CVE-2024-23113 PoC: Fortinet FortiOS Format String Vulnerability

Associated Vulnerability
Title: Fortinet FortiOS Format String Vulnerability (CVE-2024-23113)
Description: A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, FortiPAM versions 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiSwitchManager versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.3 allows attacker to execute unauthorized code or commands via specially crafted packets.
Readme
# CVE-2024-23113 FortiOS Test Environment

A Docker-based test environment for validating CVE-2024-23113 Nuclei templates against simulated vulnerable FortiOS instances.

## 🔍 Overview

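This environment simulates vulnerable FortiOS HTTP interfaces to test the detection capabilities of CVE-2024-23113 Nuclei templates. It serves FortiOS-style login pages, API endpoints, and version information. The indicators it exposes are version strings (see Expected Vulnerable Indicators), so a match against it validates a template's version fingerprinting rather than the format string flaw itself.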

## 🚀 Quick Start

### Prerequisites
- Docker
- Docker Compose
- Nuclei (for testing)

### Basic Setup

1. **Clone and build:**
```bash
git clone <this-repository>
cd cve-2024-23113-test-env
docker-compose up -d
```

2. **Verify the environment:**
```bash
curl http://localhost:8080/
```

3. **Test with Nuclei:**
```bash
# Test against vulnerable instance
nuclei -t CVE-2024-23113.yaml -u http://localhost:8080 -v

# Test with debug output
nuclei -t CVE-2024-23113.yaml -u http://localhost:8080 -debug
```

## 🎯 Available Environments

### Default Environment
- **Service**: `fortios-vulnerable`
- **Port**: `8080`
- **Version**: FortiOS v7.2.5 (vulnerable)
- **URL**: `http://localhost:8080`

### Additional Test Environments

```bash
# Start patched version for comparison
docker-compose --profile patched up -d

# Start multiple vulnerable versions
docker-compose --profile multiple up -d
```

#### Available Profiles:
- **Default**: FortiOS v7.2.5 (vulnerable) - Port 8080
- **Patched**: FortiOS v7.2.7 (patched) - Port 8081
- **Multiple**: 
  - FortiOS v7.4.1 (vulnerable) - Port 8082
  - FortiOS v7.0.10 (vulnerable) - Port 8083

## 🔧 Configuration

### Environment Variables

| Variable | Description | Default |
|----------|-------------|---------|
| `FORTIOS_VERSION` | FortiOS version to simulate | `7.2.5` |
| `PORT` | Container internal port | `8080` |

### Custom Version

```bash
# Run specific version
docker run -p 8080:8080 -e FORTIOS_VERSION=7.4.2 cve-2024-23113-test
```

## 📡 API Endpoints

The simulated FortiOS provides these endpoints:

| Endpoint | Description | Content-Type |
|----------|-------------|--------------|
| `/` | Main login page | `text/html` |
| `/login` | Login form | `text/html` |
| `/remote/login` | Remote access portal | `text/html` |
| `/api/v2/monitor/system/status` | System status API | `application/json` |
| `/api/v2/cmdb/system/global` | Global config API | `application/json` |

### Example API Response
```json
{
  "version": "v7.2.5",
  "hostname": "TEST-FORTIGATE",
  "serial": "FGTVM1234567890",
  "build": 1396,
  "model": "FortiGate-VM64"
}
```

## 🧪 Testing Scenarios

### Vulnerable Versions Detection
```bash
# Test vulnerable versions
nuclei -t CVE-2024-23113.yaml -u http://localhost:8080     # v7.2.5
nuclei -t CVE-2024-23113.yaml -u http://localhost:8082     # v7.4.1  
nuclei -t CVE-2024-23113.yaml -u http://localhost:8083     # v7.0.10
```

### Patched Version Validation
```bash
# Test patched version (should not detect)
nuclei -t CVE-2024-23113.yaml -u http://localhost:8081     # v7.2.7
```

### Batch Testing
```bash
# Test all instances
echo -e "http://localhost:8080\nhttp://localhost:8081\nhttp://localhost:8082\nhttp://localhost:8083" | nuclei -t CVE-2024-23113.yaml -l /dev/stdin
```

## 🔍 Manual Testing

### Check Service Response
```bash
# Basic connectivity
curl -v http://localhost:8080/

# API endpoint
curl -s http://localhost:8080/api/v2/monitor/system/status | jq .

# Check headers
curl -I http://localhost:8080/
```

### Expected Vulnerable Indicators
- **HTML**: Contains `FortiOS v7.2.5`
- **Server Header**: `FortiGate-HTTP/v7.2.5`
- **API Response**: `"version": "v7.2.5"`

## 🐛 Troubleshooting

### Common Issues

#### Port Already in Use
```bash
# Check what's using the port
netstat -tlnp | grep 8080

# Use different port
docker-compose up -d --scale fortios-vulnerable=0
docker run -p 8090:8080 cve-2024-23113-test
```

#### Container Won't Start
```bash
# Check logs
docker-compose logs fortios-vulnerable

# Rebuild image
docker-compose build --no-cache
```

#### Health Check Failing
```bash
# Check container health
docker ps
docker exec cve-2024-23113-vulnerable curl -f http://localhost:8080/
```

### Debugging

```bash
# View real-time logs
docker-compose logs -f

# Interactive shell
docker exec -it cve-2024-23113-vulnerable /bin/bash

# Test from inside container
docker exec cve-2024-23113-vulnerable curl localhost:8080
```

## 📋 Vulnerable Versions

This environment can simulate any of these vulnerable versions:

### FortiOS
- 7.4.0, 7.4.1, 7.4.2
- 7.2.0 through 7.2.6  
- 7.0.0 through 7.0.13

### FortiProxy  
- 7.4.0, 7.4.1, 7.4.2
- 7.2.0 through 7.2.8
- 7.0.0 through 7.0.14

### Example Usage
```bash
# Test different vulnerable versions
docker run -p 8080:8080 -e FORTIOS_VERSION=7.4.0 cve-2024-23113-test
docker run -p 8081:8080 -e FORTIOS_VERSION=7.0.13 cve-2024-23113-test
```
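
The version check that the indicators and ranges above imply, as an added example (not part of this repository or its `server.py`): it reads the `Server` header and the status API body and compares the version against the listed ranges. The function names and the `conflict`/`unknown` labels are assumptions made for this example.

```python
import json
import re

# Inclusive (low, high) ranges copied from the "Vulnerable Versions" lists above.
AFFECTED = {
    "FortiOS": [((7, 4, 0), (7, 4, 2)), ((7, 2, 0), (7, 2, 6)), ((7, 0, 0), (7, 0, 13))],
    "FortiProxy": [((7, 4, 0), (7, 4, 2)), ((7, 2, 0), (7, 2, 8)), ((7, 0, 0), (7, 0, 14))],
}
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from 'v7.2.5' or 'FortiGate-HTTP/v7.2.5',
    or None when the text carries no version."""
    m = _VERSION_RE.search(text or "")
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected(version, product="FortiOS"):
    """Tuple comparison, so 7.0.13 sorts above 7.0.2 (a string compare would not)."""
    return any(lo <= version <= hi for lo, hi in AFFECTED[product])


def classify(server_header=None, status_body=None, product="FortiOS"):
    """Classify one host from its Server header and/or status API JSON body.
    Returns 'affected', 'not-affected', 'conflict' or 'unknown'."""
    seen = set()
    if server_header:
        seen.add(parse_version(server_header))
    if status_body:
        try:
            seen.add(parse_version(str(json.loads(status_body).get("version", ""))))
        except (ValueError, AttributeError):
            pass  # body is not JSON, or is JSON but not an object
    seen.discard(None)
    if not seen:
        return "unknown"
    if len(seen) > 1:
        return "conflict"  # indicators disagree: verify the host by hand
    return "affected" if is_affected(seen.pop(), product) else "not-affected"


# Constructed sample, shaped like the example API response in this README.
SAMPLE_BODY = '{"version": "v7.2.5", "hostname": "TEST-FORTIGATE", "build": 1396}'

if __name__ == "__main__":
    print(classify("FortiGate-HTTP/v7.2.5", SAMPLE_BODY))
```

A banner can be changed or hidden independently of patch level, so treat `conflict` and `unknown` as hosts to check against the device's own firmware inventory.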

## 🏗️ Development

### Building from Source
```bash
# Build image
docker build -t cve-2024-23113-test .

# Run manually
docker run -p 8080:8080 cve-2024-23113-test
```

### Customizing Responses
Edit `server.py` to modify:
- HTML responses
- API endpoint data
- Server headers
- Version information

## ⚠️ Security Notice

**This is a test environment only:**
- ✅ Use for security testing and template validation
- ✅ Use in isolated lab environments  
- ❌ **Never expose to public networks**
- ❌ **Never use in production**

## 📚 References

- [CVE-2024-23113 Details](https://nvd.nist.gov/vuln/detail/CVE-2024-23113)
- [Fortinet Security Advisory](https://www.fortiguard.com/psirt/FG-IR-24-029)
- [CISA KEV Catalog](https://www.cisa.gov/news-events/alerts/2024/10/09/cisa-adds-three-known-exploited-vulnerabilities-catalog)
- [Nuclei Templates Repository](https://github.com/projectdiscovery/nuclei-templates)

## 📞 Support

For issues with this test environment:
1. Check the troubleshooting section
2. Review container logs
3. Verify Nuclei template syntax
4. Test with manual curl requests

---

**Remember**: This environment is for authorized security testing only. Always ensure you have permission before testing any systems.
File Snapshot

[4.0K] /data/pocs/ce7db180a1af7f482a3ff43a415adf45ba84c75a
├── [1.8K] docker-compose.yml
├── [ 497] Dockerfile
├── [6.0K] README.md
└── [6.9K] server.py

0 directories, 4 files