
Fortinet SSL VPN Out-of-bounds Write Vulnerability Check (CVE-2024-21762) #9347

Open
NitescuLucian opened this issue Mar 14, 2024 · 10 comments
Labels: nuclei-template (Nuclei template contribution)

Comments

@NitescuLucian

Template Information:

An out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows an attacker to execute unauthorized code or commands via specifically crafted requests.

- https://bit-sentinel.com/cve-2024-21762-nuclei-template-for-scanning-fortigate-firewalls/
- https://fortiguard.com/psirt/FG-IR-24-015
- https://nvd.nist.gov/vuln/detail/CVE-2024-21762
- https://github.com/BishopFox/cve-2024-21762-check

Nuclei Template:

id: cve-2024-21762-check
info:
  name: Fortinet SSL VPN Out-of-bounds Write Vulnerability Check (CVE-2024-21762)
  author: LucianNitescu
  severity: critical
  description: |
    An out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows an attacker to execute unauthorized code or commands via specifically crafted requests.
  reference:
    - https://bit-sentinel.com/cve-2024-21762-nuclei-template-for-scanning-fortigate-firewalls/
    - https://fortiguard.com/psirt/FG-IR-24-015
    - https://nvd.nist.gov/vuln/detail/CVE-2024-21762
    - https://github.com/BishopFox/cve-2024-21762-check

  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-21762
    cwe-id: CWE-787
  metadata:
    verified: true
    max-request: 1
    vendor: fortinet
    # The affected component is the FortiOS/FortiProxy SSL VPN portal, not FortiNAC;
    # the Shodan query uses the same portal marker the http matcher below looks for.
    product: fortios
    shodan-query: http.html:"/remote/fgt_lang"
  tags: cve,cve2024,fortinet,vpn

# Stage 1 (http) confirms an SSL VPN portal that answers the probe path with 403;
# stage 2 (code) runs only when stage 1 matched.
flow: http(1) && code(1)

# "requests:" is the pre-v3 name of this block; nuclei v3 expects "http:".
http:
  - raw:
      - |+
        POST /remote/VULNCHECK HTTP/1.1
        Host: {{Hostname}}
        Transfer-Encoding: chunked

        0



    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<script type='text/javascript' src='/remote/fgt_lang?lang="
        internal: true
      - type: status
        status:
          - 403
        internal: true


code:
  - engine:
      - py
      - python3
    source: |
      import os
      import socket
      import ssl

      # credits: https://github.com/BishopFox/cve-2024-21762-check

      TIMEOUT = 5

      # Appliance certificates are usually self-signed and the probe only
      # measures whether the SSL VPN daemon still answers, so verification is off.
      context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
      context.check_hostname = False
      context.verify_mode = ssl.CERT_NONE

      def send_req(host, req):
          """Return response bytes, 0 on read timeout, -1 if the connection/handshake failed."""
          try:
              s = socket.create_connection(host, timeout=TIMEOUT)
              ss = context.wrap_socket(s, server_hostname=host[0])
          except OSError:
              return -1
          with ss:
              try:
                  ss.sendall(req)
                  return ss.recv(2048)
              except socket.timeout:
                  return 0
              except OSError:
                  return -1

      # The Host header carries host:port, not a URL.
      check_req = ("POST /remote/VULNCHECK HTTP/1.1\r\n"
                   "Host: {}:{}\r\n"
                   "Transfer-Encoding: chunked\r\n"
                   "\r\n"
                   "0000000000000000FF\r\n"
                   "\r\n")

      def check(host):
          r2 = send_req(host, check_req.format(*host).encode())
          if r2 == -1:
              return "Connection failed"
          # A patched build answers the malformed chunk-size line; a vulnerable
          # build stops responding, which shows up here as a read timeout.
          if r2 == 0:
              return "Vulnerable"
          return "Patched"

      if __name__ == "__main__":
          target = os.getenv("Hostname", "")
          if not target:
              print("fail: Hostname not set")
              raise SystemExit(1)
          # Default to the HTTPS port when nuclei passes a bare hostname.
          host, _, port = target.partition(":")
          HOST = (host, int(port) if port else 443)
          print(check(HOST))

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Vulnerable"
# digest: 4a0a0047304502206cb27444814ca64ff154968dd36aec984699eb389050f90c8d010d9a2db81a7b0221009c4ca196b0ebc11dcbd86f45d4b08e6e0cfa1b4d72cbc3351155a6e468705cf4:4064d050bf4d41a5982c74d68fec3354

How to run it:

cat targets.txt | nuclei -t cve-2024-21762-check.yaml -code

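Added example, not part of the issue or of the template above: a bounded parser for HTTP/1.1 chunked bodies, written in Python, that rejects the overlong chunk-size field the check sends ("0000000000000000FF" is 18 hex digits yet numerically only 255, so a purely numeric bound would accept it). The digit and body caps are assumed policy values, not limits from the RFC or from Fortinet, and the inputs are constructed.

```python
MAX_SIZE_DIGITS = 8   # policy cap on chunk-size hex digits (assumption, not an RFC limit)
MAX_BODY = 1 << 20    # 1 MiB cap on the decoded body (assumption)

class ChunkedError(ValueError):
    pass

def parse_chunked(data: bytes, max_digits=MAX_SIZE_DIGITS, max_body=MAX_BODY) -> bytes:
    """Decode an HTTP/1.1 chunked body; raise ChunkedError on malformed or oversized input."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedError("missing CRLF after chunk-size")
        # Drop chunk extensions (";name=value") before validating the size field.
        size_field = data[pos:eol].split(b";", 1)[0].strip()
        # Length is checked before conversion: "0000000000000000FF" is only 255,
        # so a numeric bound alone would let the overlong field through.
        if not size_field or len(size_field) > max_digits:
            raise ChunkedError(f"chunk-size field of {len(size_field)} digits exceeds limit")
        # Strict hex only: int(x, 16) would also accept "0x" prefixes and underscores.
        if any(c not in b"0123456789abcdefABCDEF" for c in size_field):
            raise ChunkedError("chunk-size is not hexadecimal")
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            # Last chunk: trailers (if any) end with an empty line.
            if data.find(b"\r\n", pos) < 0:
                raise ChunkedError("missing terminating CRLF")
            return bytes(out)
        if len(out) + size > max_body:
            raise ChunkedError("decoded body exceeds limit")
        chunk = data[pos:pos + size]
        if len(chunk) != size or data[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedError("truncated chunk")
        out += chunk
        pos += size + 2

def classify(body: bytes) -> str:
    """'ok' if the body decodes within policy, else the rejection reason."""
    try:
        parse_chunked(body)
        return "ok"
    except ChunkedError as e:
        return f"rejected: {e}"

# Constructed inputs: a normal body and the size line sent by the check above.
NORMAL = b"5\r\nhello\r\n0\r\n\r\n"
OVERLONG = b"0000000000000000FF\r\n\r\n"
```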

@NitescuLucian NitescuLucian added the nuclei-template Nuclei template contribution label Mar 14, 2024
@GeorginaReeder

Thanks so much for your contribution @NitescuLucian !

@sec13b

sec13b commented Mar 18, 2024

@NitescuLucian In your targets list, is the vulnerable IP written with https or without https?

root@tc:~/.cache# cat test.txt | ./nuclei -t cve-2024-21762-check.yaml -code

[INF] Supplied input was automatically deduplicated (1301 removed).
[INF] Current nuclei version: v3.2.2 (latest)
[INF] Current nuclei-templates version: v9.7.8 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] Targets loaded for current scan: 25
[INF] No results found. Better luck next time!
[FTL] Could not run nuclei: no templates provided for scan
root@tc:~/.cache#

thank you

@NitescuLucian
Author

@sec13b only with https, as per the Forti SSL VPN. I do not think there is an option for it to be http.

@johnk3r
Contributor

johnk3r commented Mar 18, 2024

@NitescuLucian thanks for sharing. Is this template working in the latest version of Nuclei?

I also received the error '[FTL] Could not run nuclei: no templates provided for scan' on an HTTPS URL.

@NitescuLucian
Author

@johnk3r @sec13b have you signed your templates using -sign before using -code?

@NitescuLucian
Author

Here is the documentation: https://docs.projectdiscovery.io/templates/reference/template-signing

Also use --debug for more info.

@sec13b

sec13b commented Mar 19, 2024

No, I didn't -sign (solved)
default nuclei sign

digest:

490a0046304402206a39800bff0d9ca85a05e3686a0e246f8d5504a38e8501a1d7e8684ae6f2853002205ba7c74bb1f99cacf693e8a5a1cd429dcd7e52fab188beb8c95b934e4aabcd57:922c64590222798bb761d5b6d8e72950

I'm asking whether the list in targets.txt has, for example:
https://{ip}:{port}
or just {ip}:{port}

cat targets.txt | httpx -random-agent -nf -rl 5000 -t 1000 -p 123 -stats -silent | nuclei -t ....
or the easy

./nuclei -l targets.txt -t template.yaml -code -o vuln.txt -stats
where targets.txt list is https://{ip}:{port}

@shorefall

/nuclei -u x -t fortinet.yaml -code

[nuclei v3.2.2 ASCII banner, projectdiscovery.io]

[WRN] Found 1 templates loaded with deprecated protocol syntax, update before v3 for continued support.
[WRN] Skipping 1 unsigned template[s]
[INF] Current nuclei version: v3.2.2 (latest)
[INF] Current nuclei-templates version: v9.7.8 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] Targets loaded for current scan: 1
[INF] No results found. Better luck next time!
[FTL] Could not run nuclei: no templates provided for scan

Doesn't work, why?

@shorefall

You have to remove the digest line, then it will allow you to sign the template. Thanks guys.

@dancorain

Whoever has macOS, be careful!!! After running "brew install nuclei" on my macOS, a trojan "https://github.com/vonahisec/CVE-2022-47966-Scan" was detected by my antivirus.
