRSAEncryption
42:db:69:fd:8a:d7:cc:c4:3e:ca:f1:32:e2:be:04:36:a0:be:
9e:21:93:f1:26:27:3a:fe:3c:42:d5:44:73:c1:15:14:0b:51:
f3:1c:6c:04:c0:dd:40:b2:40:ca:2a:30:34:85:aa:69:7f:e7:
de:ef:1f:99:8b:03:e3:60:c0:e4:54:e0:f9:39:55:2c:cf:f8:
57:95:35:0c:3a:8c:62:4d:3f:20:50:ec:b6:da:5d:a7:e7:d6:
92:50:ab:3b:b1:c1:d0:5f:0b:43:10:25:e9:73:21:dc:f3:9f:
81:ec:91:4d:c7:38:b6:9f:b7:45:de:04:2d:e0:d5:39:eb:ca:
46:27:83:b6:93:8f:64:ef:17:78:72:1d:7b:f7:bd:59:9f:0f:
1f:b1:fc:74:41:d1:aa:4d:8a:3c:69:85:21:17:43:36:49:b2:
b4:2c:7e:29:ba:03:06:26:03:fa:0c:e4:ed:e9:fc:ae:3c:71:
2b:e9:9e:59:ee:6b:10:0c:ef:3e:6c:d7:c4:fc:b3:32:c2:61:
46:97:c0:55:d6:02:b6:8e:57:db:72:55:30:46:67:5b:9b:7d:
ae:8f:37:59:0b:4e:eb:4b:d8:41:78:d6:f0:67:8b:44:fc:72:
7f:07:1d:1c:e9:86:22:47:09:ad:4f:5e:ce:fa:4a:68:2c:b2:
fe:67:cb:a2
I worked on similar back in 5.6.x and just wanted to comment that I really enjoyed to read your write up.
Amazing to see some 5+ years later they still use the same RSA-155 pub key for aes key derivation. 🤣
For the newer versions with embedded certificates, what certificate chain validates these?
I ask because Fortinet used to include a fixed sub CA in old versions used for content inspection (they moved to "first boot" generation later for obvious reasons) for which it was possible to extract the private key.