Researchers have recently released a proof-of-concept exploit for the remote code execution (RCE) vulnerability CVE-2022-39952 in Fortinet’s FortiNAC network access control suite.
On February 16, Fortinet disclosed the vulnerability and assigned it a severity score of 9.8. The vendor cautioned that an unauthenticated attacker could exploit it to write arbitrary files on the system and gain remote code execution with the highest privileges.
Organizations running FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, and any version on the 8.8, 8.7, 8.6, 8.5, and 8.3 branches were advised to prioritize installing the available security updates.
Today, experts at the cybersecurity firm Horizon3 published a technical post explaining the vulnerability and how it can be exploited. The firm has also made proof-of-concept (PoC) exploit code available in its GitHub repository.
The FortiNAC Exploit Explained
The released PoC writes a cron job to /etc/cron.d/ that fires every minute and launches a root reverse shell, giving the attacker remote code execution. The analysts found that the fix for CVE-2022-39952 removed ‘keyUpload.jsp’, an endpoint that parses requests for a ‘key’ parameter, writes its contents to a configuration file, and then executes a bash script, ‘configApplianceXml’.

The bash script then runs the ‘unzip’ command on the newly written file, after first executing ‘cd /’. unzip writes entries to whatever paths the archive specifies, provided they do not traverse above the current working directory, which in this case is the filesystem root.

Consequently, an attacker can build a ZIP archive that carries the payload, use the entry paths to specify where each file should be extracted, and send it to the target endpoint in the ‘key’ parameter. That parameter is what routes the malicious request to ‘keyUpload.jsp’, the unauthenticated endpoint that Fortinet removed in the patched versions of FortiNAC.
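The root of the bug described above is that an archive extracted from ‘/’ can name any path on the filesystem. The following Python example, added here and not taken from Horizon3’s PoC or from Fortinet, shows the check a defender would want when reviewing an uploaded archive: it resolves where each entry would land for a given extraction directory and flags entries that escape that directory or target sensitive locations such as /etc/cron.d/. The archive, the entry names and the SENSITIVE_PREFIXES list are all constructed for the example; the cron.d entry contains only a placeholder comment.

```python
"""Added example (not Horizon3's PoC or Fortinet code): inspect a ZIP archive
for entries that would land outside an intended extraction directory or on a
sensitive system path. The archive is constructed inline with placeholder
content; it is not a real payload.
"""
import io
import posixpath
import zipfile

# Paths (relative to the filesystem root) that an uploaded configuration
# archive should never be able to write to. Assumed list for this example.
SENSITIVE_PREFIXES = ("etc/cron.", "root/.ssh/", "etc/ld.so.preload")


def resolved_target(entry_name: str, extract_root: str) -> str:
    """Absolute path an entry would be written to when extracted under
    extract_root. A leading '/' is dropped and '..' components are collapsed,
    which models the worst case (an extractor that honours them)."""
    name = entry_name.lstrip("/")
    return posixpath.normpath(posixpath.join(extract_root, name))


def audit_archive(data: bytes, extract_root: str = "/") -> list[dict]:
    """One finding per entry: resolved target, whether it escapes extract_root,
    and whether it lands on a sensitive path."""
    root = posixpath.normpath(extract_root)
    inside_prefix = root.rstrip("/") + "/"
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = resolved_target(info.filename, root)
            # When root is '/', every path is "inside", which is exactly why
            # running unzip after 'cd /' is dangerous.
            escapes = not (target == root or target.startswith(inside_prefix))
            rel = target.lstrip("/")
            sensitive = any(rel.startswith(p) for p in SENSITIVE_PREFIXES)
            findings.append({
                "entry": info.filename,
                "target": target,
                "escapes_root": escapes,
                "sensitive": sensitive,
            })
    return findings


def archive_is_safe(data: bytes, extract_root: str) -> bool:
    """True only if no entry escapes extract_root or touches a sensitive path."""
    return not any(f["escapes_root"] or f["sensitive"]
                   for f in audit_archive(data, extract_root))


def build_sample_archive() -> bytes:
    """Constructed sample archive: a benign config entry, an entry aimed at
    /etc/cron.d/ (placeholder content only), and a '..' traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/appliance.xml", "<config/>")  # constructed path
        zf.writestr("etc/cron.d/example", "# placeholder, not a cron line\n")
        zf.writestr("../../tmp/outside.txt", "traversal test\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for root in ("/", "/opt/upload"):
        print(f"extracting under {root}: safe={archive_is_safe(sample, root)}")
        for f in audit_archive(sample, root):
            print("  ", f)
```

Run against ‘/’, the audit reports nothing as escaping (there is nowhere above the root to escape to) but flags the cron.d entry as sensitive; run against a contained directory such as /opt/upload, the cron.d entry becomes harmless and the ‘..’ entry is the one that is rejected. Extracting into a dedicated, non-privileged directory and validating entry paths before extraction is the mitigation this demonstrates.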

The code provided by Horizon3 simplifies this process and could be adapted by malicious actors to develop weaponized exploits. Conversely, it can also help defenders build appropriate protection against attempts to exploit corporate networks.
In light of this, FortiNAC administrators are strongly advised to upgrade immediately to a non-affected version of the product, specifically FortiNAC 9.4.1 or later, 9.2.6 or later, 9.1.8 or later, or 7.2.0 or later.
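To turn the version ranges above into an inventory check, here is an added Python example (not a Fortinet tool) that classifies a FortiNAC version string as affected, fixed, or unknown using only the ranges stated in this article. Versions the article does not mention (for example a 9.3.x release, or a branch such as 8.4) are deliberately reported as unknown rather than safe.

```python
"""Added example (not Fortinet's tooling): classify FortiNAC version strings
against the affected and fixed ranges given in the advisory summary above.

Affected: 9.4.0; 9.2.0-9.2.5; 9.1.0-9.1.7; every release on 8.8, 8.7, 8.6,
8.5 and 8.3. Fixed: 9.4.1+, 9.2.6+, 9.1.8+, 7.2.0+. Anything else is
'unknown', because the article says nothing about it.
"""
from typing import Dict, Tuple

Version = Tuple[int, int, int]

AFFECTED_RANGES = [  # inclusive (first, last) from the article
    ((9, 4, 0), (9, 4, 0)),
    ((9, 2, 0), (9, 2, 5)),
    ((9, 1, 0), (9, 1, 7)),
]
AFFECTED_BRANCHES = [(8, 8), (8, 7), (8, 6), (8, 5), (8, 3)]  # whole branch
FIXED_MINIMUMS = [(9, 4, 1), (9, 2, 6), (9, 1, 8), (7, 2, 0)]  # "or later"


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' into an integer tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a major.minor.patch version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def classify(text: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for one version string."""
    v = parse_version(text)
    if v[:2] in AFFECTED_BRANCHES:
        return "affected"
    if any(lo <= v <= hi for lo, hi in AFFECTED_RANGES):
        return "affected"
    # "X.Y.Z or later" is read within the same X.Y branch; a later branch the
    # article does not name stays 'unknown' rather than being assumed fixed.
    if any(v[:2] == fixed[:2] and v >= fixed for fixed in FIXED_MINIMUMS):
        return "fixed"
    return "unknown"


def triage(inventory: Dict[str, str]) -> Dict[str, list]:
    """Group hostnames by classification; unparseable versions go to 'invalid'."""
    groups: Dict[str, list] = {"affected": [], "fixed": [], "unknown": [], "invalid": []}
    for host, version in sorted(inventory.items()):
        try:
            groups[classify(version)].append(host)
        except ValueError:
            groups["invalid"].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "nac-01": "9.4.0", "nac-02": "9.4.1", "nac-03": "8.8.12",
        "nac-04": "9.3.2", "nac-05": "7.2.0", "nac-06": "9.2.x",
    }
    for group, hosts in triage(sample).items():
        print(f"{group:9s} {hosts}")
```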