Exploit released for critical Fortinet RCE flaw, patch now

Security researchers have released a proof-of-concept exploit for a critical-severity vulnerability (CVE-2022-39952) in Fortinet's FortiNAC network access control suite.

Fortinet disclosed the security issue on February 16 and calculated a severity score of 9.8. The vendor warned that it could be leveraged by an unauthenticated attacker to write arbitrary files on the system and achieve remote code execution with the highest privileges.

Organizations using FortiNAC 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, and all versions on the 8.8, 8.7, 8.6, 8.5, and 8.3 branches were urged prioritize applying the available security updates.

Today, the researchers at Horizon3 cybersecurity company published a technical post detailing the vulnerability and how it can be exploited. Proof-of-concept (PoC) exploit code is also available from the company's repository on GitHub.

Attacking FortiNAC

The released PoC involves writing a cron job to /etc/cron.d/ that triggers every minute to initiate a root reverse shell to the attacker, giving them remote code execution capabilities.

The analysts discovered that the fix for CVE-2022-39952 removed 'keyUpload.jsp,' an endpoint that parses requests for a 'key' parameter, writes it on a config file, and then executes a bash script, 'configApplianceXml.'

Comparison between vulnerable and patched version
Comparison between vulnerable and patched versions (Horizon3)

The bash script executes the 'unzip' command on the newly written file, but just before that, the script calls "cd /."

The executed bash script
The executed bash script (Horizon3)

"Unzip will allow placing files in any paths as long as they do not traverse above the current working directory," Horizon3 explains.

"Because the working directory is /, the call unzip inside the bash script allows any arbitrary file to be written," the researchers added.

Hence, an attacker can create a ZIP archive that contains the payload, specifying where it must be extracted, and then send it to the vulnerable endpoint using the key parameter. Horizon3 says the reverse shell should be ready within a minute.

The 'key' parameter ensures that the malicious request will reach 'keyUpload.jsp,' which is the unauthenticated endpoint that Fortinet removed in the fixed versions of FortiNAC.

Horizon's proof of concept exploit
Executing the PoC exploit (Horizon3)

The code from Horizon3 automates this process and could be picked up and modified by threat actors into a weaponized exploit. It can also help defenders build appropriate protection against exploitation attempts on corporate networks.  

FortiNAC administrators are strongly recommended to immediately upgrade to a version of the product that is not affected by the CVE-2022-39952 vulnerability., specifically FortiNAC 9.4.1 or later, 9.2.6 or above, 9.1.8 or newer, and 7.2.0 or later.

Related Articles:

Exploit released for Fortinet RCE bug used in attacks, patch now

ScreenConnect critical bug now under attack as exploit code emerges

Fortinet warns of new FortiSIEM RCE bugs in confusing disclosure

Fortinet warns of critical RCE bug in endpoint management software

Hackers exploit critical RCE flaw in Bricks WordPress site builder