## https://sploitus.com/exploit?id=9FE7E8BC-4FDD-5C40-A866-41D14FB4E0CD
# CVE-2024-21762 - FortiOS SSL VPN Out-of-Bounds Write
## Overview
| Field | Value |
|-------|-------|
| **CVE** | CVE-2024-21762 |
| **Advisory** | FG-IR-24-015 |
| **CVSS** | 9.8 (Critical) |
| **CWE** | CWE-787 (Out-of-bounds Write) |
| **CISA KEV** | Yes - actively exploited in the wild |
| **Attack Vector** | Network (unauthenticated) |
| **Affected Component** | sslvpnd (SSL VPN daemon) |
## Description
An out-of-bounds write vulnerability in FortiOS SSL VPN allows a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted HTTP requests. The flaw is in the HTTP chunked transfer-encoding parser of `sslvpnd`: when the daemon receives a POST request with `Transfer-Encoding: chunked`, it does not properly validate the attacker-supplied chunk-size field, and the resulting copy writes past the bounds of a heap buffer.
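For contrast with the parser described above, here is a strict chunked-body decoder showing the checks a correct implementation performs on the chunk-size field before copying anything. This is an added example, not Fortinet code and not a reproduction of the `sslvpnd` bug; the two size limits are assumed values chosen for the illustration.

```python
"""Strict HTTP/1.1 chunked-body decoder, added here as an illustration.

This is not Fortinet's code and does not reproduce the sslvpnd bug. It
shows the checks a chunked parser needs (RFC 7230, section 4.1) so that
an attacker-controlled chunk-size field can never size a copy larger
than the data actually present or the buffer it is written into. The
two limits below are assumed values chosen for the example.
"""

MAX_CHUNK_SIZE = 1 << 20   # assumed per-chunk ceiling (1 MiB)
MAX_BODY_SIZE = 8 << 20    # assumed ceiling on the decoded body (8 MiB)
HEX_DIGITS = b"0123456789abcdefABCDEF"


class ChunkedError(ValueError):
    """Any malformed, truncated or over-limit chunked body."""


def _read_line(buf: bytes, pos: int) -> tuple:
    """Return (line, next_pos) for the CRLF-terminated line starting at pos."""
    end = buf.find(b"\r\n", pos)
    if end < 0:
        raise ChunkedError("truncated: missing CRLF")
    return buf[pos:end], end + 2


def decode_chunked(buf: bytes) -> bytes:
    """Decode a complete chunked message body or raise ChunkedError."""
    out = bytearray()
    pos = 0
    while True:
        line, pos = _read_line(buf, pos)
        size_field = line.split(b";", 1)[0].strip()  # drop chunk extensions
        # Validate the size field *before* trusting it: it must be a short,
        # purely hexadecimal number. In C, parsing this with strtol() into a
        # signed int is where sign and overflow mistakes start.
        if not size_field or len(size_field) > 8:
            raise ChunkedError("chunk-size field empty or too long")
        if any(c not in HEX_DIGITS for c in size_field):
            raise ChunkedError("chunk-size field is not hexadecimal")
        size = int(size_field, 16)
        if size > MAX_CHUNK_SIZE:
            raise ChunkedError("chunk size exceeds per-chunk limit")
        if size == 0:
            # last-chunk: consume optional trailer fields up to the blank line
            while True:
                trailer, pos = _read_line(buf, pos)
                if trailer == b"":
                    return bytes(out)
        # Bound both the destination and the source before copying a byte.
        if len(out) + size > MAX_BODY_SIZE:
            raise ChunkedError("decoded body exceeds total limit")
        if pos + size + 2 > len(buf):
            raise ChunkedError("truncated chunk data")
        out += buf[pos:pos + size]
        pos += size
        if buf[pos:pos + 2] != b"\r\n":
            raise ChunkedError("chunk data not terminated by CRLF")
        pos += 2


def chunked_error(buf: bytes) -> str:
    """Return '' if buf decodes cleanly, else the reason it was rejected."""
    try:
        decode_chunked(buf)
    except ChunkedError as exc:
        return str(exc)
    return ""
```

The order of the checks is the point: the size field is validated as a bounded hex string, then compared against the per-chunk and total-body limits, then against the bytes actually present, and only then copied. A parser that copies first and checks later (or that lets a signed or overflowed size through) is the CWE-787 pattern the advisory describes.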
## Affected Versions
| Branch | Affected | Fixed |
|--------|----------|-------|
| FortiOS 7.4 | 7.4.0 - 7.4.2 | 7.4.3 |
| FortiOS 7.2 | 7.2.0 - 7.2.6 | 7.2.7 |
| FortiOS 7.0 | 7.0.0 - 7.0.13 | 7.0.14 |
| FortiOS 6.4 | 6.4.0 - 6.4.14 | 6.4.15 |
| FortiOS 6.2 | 6.2.0 - 6.2.15 | 6.2.16 |
| FortiOS 6.0 | All versions | Migrate |
## Safe Check Methodology
The script compares the server response to a normal POST request vs a POST request with `Transfer-Encoding: chunked` to the same valid endpoint (`/remote/logincheck`).
- **Normal POST** with `Content-Length`: Server processes the request and returns an HTTP response (200 OK).
- **Chunked POST** with `Transfer-Encoding: chunked`: On vulnerable versions, `sslvpnd` cannot handle chunked encoding and closes the connection without responding (0 bytes).
This differential behavior confirms the vulnerability without triggering the actual out-of-bounds write.
```
Vulnerable:
  Normal POST  --> HTTP/1.1 200 OK (N bytes)
  Chunked POST --> Connection closed (0 bytes)

Patched:
  Normal POST  --> HTTP/1.1 200 OK (N bytes)
  Chunked POST --> HTTP/1.1 200 OK (N bytes)
```
### Example
```
$ python cve_2024_21762_safecheck.py 10.0.0.1 8443
[*] Target: 10.0.0.1:8443
[*] CVE-2024-21762 - Out-of-Bounds Write in sslvpnd (CVSS 9.8)
[*] Method: Compare normal POST vs chunked POST response
[*] Test 1: Normal POST to /remote/logincheck
Response: HTTP/1.1 200 OK
Size: 722 bytes
[*] Test 2: Chunked POST to /remote/logincheck
Response: empty (connection closed by server)
============================================================
[!] VULNERABLE to CVE-2024-21762
Normal POST works but chunked TE causes connection
drop -> sslvpnd cannot handle chunked TE
Severity: CRITICAL (CVSS 9.8)
CISA KEV: Yes (actively exploited in the wild)
============================================================
```
## Possible Results
| Result | Meaning |
|--------|---------|
| `VULNERABLE` | Normal POST responds, chunked POST drops connection |
| `PATCHED` | Both requests receive HTTP response |
| `INCONCLUSIVE` | Neither request got a response (rate limiting active, a filter in front of the appliance, or SSL VPN not listening on that port); retry later or verify the port |
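The comparison described under Safe Check Methodology, mapped onto the three results above, as an added example. This is an illustrative re-implementation, not the script the page ships: it builds the two requests, sends each over TLS, keeps whatever the server returns before closing, and classifies the pair. The host, port and form body are placeholders, and nothing here triggers the out-of-bounds write.

```python
"""Differential chunked-TE check for CVE-2024-21762, added as an example.

This is an illustrative re-implementation of the comparison the page
describes, not the script it ships. It sends two POSTs to
/remote/logincheck over TLS, one framed with Content-Length and one with
Transfer-Encoding: chunked, and classifies the pair of responses as
VULNERABLE, PATCHED or INCONCLUSIVE. Nothing here triggers the
out-of-bounds write. Host, port and the form body are placeholders.
"""
import socket
import ssl
import sys

PATH = "/remote/logincheck"
# Constructed, harmless login form body; the credentials are dummies.
BODY = b"ajax=1&username=test&realm=&credential=test"
TIMEOUT = 10


def _headers(host: str, framing: str) -> str:
    return (
        f"POST {PATH} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"{framing}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )


def build_normal_post(host: str, body: bytes = BODY) -> bytes:
    """Baseline request: body framed with Content-Length."""
    return _headers(host, f"Content-Length: {len(body)}").encode() + body


def build_chunked_post(host: str, body: bytes = BODY, chunk: int = 16) -> bytes:
    """Same body, framed as well-formed chunks ending in the 0-size last-chunk."""
    framed = b"".join(
        f"{len(body[i:i + chunk]):x}\r\n".encode() + body[i:i + chunk] + b"\r\n"
        for i in range(0, len(body), chunk)
    )
    return _headers(host, "Transfer-Encoding: chunked").encode() + framed + b"0\r\n\r\n"


def send(host: str, port: int, request: bytes) -> bytes:
    """Send one request and return whatever the server sends back before closing."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # appliances commonly present self-signed certs
    received = b""
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(request)
                while True:
                    data = tls.recv(4096)
                    if not data:  # orderly close
                        break
                    received += data
    except OSError:
        # timeout, reset or TLS alert: whatever arrived so far is the answer
        pass
    return received


def status_line(response: bytes) -> str:
    return response.split(b"\r\n", 1)[0].decode("ascii", "replace") if response else ""


def classify(normal: bytes, chunked: bytes) -> str:
    """Map the response pair onto the page's three outcomes."""
    if normal and not chunked:
        return "VULNERABLE"    # chunked framing alone makes sslvpnd drop the connection
    if normal and chunked:
        return "PATCHED"       # both framings are answered
    return "INCONCLUSIVE"      # the baseline itself got nothing (rate limiting, filtering)


def check(host: str, port: int = 443) -> dict:
    normal = send(host, port, build_normal_post(host))
    chunked = send(host, port, build_chunked_post(host))
    return {
        "normal": status_line(normal), "normal_bytes": len(normal),
        "chunked": status_line(chunked), "chunked_bytes": len(chunked),
        "result": classify(normal, chunked),
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.1"   # placeholder target
    tport = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for key, value in check(target, tport).items():
        print(f"{key}: {value}")
```

The chunked request is deliberately well-formed (small hex sizes, a terminating `0` chunk), so the only thing that differs between the two probes is the framing header; a parser that cannot cope with chunked framing at all shows up as a closed connection, which is the signal the check relies on. `Connection: close` keeps each probe to one round trip so the byte count of the reply is meaningful.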
## Notes
- This check does **not** exploit the vulnerability. It only detects the differential behavior of the HTTP parser, so treat the result as a screening signal: confirm it against the firmware version (`get system status` on the CLI) and the Affected Versions table above before reporting.
- The target may rate-limit after several POST requests to `/remote/logincheck`. If you get `INCONCLUSIVE`, wait a few minutes and retry.
- Some third-party scripts (e.g. the BishopFox check) use `/remote/VULNCHECK` as the endpoint. That path may not return the expected 403 on all FortiGate versions, leading to unreliable results. This script uses `/remote/logincheck`, which is a known valid SSL VPN endpoint.
## References
- [Fortinet Advisory FG-IR-24-015](https://www.fortiguard.com/psirt/FG-IR-24-015)
- [CISA KEV Entry](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- [NVD - CVE-2024-21762](https://nvd.nist.gov/vuln/detail/CVE-2024-21762)