Repost: Planting a backdoor in FortiOS 5.4

This article describes how to plant a backdoor in a FortiOS 5.4 virtual machine. By exploiting a vulnerability in the system, specific commands can be used after upgrading to 5.4 to delete and replace system files, thereby implanting malicious code. The experiment requires a Linux environment with a 3.x kernel to mount and modify the FortiOS VMDK file. The steps are: unpack the system files, create a reverse shell with msfvenom, then repack and replace the original system files. The article notes at the end that although the system does have checksum files, they appear to be enforced only in FIPS mode, which is rarely used in practice.

Notes:

1. Tested: FortiOS 5.4 beta4 also works.

2. In the experiment, if you first download FortiOS 5.2 (and take a snapshot) and then upgrade to 5.4, the VM disk you need to mount is FortiGate-VM-disk1-000001.vmdk.

3. When reopening the FortiOS VM you will hit a disk ID mismatch error; just edit the corresponding VMDK file.

   Reference: http://www.running-system.com/cannot-open-the-disk-reason-the-parent-virtual-disk-has-been-modified-since-the-child-was-created/

Reposted from: https://pulpphikshun.wordpress.com/2015/08/31/backdooring-a-fortios-vm

Backdooring a FortiOS VM

Lately I’ve been playing with the FortiOS 5.4 Beta 3 VM. In previous versions of FortiOS, you could use the hidden fnsysctl command to run Linux CLI commands (only a subset, unfortunately). For example, if you download the FortiOS 5.2 x86 VM, you can run the command “fnsysctl cat /proc/version”, which will display the Linux kernel version it uses.

For those of you who didn’t know, FortiOS is Linux. They are the same. And FortiOS, up to and including version 5.2, is Linux 2.4. This means that FortiOS does not have ASLR, DEP, stack cookies, or any modern Linux exploit countermeasures. And everything is written in C, and all processes run as root.

Personally, I find this bizarre. The company I work for has FortiGate firewalls, and it’s a little weird to think that the only Linux box we have running kernel 2.4 is the box we’re using to protect all the other Linux boxes. Anyway, I digress.

Back to FortiOS 5.4. It seems that Fortinet is tired of porting third-party vendor SDK driver code back to Linux 2.4, so they decided to upgrade the kernel to 3.2. ASLR is even enabled. Not sure about DEP, but I know stack cookies aren’t enabled. But it also appe
