Local Privilege Escalation in Fortinet FortiClientLinux via Symlinked Shared Object Loading

This repository is a small local privilege-escalation exploit for CVE-2026-24018 affecting Fortinet FortiClientLinux. It contains only two files: a README describing the target vulnerability and a single Bash exploit script, exploit.sh, which is the main entry point. The exploit is not part of a larger framework. Its purpose is to abuse a symlink-following issue in FortiClient Linux by modifying a VPN profile through /opt/forticlient/forticlient-cli so that FortiClient later loads an attacker-controlled shared object from /tmp/evil.so. The script supports a default mode that automatically prepares a profile and a more interactive mode where the operator can choose a VPN name and provide an arbitrary command to run as root. Operational flow: 1. Verifies FortiClient is installed at /opt/forticlient. 2. Prepares a malicious shared library. If gcc is present, it writes a small C source file and compiles it as /tmp/evil.so; otherwise it decodes a bundled base64 ELF shared object. 3. The shared object’s _init() function calls setuid(0), setgid(0), and executes bash /tmp/fortinet.sh. 4. The script writes /tmp/fortinet.sh containing either a default payload that copies /bin/sh to /tmp/sh and sets mode 4755, or an operator-supplied command. 5. It edits a FortiClient VPN profile using piped input to forticlient-cli, inserting /tmp/evil.so into the vulnerable configuration path. 6. It attempts to identify or set GUI environment variables (DISPLAY and XAUTHORITY), then launches /opt/forticlient/fortitray and /opt/forticlient/gui/FortiClient to trigger the vulnerable code path. 7. In the default path, it waits briefly and then executes /tmp/sh -p to obtain a root shell. If no GUI session is active, it can optionally drop ~/.config/autostart/forticlient.desktop so the GUI launches automatically on next login and triggers the payload later. The exploit is clearly functional exploit code rather than a detector. It is operational because it includes a working payload and fallback binary blob, but it is not highly modular or framework-based. There are no external network callbacks or C2 endpoints; the only network-like observables are local VPN configuration values such as 127.0.0.1:10443 and port 443 used as profile data during setup. The main fingerprintable artifacts are the FortiClient installation paths, the dropped files in /tmp, and the optional autostart desktop entry.