module
Fortinet FortiNAC keyUpload.jsp arbitrary file write
| Disclosed |
|---|
| Feb 16, 2023 |
Disclosed
Feb 16, 2023
Description
This module uploads a payload to the /tmp directory in addition to a cron job
to /etc/cron.d which executes the payload in the context of the root user.
The core vulnerability is an arbitrary file write issue in /configWizard/keyUpload.jsp which
is accessible remotely and without authentication. When you send the vulnerable
endpoint a ZIP file, it will extract an attacker controlled file to a directory
of the attackers choice on the target system.
This issue is exploitable on the following versions of FortiNAC:
FortiNAC version 9.4 prior to 9.4.1
FortiNAC version 9.2 prior to 9.2.6
FortiNAC version 9.1 prior to 9.1.8
FortiNAC 8.8 all versions
FortiNAC 8.7 all versions
FortiNAC 8.6 all versions
FortiNAC 8.5 all versions
FortiNAC 8.3 all versions
to /etc/cron.d which executes the payload in the context of the root user.
The core vulnerability is an arbitrary file write issue in /configWizard/keyUpload.jsp which
is accessible remotely and without authentication. When you send the vulnerable
endpoint a ZIP file, it will extract an attacker controlled file to a directory
of the attackers choice on the target system.
This issue is exploitable on the following versions of FortiNAC:
FortiNAC version 9.4 prior to 9.4.1
FortiNAC version 9.2 prior to 9.2.6
FortiNAC version 9.1 prior to 9.1.8
FortiNAC 8.8 all versions
FortiNAC 8.7 all versions
FortiNAC 8.6 all versions
FortiNAC 8.5 all versions
FortiNAC 8.3 all versions
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.