dissect.target 3.15.dev34__py3-none-any.whl → 3.15.dev38__py3-none-any.whl

dissect/target/plugins/os/unix/linux/fortios/_os.py

@@ -1,12 +1,13 @@
 from __future__ import annotations
 
 import gzip
+import hashlib
 from base64 import b64decode
 from datetime import datetime
+from io import BytesIO
 from tarfile import ReadError
-from typing import Iterator, Optional, TextIO, Union
+from typing import BinaryIO, Iterator, Optional, TextIO, Union
 
-from Crypto.Cipher import AES
 from dissect.util import cpio
 from dissect.util.compression import xz
 
@@ -18,6 +19,13 @@ from dissect.target.plugin import OperatingSystem, export
 from dissect.target.plugins.os.unix.linux._os import LinuxPlugin
 from dissect.target.target import Target
 
+try:
+    from Crypto.Cipher import AES, ChaCha20
+
+    HAS_PYCRYPTODOME = True
+except ImportError:
+    HAS_PYCRYPTODOME = False
+
 FortiOSUserRecord = TargetRecordDescriptor(
     "fortios/user",
     [
@@ -39,7 +47,7 @@ class FortiOSPlugin(LinuxPlugin):
 
     def _load_config(self) -> dict:
         CONFIG_FILES = {
-            "/data/system.conf": None,
+            "/data/system.conf": "global-config",  # FortiManager
             "/data/config/daemon.conf.gz": "daemon",  # FortiOS 4.x
             "/data/config/sys_global.conf.gz": "global-config",  # Seen in FortiOS 5.x - 7.x
             "/data/config/sys_vd_root.conf.gz": "root-config",  # FortiOS 4.x
@@ -55,7 +63,7 @@ class FortiOSPlugin(LinuxPlugin):
                 else:
                     fh = conf_path.open("rt")
 
-                if not self._version and section in [None, "global-config", "root-config"]:
+                if not self._version and section in ["global-config", "root-config"]:
                     self._version = fh.readline().split("=", 1)[1]
 
                 parsed = FortiOSConfig.from_fh(fh)
@@ -72,20 +80,31 @@ class FortiOSPlugin(LinuxPlugin):
 
     @classmethod
     def create(cls, target: Target, sysvol: Filesystem) -> FortiOSPlugin:
+        target.log.warning("Attempting to load rootfs.gz, this can take a while.")
         rootfs = sysvol.path("/rootfs.gz")
+        vfs = None
 
         try:
-            target.log.warning("Attempting to load compressed rootfs.gz, this can take a while.")
-            rfs_fh = open_decompress(rootfs)
-            if rfs_fh.read(4) == b"07" * 2:
+            if open_decompress(rootfs).read(4) == b"0707":
                 vfs = TarFilesystem(rootfs.open(), tarinfo=cpio.CpioInfo)
             else:
                 vfs = TarFilesystem(rootfs.open())
+        except ReadError:
+            # The rootfs.gz file could be encrypted.
+            try:
+                rfs_fh = decrypt_rootfs(rootfs.open(), get_kernel_hash(sysvol))
+                vfs = TarFilesystem(rfs_fh, tarinfo=cpio.CpioInfo)
+            except RuntimeError:
+                target.log.warning("Could not decrypt rootfs.gz. Missing `pycryptodome` dependency.")
+            except ValueError as e:
+                target.log.warning("Could not decrypt rootfs.gz. Unsupported kernel version.")
+                target.log.debug("", exc_info=e)
+            except ReadError as e:
+                target.log.warning("Could not mount rootfs.gz. It could be corrupt.")
+                target.log.debug("", exc_info=e)
+
+        if vfs:
             target.fs.mount("/", vfs)
-        except ReadError as e:
-            # Since FortiOS version ~7.4.1 the rootfs.gz file is encrypted.
-            target.log.warning("Could not mount FortiOS `/rootfs.gz`. It could be encrypted or corrupt.")
-            target.log.debug("", exc_info=e)
 
         target.fs.mount("/data", sysvol)
 
@@ -93,13 +112,21 @@ class FortiOSPlugin(LinuxPlugin):
         if (datafs_tar := sysvol.path("/datafs.tar.gz")).exists():
             target.fs.add_layer().mount("/data", TarFilesystem(datafs_tar.open("rb")))
 
-        # Additional FortiGate tars with corrupt XZ streams
-        for path in ("bin.tar.xz", "usr.tar.xz", "migadmin.tar.xz", "node-scripts.tar.xz"):
-            if (tar := target.fs.path(path)).exists():
+        # Additional FortiGate or FortiManager tars with corrupt XZ streams
+        target.log.warning("Attempting to load XZ files, this can take a while.")
+        for path in (
+            "bin.tar.xz",
+            "usr.tar.xz",
+            "migadmin.tar.xz",
+            "node-scripts.tar.xz",
+            "docker.tar.xz",
+            "syntax.tar.xz",
+        ):
+            if (tar := target.fs.path(path)).exists() or (tar := sysvol.path(path)).exists():
                 fh = xz.repair_checksum(tar.open("rb"))
                 target.fs.add_layer().mount("/", TarFilesystem(fh))
 
-        # FortiAnalyzer
+        # FortiAnalyzer and FortiManager
         if (rootfs_ext_tar := sysvol.path("rootfs-ext.tar.xz")).exists():
             target.fs.add_layer().mount("/", TarFilesystem(rootfs_ext_tar.open("rb")))
 
@@ -117,9 +144,18 @@ class FortiOSPlugin(LinuxPlugin):
                 target.fs.mount("/boot", fs)
 
             # data2 partition
-            if fs.__type__ == "ext" and fs.path("/new_alert_msg").exists() and fs.path("/template").exists():
+            if fs.__type__ == "ext" and (
+                (fs.path("/new_alert_msg").exists() and fs.path("/template").exists())  # FortiGate
+                or (fs.path("/swapfile").exists() and fs.path("/old_fmversion").exists())  # FortiManager
+            ):
                 target.fs.mount("/data2", fs)
 
+        # Symlink unix-like paths
+        unix_paths = [("/data/passwd", "/etc/passwd")]
+        for src, dst in unix_paths:
+            if target.fs.path(src).exists() and not target.fs.path(dst).exists():
+                target.fs.symlink(src, dst)
+
         return cls(target)
 
     @export(property=True)
@@ -158,8 +194,11 @@ class FortiOSPlugin(LinuxPlugin):
     def dns(self) -> list[str]:
         """Return configured WAN DNS servers."""
         entries = []
-        for _, entry in self._config["global-config"]["system"]["dns"].items():
-            entries.append(entry[0])
+        try:
+            for entry in self._config["global-config"]["system"]["dns"].values():
+                entries.append(entry[0])
+        except KeyError:
+            pass
         return entries
 
     @export(property=True)
@@ -176,7 +215,7 @@ class FortiOSPlugin(LinuxPlugin):
         # Possible unix-like users
         yield from super().users()
 
-        # Administrative users
+        # FortiGate administrative users
         try:
             for username, entry in self._config["global-config"]["system"]["admin"].items():
                 yield FortiOSUserRecord(
@@ -190,13 +229,27 @@ class FortiOSPlugin(LinuxPlugin):
             self.target.log.warning("Exception while parsing FortiOS admin users")
             self.target.log.debug("", exc_info=e)
 
+        # FortiManager administrative users
+        try:
+            for username, entry in self._config["global-config"]["system"]["admin"]["user"].items():
+                yield FortiOSUserRecord(
+                    name=username,
+                    password=":".join(entry.get("password", [])),
+                    groups=[entry["profileid"][0]],
+                    home="/root",
+                    _target=self.target,
+                )
+        except KeyError as e:
+            self.target.log.warning("Exception while parsing FortiManager admin users")
+            self.target.log.debug("", exc_info=e)
+
         # Local users
         try:
             local_groups = local_groups_to_users(self._config["root-config"]["user"]["group"])
             for username, entry in self._config["root-config"]["user"].get("local", {}).items():
                 try:
                     password = decrypt_password(entry["passwd"][-1])
-                except ValueError:
+                except (ValueError, RuntimeError):
                     password = ":".join(entry.get("passwd", []))
 
                 yield FortiOSUserRecord(
@@ -215,7 +268,7 @@ class FortiOSPlugin(LinuxPlugin):
             for _, entry in self._config["root-config"]["user"]["group"].get("guestgroup", {}).get("guest", {}).items():
                 try:
                     password = decrypt_password(entry.get("password")[-1])
-                except ValueError:
+                except (ValueError, RuntimeError):
                     password = ":".join(entry.get("password"))
 
                 yield FortiOSUserRecord(
@@ -236,7 +289,10 @@ class FortiOSPlugin(LinuxPlugin):
     @export(property=True)
     def architecture(self) -> Optional[str]:
         """Return architecture FortiOS runs on."""
-        return self._get_architecture(path="/lib/libav.so")
+        paths = ["/lib/libav.so", "/bin/ctr"]
+        for path in paths:
+            if self.target.fs.path(path).exists():
+                return self._get_architecture(path=path)
 
 
 class ConfigNode(dict):
@@ -344,7 +400,7 @@ def parse_version(input: str) -> str:
     }
 
     try:
-        version_str = input.split(":", 1)[0]
+        version_str = input.split(":", 1)[0].strip()
         type, version, _, build_num, build_date = version_str.rsplit("-", 4)
 
         build_num = build_num.replace("build", "build ", 1)
@@ -368,15 +424,111 @@ def local_groups_to_users(config_groups: dict) -> dict:
     return user_groups
 
 
-def decrypt_password(ciphertext: str) -> str:
-    """Decrypt FortiOS version 6 and 7 encrypted secrets."""
+def decrypt_password(input: str) -> str:
+    """Decrypt FortiOS encrypted secrets.
+
+    Works for FortiGate 5.x, 6.x and 7.x (CVE-2019-6693).
+
+    NOTE:
+        - FortiManager uses a 16-byte IV and is not supported (CVE-2020-9289).
+        - FortiGate 4.x uses DES and a static 8-byte key and is not supported.
+
+    Returns decoded plaintext or original input ciphertext when decryption failed.
+
+    Resources:
+        - https://www.fortiguard.com/psirt/FG-IR-19-007
+    """
+
+    if not HAS_PYCRYPTODOME:
+        raise RuntimeError("PyCryptodome module not available")
 
-    if ciphertext[:3] in ["SH2", "AK1"]:
+    if input[:3] in ["SH2", "AK1"]:
         raise ValueError("Password is a hash (SHA-256 or SHA-1) and cannot be decrypted.")
 
-    ciphertext = b64decode(ciphertext)
+    ciphertext = b64decode(input)
     iv = ciphertext[:4] + b"\x00" * 12
     key = b"Mary had a littl"
     cipher = AES.new(key, iv=iv, mode=AES.MODE_CBC)
     plaintext = cipher.decrypt(ciphertext[4:])
-    return plaintext.split(b"\x00", 1)[0].decode()
+
+    try:
+        return plaintext.split(b"\x00", 1)[0].decode()
+    except UnicodeDecodeError:
+        return "ENC:" + input
+
+
+def decrypt_rootfs(fh: BinaryIO, kernel_hash: str) -> BinaryIO:
+    """Attempt to decrypt an encrypted ``rootfs.gz`` file.
+
+    FortiOS releases as of 7.4.1 / 2023-08-31, have ChaCha20 encrypted ``rootfs.gz`` files.
+    This function attempts to decrypt a ``rootfs.gz`` file using a static key and IV
+    which can be found in the kernel.
+
+    Currently supported versions (each release has a new key):
+        - FortiGate VM 7.0.13
+        - FortiGate VM 7.4.1
+        - FortiGate VM 7.4.2
+
+    Resources:
+        - https://docs.fortinet.com/document/fortimanager/7.4.2/release-notes/519207/special-notices
+        - Reversing kernel (fgt_verifier_iv, fgt_verifier_decrypt, fgt_verifier_initrd)
+    """
+
+    if not HAS_PYCRYPTODOME:
+        raise RuntimeError("PyCryptodome module not available")
+
+    # SHA256 hashes of kernel files
+    KERNEL_KEY_MAP = {
+        # FortiGate VM 7.0.13
+        "25cb2c8a419cde1f42d38fc6cbc95cf8b53db41096d0648015674d8220eba6bf": (
+            bytes.fromhex("c87e13e1f7d21c1aca81dc13329c3a948d6e420d3a859f3958bd098747873d08"),
+            bytes.fromhex("87486a24637e9a66f09ec182eee25594"),
+        ),
+        # FortiGate VM 7.4.1
+        "a008b47327293e48502a121ee8709f243ad5da4e63d6f663c253db27bd01ea28": _kdf_7_4_x(
+            "366486c0f2c6322ec23e4f33a98caa1b19d41c74bb4f25f6e8e2087b0655b30f"
+        ),
+        # FortiGate VM 7.4.2
+        "c392cf83ab484e0b2419b2711b02cdc88a73db35634c10340037243394a586eb": _kdf_7_4_x(
+            "480767be539de28ee773497fa731dd6368adc9946df61da8e1253fa402ba0302"
+        ),
+    }
+
+    if not (key_data := KERNEL_KEY_MAP.get(kernel_hash)):
+        raise ValueError("Failed to decrypt: Unknown kernel hash.")
+
+    key, iv = key_data
+    # First 8 bytes = counter, last 8 bytes = nonce
+    # PyCryptodome interally divides this seek by 64 to get a (position, offset) tuple
+    # We're interested in updating the position in the ChaCha20 internal state, so to make
+    # PyCryptodome "OpenSSL-compatible" we have to multiply the counter by 64
+    cipher = ChaCha20.new(key=key, nonce=iv[8:])
+    cipher.seek(int.from_bytes(iv[:8], "little") * 64)
+    result = cipher.decrypt(fh.read())
+
+    if result[0:2] != b"\x1f\x8b":
+        raise ValueError("Failed to decrypt: No gzip magic header found.")
+
+    return BytesIO(result)
+
+
+def _kdf_7_4_x(key_data: Union[str, bytes]) -> tuple[bytes, bytes]:
+    """Derive 32 byte key and 16 byte IV from 32 byte seed.
+
+    As the IV needs to be 16 bytes, we return the first 16 bytes of the sha256 hash.
+    """
+
+    if isinstance(key_data, str):
+        key_data = bytes.fromhex(key_data)
+
+    key = hashlib.sha256(key_data[4:32] + key_data[:4]).digest()
+    iv = hashlib.sha256(key_data[5:32] + key_data[:5]).digest()[:16]
+    return key, iv
+
+
+def get_kernel_hash(sysvol: Filesystem) -> Optional[str]:
+    """Return the SHA256 hash of the (compressed) kernel."""
+    kernel_files = ["flatkc", "vmlinuz", "vmlinux"]
+    for k in kernel_files:
+        if sysvol.path(k).exists():
+            return sysvol.sha256(k)

dissect/target/plugins/os/unix/linux/fortios/generic.py

@@ -16,13 +16,15 @@ class GenericPlugin(Plugin):
     @export(property=True)
     def install_date(self) -> Optional[datetime]:
         """Return the likely install date of FortiOS."""
-        if (init_log := self.target.fs.path("/data/etc/cloudinit.log")).exists():
-            return ts.from_unix(init_log.stat().st_mtime)
+        files = ["/data/etc/cloudinit.log", "/data/.vm_provisioned", "/data/etc/ssh/ssh_host_dsa_key"]
+        for file in files:
+            if (fp := self.target.fs.path(file)).exists():
+                return ts.from_unix(fp.stat().st_mtime)
 
     @export(property=True)
     def activity(self) -> Optional[datetime]:
         """Return last seen activity based on filesystem timestamps."""
-        log_dirs = ["/var/log/log/root", "/var/log/root"]
+        log_dirs = ["/var/log/log/root", "/var/log/root", "/data"]
         for log_dir in log_dirs:
             if (var_log := self.target.fs.path(log_dir)).exists():
                 return calculate_last_activity(var_log)

dissect/target/plugins/os/unix/linux/fortios/locale.py

@@ -1,3 +1,5 @@
+from typing import Optional
+
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.plugin import Plugin, export
 
@@ -8,13 +10,16 @@ class LocalePlugin(Plugin):
             raise UnsupportedPluginError("FortiOS specific plugin loaded on non-FortiOS target")
 
     @export(property=True)
-    def timezone(self) -> str:
+    def timezone(self) -> Optional[str]:
         """Return configured UI/system timezone."""
-        timezone_num = self.target._os._config["global-config"]["system"]["global"]["timezone"][0]
-        return translate_timezone(timezone_num)
+        try:
+            timezone_num = self.target._os._config["global-config"]["system"]["global"]["timezone"][0]
+            return translate_timezone(timezone_num)
+        except KeyError:
+            pass
 
     @export(property=True)
-    def language(self) -> str:
+    def language(self) -> Optional[str]:
         """Return configured UI language."""
         LANG_MAP = {
             "english": "en_US",
@@ -26,8 +31,11 @@ class LocalePlugin(Plugin):
             "simch": "zh_CN",
             "korean": "ko_KR",
         }
-        lang_str = self.target._os._config["global-config"]["system"]["global"].get("language", ["english"])[0]
-        return LANG_MAP.get(lang_str, lang_str)
+        try:
+            lang_str = self.target._os._config["global-config"]["system"]["global"].get("language", ["english"])[0]
+            return LANG_MAP.get(lang_str, lang_str)
+        except KeyError:
+            pass
 
 
 def translate_timezone(timezone_num: str) -> str:

{dissect.target-3.15.dev34.dist-info → dissect.target-3.15.dev38.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.15.dev34
+Version: 3.15.dev38
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.15.dev34.dist-info → dissect.target-3.15.dev38.dist-info}/RECORD

@@ -218,9 +218,9 @@ dissect/target/plugins/os/unix/linux/debian/dpkg.py,sha256=DPBLQiHAF7ZS8IorRsGAi
 dissect/target/plugins/os/unix/linux/debian/vyos/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/os/unix/linux/debian/vyos/_os.py,sha256=q8qG2FLJhUbpjfwlNCmWAhFdTWMzSWUh7s7H8m4x7Fw,1741
 dissect/target/plugins/os/unix/linux/fortios/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-dissect/target/plugins/os/unix/linux/fortios/_os.py,sha256=U6LKdFxsRBYvx5I-tJLZTixBFhfQ8OZBt1J1S2eSY4M,13388
-dissect/target/plugins/os/unix/linux/fortios/generic.py,sha256=jWs1KEBV68h8TWhBw9gjjGoVbvb8NcMqx82lFqqqnPQ,1116
-dissect/target/plugins/os/unix/linux/fortios/locale.py,sha256=hd71u6-fdY8_GaWggjauFOIUrPuZWzpEuWcyC365ffo,5034
+dissect/target/plugins/os/unix/linux/fortios/_os.py,sha256=mYwmGAeY1GQdPdFbGxwNhlRuMD2hTuL1nlEAaXhao4o,19091
+dissect/target/plugins/os/unix/linux/fortios/generic.py,sha256=tT4-lE0Z_DeDIN3zHrQbE8JB3cRJop1_TiEst-Au0bs,1230
+dissect/target/plugins/os/unix/linux/fortios/locale.py,sha256=VDdk60sqe2JTfftssO05C667-_BpI3kcqKOTVzO3ueU,5209
 dissect/target/plugins/os/unix/linux/redhat/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/os/unix/linux/redhat/_os.py,sha256=l_SygO1WMBTvaLvAvhe08yPHLBpUZ9wizW28a9_JhJE,578
 dissect/target/plugins/os/unix/linux/redhat/yum.py,sha256=kEvB-C2CNoqxSbgGRZiuo6CMPBo_hMWy2KQIE4SNkdQ,2134
@@ -321,10 +321,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=j1K1iKmspl0C_OJFc7-Q1BMWN2OCC5EVANIgVlJ_fIE,1673
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.15.dev34.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.15.dev34.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.15.dev34.dist-info/METADATA,sha256=Hs8t65rvQ451oa-ZQTM3oWM5-BL_zTRjRqOXi_LbMpc,11113
-dissect.target-3.15.dev34.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
-dissect.target-3.15.dev34.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
-dissect.target-3.15.dev34.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.15.dev34.dist-info/RECORD,,
+dissect.target-3.15.dev38.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.15.dev38.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.15.dev38.dist-info/METADATA,sha256=hXL7MrjO-icCXVn6ZBQgh0xFBZsV4sePxr5u-eeICUo,11113
+dissect.target-3.15.dev38.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
+dissect.target-3.15.dev38.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
+dissect.target-3.15.dev38.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.15.dev38.dist-info/RECORD,,