Talk

XORtigate: zero-effort, zero-expense, 0-day on Fortinet SSL VPN

conf 2023-11-02 11:45 – 12:30 La Marive EN

While performing a red team assessment, due to limited scope, we were forced to look for 0-day vulnerabilities on a Fortinet appliance. This talk describes how we found and exploited CVE-2023-27997, a pre-authentication remote code execution vulnerability in the VPN interface of FortiGate that affects hundreds of thousands of servers on the internet, and used it to completely compromise the company's intranet. It will cover the vulnerability research process from start to finish: how to get a shell on a local appliance, our research logic, the bug and the exploit, and finally how to persist on the target despite reboots.