CVE-2024-23113
This scenario addresses CVE-2024-23113, a format string vulnerability in the FortiGate FGFM (FortiGate to FortiManager communication protocol) service running on TCP port 541. The vulnerability exists because an attacker can control the format string, which could lead to remote code execution (RCE) or other unexpected behavior. The FGFM service is used for configuration management communication between FortiGate and FortiManager devices, and unpatched versions have improper input handling, making them vulnerable to attacks using format string vulnerabilities.
Source: https://github.com/zgimszhd61/CVE-2024-23113
How the script works:
1. Setting up a network connection:
- The script first establishes an SSL/TLS connection to the target device on port 541.
- It uses an ssl.SSLContext object with certificate verification disabled so that it can connect to devices that use self-signed certificates.
2. Creating the payload:
- Once the connection is established, the script builds a payload that exercises the format string vulnerability, such as authip=%n.
- The %n directive instructs the formatting function to write the number of bytes output so far into the variable its argument points to; with an attacker-controlled format string this can lead to memory corruption.
- This malicious payload is sent to the target device via an established connection.
3. Detection logic:
- The script then observes how the target device behaves after receiving the payload.
- If the connection drops immediately and an SSL warning occurs, this indicates that the target is vulnerable: a protective mechanism against format string abuse (e.g. _FORTIFY_SOURCE in glibc, whose fortified printf family aborts the process when it meets %n in a writable format string) was triggered.
- If the connection remains open, the target device has probably been patched.
4. Instructions for use:
- Run the script with Python 3 using the following command:
python POC-CVE-2024-23113.py
- The script asks you to enter the hostname or IP address of the device you want to check, or to type "exit" to quit.
- If the target device is vulnerable, the script outputs: Внимание: <hostname> уязвим!
- If the target device appears to be fixed, the script outputs: [+] <hostname> выглядит исправленным.
5. System requirements:
- Python 3.9+ is required to run the script.
- The target device must be accessible over the network and port 541 must be open.
- The target device must have the FGFM service running.
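The %n behaviour and the mitigation referred to in steps 2 and 3 above, shown as an added C example (not code from the PoC script or from Fortinet): a logging helper that is misused by passing a caller-supplied value as the format string, the hardened form that keeps the value as data, a deliberate use of %n with a fixed format so its effect can be observed, and an input check that flags values carrying %-directives. The function names and the sample values are assumptions made for this illustration.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Generic logging helper: formats into a caller-supplied buffer. */
static int log_msg(char *out, size_t outlen, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return r;
}

/* Vulnerable pattern (the bug class behind the CVE): the caller-supplied
   value is passed where a format string belongs, so any %-directive it
   contains, including %n, is interpreted by the formatting function.
   Only ever call this with benign data; it is here for comparison. */
int log_value_vulnerable(char *out, size_t outlen, const char *value) {
    return log_msg(out, outlen, value);
}

/* Hardened form: the format is a literal and the value is consumed by %s,
   so "%n" in the input is copied as two ordinary characters. */
int log_value_safe(char *out, size_t outlen, const char *value) {
    return log_msg(out, outlen, "authip=%s", value);
}

/* What %n does when the programmer uses it deliberately with a fixed format:
   it stores the number of bytes emitted so far into the int it points to.
   With an attacker-chosen format that write lands wherever the stack
   argument happens to point, which is why fortified printf aborts instead. */
int count_emitted(const char *s) {
    char buf[256];
    int n = -1;
    snprintf(buf, sizeof buf, "%s%n", s, &n);
    return n;
}

/* Input check for values that must never reach a format parameter: any '%'
   is enough to reject, since every directive starts with one. */
bool contains_format_directive(const char *s) {
    return strchr(s, '%') != NULL;
}

int main(void) {
    char buf[64];
    const char *hostile = "authip=%n";   /* constructed, the shape described above */

    log_value_safe(buf, sizeof buf, hostile);
    printf("hardened output: %s\n", buf);            /* %n stays as text */
    printf("%%n after \"authip=\" stores %d\n", count_emitted("authip="));
    printf("input flagged: %s\n", contains_format_directive(hostile) ? "yes" : "no");
    return 0;
}
```

The point of the comparison is that the fix is a one-line change at the call site (a literal format plus %s), while the input check is a defence-in-depth measure for values that are logged or echoed through code you do not control.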