UPDATE--Fortinet has released a fix for a critical vulnerability in many versions of its FortiNAC product that can allow an attacker to execute arbitrary code with root privileges.
The flaw (CVE-2022-39952) lies specifically in the web server in the FortiNAC system, and a remote attacker could exploit it to control the file name and path of files written on the server. Researchers at Horizon3 have released a proof-of-concept exploit for the bug, which specifically affects the keyUpload servlet.
Researchers at Shadowserver have seen exploit attempts against this vulnerability in the last couple of days.
“Examining the contents of keyUpload.jsp, we see that the unauthenticated endpoint will parse requests that supply a file in the key parameter, and if found, write it to /bsc/campusMgr/config.applianceKey. After successfully writing the file, a call to Runtime().Exec() executes a bash script located at /bsc/campusMgr/bin/configApplianceXml,” Zach Hanley of Horizon3 said in an analysis of the flaw.
“Just before the call to unzip, the bash script calls cd /. Unzip will allow placing files in any paths as long as they do not traverse above the current working directory. Because the working directory is /, the call to unzip inside the bash script allows any arbitrary file to be written.”
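The quoted analysis turns on one detail: unzip's built-in guard only stops entries from escaping the current working directory, so with the working directory set to / every entry is "inside" and nothing is blocked. The following Python is an added example, not code from Horizon3 or Fortinet, that makes that point concrete from a defender's side. It builds a small constructed zip in memory, resolves where each entry would land for a given extraction root, flags entries that escape that root (the classic zip-slip check), and shows a stricter allowlist check that rejects anything other than the expected file name regardless of the working directory. The entry names, the extraction directory /bsc/campusMgr/extract and the allowed file name config.xml are assumptions chosen for illustration.

```python
import io
import posixpath
import zipfile


def build_sample_zip(entries):
    """Build an in-memory zip from {entry_name: bytes}. Constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archive: one expected config file, one entry aimed at a
# system directory, and one classic "../" traversal entry.
SAMPLE_ZIP = build_sample_zip({
    "config.xml": b"<config/>",
    "etc/cron.d/example": b"# constructed placeholder, not a real job\n",
    "../escape.txt": b"constructed\n",
})


def resolved_targets(zip_bytes, extract_root):
    """Map each entry name to the absolute path unzip would write it to
    when run with extract_root as the current working directory.
    extract_root must be an absolute POSIX path."""
    root = posixpath.normpath(extract_root)
    targets = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # unzip drops a leading "/" and treats the name as relative to cwd
            rel = posixpath.normpath(info.filename.lstrip("/"))
            targets[info.filename] = posixpath.normpath(posixpath.join(root, rel))
    return targets


def escaped_entries(zip_bytes, extract_root):
    """Entries whose resolved path lies outside extract_root.
    This mirrors unzip's own traversal guard: with extract_root == "/",
    nothing can ever escape, so the guard provides no protection at all."""
    root = posixpath.normpath(extract_root)
    return [
        name
        for name, path in resolved_targets(zip_bytes, extract_root).items()
        if posixpath.commonpath([root, path]) != root
    ]


def disallowed_entries(zip_bytes, allowed_names):
    """Allowlist check: reject every entry that is not an expected file name.
    Unlike the traversal guard, this does not depend on the working directory."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if i.filename not in allowed_names]


if __name__ == "__main__":
    for root in ("/", "/bsc/campusMgr/extract"):  # second path is an assumption
        print(f"cwd={root}")
        for name, path in resolved_targets(SAMPLE_ZIP, root).items():
            print(f"  {name!r:24} -> {path}")
        print("  escaped:", escaped_entries(SAMPLE_ZIP, root))
    print("not in allowlist:", disallowed_entries(SAMPLE_ZIP, {"config.xml"}))
```

Run with cwd "/", the traversal check reports nothing, yet the cron.d entry resolves to /etc/cron.d/example; run from a dedicated extraction directory, the same check catches the "../" entry but still lets the cron.d entry land under that directory. Only the allowlist rejects both, which is why validating archive contents against the expected file name, rather than relying on the working directory, is the durable fix for this class of bug.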
The bug affects the following versions of the FortiNAC appliance software: 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8, 8.7, 8.6, 8.5, and 8.3.
“Similar to the weaponization of previous archive vulnerability issues that allow arbitrary file write, we use this vulnerability to write a cron job to /etc/cron.d/payload. This cron job gets triggered every minute and initiates a reverse shell to the attacker,” Hanley said.
“We first create a zip that contains a file and specify the path we want it extracted. Then, we send the malicious zip file to the vulnerable endpoint in the key field. Within a minute, we get a reverse shell as the root user.”
The fixed versions of FortiNAC are 9.4.1, 9.2.6, 9.1.8, and 7.2.0.
This story was updated on Feb. 23 to add information about exploit attempts.