Patch Diffing, You Are My Sword! A Deep Dive into Two Critical N-day Vulnerabilities in FortiGate

Qian Chen & Zibo Li | TBC

Abstract

FortiGate has been an appealing target in recent years. At the start of 2024, Fortinet patched two critical vulnerabilities affecting its FortiGate device, namely CVE-2024-21762 and CVE-2024-23113, both of which could be used to achieve unauthenticated remote code execution. In this presentation, we will describe how we use the patch diffing technique to locate these two vulnerabilities, and how to achieve reliable code execution on the device.

On FortiGate, nearly all programs and configurations are compiled into a single huge binary, /bin/init. Every coin has two sides: it's easier to find ROP gadgets in such a huge binary, but it's a real headache when doing patch diffing. First, we will share the trick we use to make patch diffing easier, which allowed us to identify these two vulnerabilities quickly.

Regarding the vulnerabilities, CVE-2024-23113 is a format string vulnerability found in the fgfmd component. We will give a brief introduction to the protocol format used to communicate with the fgfmd service, then share how we use a partial emulation technique to exploit the vulnerability without requiring a running device. The more interesting one is CVE-2024-21762, an out-of-bounds write vulnerability in the sslvpnd component. The challenge with this write primitive lies in the inability to control what is written. In early March 2024, we first published a Chinese blog post (https://mp.weixin.qq.com/s/FFjIMzbLBxwO7hHZJF6Zuw) demonstrating its exploitability. We will share how we use the heap fengshui technique to exploit this vulnerability more reliably and achieve code execution.

The Speaker(s)

Qian Chen


Qian Chen (@cq674350529) is a senior security engineer on the Codesafe Team of Legendsec at QI-ANXIN Group, focusing mainly on IoT and protocol security. He has found multiple vulnerabilities in devices from Synology, MikroTik, Ubiquiti, Cisco and others. He has previously spoken at conferences such as POC, Hack In The Box and Black Hat.

Zibo Li


Zibo Li is a security researcher at QI-ANXIN TianGong Team, specializing in binary security and IoT security. He has reported multiple vulnerabilities to VMware, receiving acknowledgments for his contributions. In 2024, he and his teammates won the Best Vulnerability Award at the Matrix Cup for their exceptional work on the vCenter Project Challenge. He is also a speaker at HITBSecConf 2024.