MinhPham123456789/PoC-CVE-2024-23113
GitHub: MinhPham123456789/PoC-CVE-2024-23113
# Disclaimer
The code and materials contained in this repository are provided strictly for **educational, research, and authorized security testing purposes**.
## Prohibited Use
+ Do not use this tool/code against any infrastructure, systems, or networks without explicit, prior written permission from the owner.
+ Utilizing this material for unauthorized scanning, exploitation, or malicious activities is entirely illegal and strictly prohibited.
## Limitation of Liability
+ This software is provided "as is," without warranty of any kind, express or implied.
+ The author/contributors shall not be held liable for any misuse, damage, data loss, or legal consequences resulting from the use or modifications of this code.
+ By downloading or using any part of this repository, you agree to assume all responsibility for your actions.
# PoC CVE-2024-23113
This is a Python script for detecting CVE-2024-23113, a format string vulnerability in the FortiGate FGFM service (the FortiGate to FortiManager protocol), which commonly runs on TCP port 541.
The FortiGate FGFM service is a communication link between a FortiGate firewall and a FortiManager central tool. It is a dedicated channel for remotely managing, updating, and configuring your firewalls from one dashboard.
An attacker can control a format string via a crafted request, which could lead to Remote Code Execution (RCE), Denial of Service (DoS) or other harmful impacts.
# Acknowledgements
This script was inspired by watchTowr's article about CVE-2024-23113:
https://labs.watchtowr.com/fortinet-fortigate-cve-2024-23113-a-super-complex-vulnerability-in-a-super-secure-appliance-in-2024/

# How to Use
1. Replace the value of the `hostname` variable with your target's IP address.
2. Run the script.
3. Analyse the result. The analysis guideline below is combined with the signed cert requirement check; see the next section for more details.
+ If the connection was aborted and the error message is not similar to `ssl.SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:997)`, then the target is vulnerable.
+ If the error message is similar to `ssl.SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:997)` and the service does not have the `certificate_authorities` extension status, then the target is vulnerable.
+ Else, the target is not vulnerable.

Note: You also have to watch out for the "Requires cert signed by configured CA" setting.

# Identifying the Signed Cert Requirement for Better Detection
This was covered very well in the "We Observe, We Compare" section of watchTowr's article. It is highly recommended that you visit the article and read it; it is technical but understandable. The key point for this detection is the `certificate_authorities` extension status in the details of the TLS negotiation. Combining the signed cert requirement detection technique with my script gives you a 100% accurate detection technique for this vulnerability.
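As an added example (not the repository's script), the following Python encodes the three analysis rules above together with the signed cert requirement caveat from the next section, so the verdict is derived from recorded observations rather than by eyeballing an exception message. The `ProbeOutcome` fields, the `Verdict` names, the `classify` function and the constructed sample outcomes are my own assumptions about what a probe would record; the connection and request handling of the actual script is not reproduced here. The check matches on `ssl.SSLError.reason` (the OpenSSL reason mnemonic) before falling back to the message text, because the `(_ssl.c:997)` line number in the quoted error differs between Python builds.

```python
"""Classify a probe outcome for CVE-2024-23113 using the README's decision rule.

Added example, not the repository's script. It assumes the probe (TLS
connection to TCP 541 and the request itself) has already run elsewhere and
recorded three things: whether the peer aborted the connection, the exception
that was raised (if any) and whether the server's TLS CertificateRequest
carried the certificate_authorities extension (None if that was not checked).
"""
import ssl
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Verdict(Enum):
    VULNERABLE = "vulnerable"
    NOT_VULNERABLE = "not vulnerable"
    INCONCLUSIVE = "inconclusive"  # added state: rule 2 needs the cert-requirement check first


UNKNOWN_CA_REASON = "TLSV1_ALERT_UNKNOWN_CA"  # OpenSSL reason mnemonic from the README's error


@dataclass
class ProbeOutcome:
    aborted: bool                                # peer closed/aborted the connection
    error: Optional[BaseException]               # exception seen by the probe, if any
    has_certificate_authorities: Optional[bool]  # from the TLS negotiation; None = not inspected


def is_unknown_ca_alert(err: Optional[BaseException]) -> bool:
    """True if `err` is the 'tlsv1 alert unknown ca' SSLError quoted in the README.

    SSLError.reason is preferred over matching the full message text, whose
    trailing "(_ssl.c:997)" line number varies between Python builds.
    """
    if not isinstance(err, ssl.SSLError):
        return False
    reason = getattr(err, "reason", None)
    if reason is not None:
        return reason == UNKNOWN_CA_REASON
    return UNKNOWN_CA_REASON in str(err)


def classify(outcome: ProbeOutcome) -> Verdict:
    """Apply the README's three rules, with the signed-cert caveat folded in."""
    if outcome.aborted and not is_unknown_ca_alert(outcome.error):
        # Rule 1: aborted for any reason other than an unknown-CA alert.
        return Verdict.VULNERABLE
    if is_unknown_ca_alert(outcome.error):
        # Rule 2: an unknown-CA alert is only meaningful once we know whether the
        # service requires a cert signed by its configured CA (certificate_authorities).
        if outcome.has_certificate_authorities is None:
            return Verdict.INCONCLUSIVE
        if not outcome.has_certificate_authorities:
            return Verdict.VULNERABLE
    # Rule 3: everything else.
    return Verdict.NOT_VULNERABLE


def make_unknown_ca_error() -> ssl.SSLError:
    """Constructed stand-in for the error the README quotes (not captured from a device)."""
    err = ssl.SSLError(1, "[SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:997)")
    err.reason = UNKNOWN_CA_REASON  # OpenSSL sets this on real errors; assigned here for the sample
    return err


def run_samples() -> dict:
    """Constructed outcomes covering each branch; keys name the scenario."""
    unknown_ca = make_unknown_ca_error()
    samples = {
        "aborted_reset": ProbeOutcome(True, ConnectionResetError(104, "Connection reset by peer"), None),
        "unknown_ca_no_ca_ext": ProbeOutcome(True, unknown_ca, False),
        "unknown_ca_with_ca_ext": ProbeOutcome(True, unknown_ca, True),
        "unknown_ca_unchecked": ProbeOutcome(True, unknown_ca, None),
        "clean_close": ProbeOutcome(False, None, None),
    }
    return {name: classify(outcome) for name, outcome in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:24s} -> {verdict.value}")
```

The `INCONCLUSIVE` verdict is deliberate: when the only observation is the unknown-CA alert and the `certificate_authorities` status has not been inspected, the README's rules cannot separate a patched device from one that simply enforces "Requires cert signed by configured CA", so the classifier refuses to guess.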