Security researchers have released a proof-of-concept exploit for a critical-severity vulnerability (CVE-2022-39952) in Fortinet’s FortiNAC network access control suite.
Fortinet disclosed the security issue on February 16 and calculated a severity score of 9.8. The vendor warned that it could be leveraged by an unauthenticated attacker to write arbitrary files on the system and achieve remote code execution with the highest privileges.
Organizations using FortiNAC 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, and all versions on the 8.8, 8.7, 8.6, 8.5, and 8.3 branches were urged prioritize applying the available security updates.
Today, the researchers at Horizon3 cybersecurity company published a technical post detailing the vulnerability and how it can be exploited. Proof-of-concept (PoC) exploit code is also available from the company’s repository on GitHub.
Attacking FortiNAC
The released PoC involves writing a cron job to /etc/cron.d/ that triggers every minute to initiate a root reverse shell to the attacker, giving them remote code execution capabilities.
The analysts discovered that the fix for CVE-2022-39952 removed ‘keyUpload.jsp,’ an endpoint that parses requests for a ‘key’ parameter, writes it on a config file, and then executes a bash script, ‘configApplianceXml.’
The bash script executes the ‘unzip’ command on the newly written file, but just before that, the script calls “cd /.”
“Unzip will allow placing files in any paths as long as they do not traverse above the current working directory,” Horizon3 explains.
“Because the working directory is /, the call unzip inside the bash script allows any arbitrary file to be written,” the researchers added.
Hence, an attacker can create a ZIP archive that contains the payload, specifying where it must be extracted, and then send it to the vulnerable endpoint using the key parameter. Horizon3 says the reverse shell should be ready within a minute.
The ‘key’ parameter ensures that the malicious request will reach ‘keyUpload.jsp,’ which is the unauthenticated endpoint that Fortinet removed in the fixed versions of FortiNAC.
The code from Horizon3 automates this process and could be picked up and modified by threat actors into a weaponized exploit. It can also help defenders build appropriate protection against exploitation attempts on corporate networks.
FortiNAC administrators are strongly recommended to immediately upgrade to a version of the product that is not affected by the CVE-2022-39952 vulnerability., specifically FortiNAC 9.4.1 or later, 9.2.6 or above, 9.1.8 or newer, and 7.2.0 or later.
