Cybersecurity researchers have released a proof-of-concept (PoC) exploit for the critical vulnerability CVE-2022-39952 (CVSS 9.8) in Fortinet's FortiNAC network access control product.
Fortinet disclosed the issue on February 16 and warned that an unauthenticated attacker can use the vulnerability to write arbitrary files on the system and achieve remote code execution with the highest privileges.
Organizations running FortiNAC 7.2.0, 9.1.0 or higher, 9.2.0 through 9.2.6, 9.4.0, 9.4.1 or higher, and all 8.3, 8.5, 8.6, 8.7 and 8.8 releases are strongly urged to apply the available security updates immediately.
Today, researchers at the security company Horizon3 described the vulnerability and how it can be exploited in detail. The PoC exploit code is also available in the company's GitHub repository.
The released PoC writes a cron job to /etc/cron.d/ that runs every minute and launches a reverse root shell back to the attacker, giving them the ability to execute code remotely.
Analysts found that the fix for CVE-2022-39952 removed keyUpload.jsp, an endpoint that parsed requests for the "key" parameter, wrote its contents to a configuration file and then ran the Bash script configApplianceXml.
That Bash script unzipped the file that had just been written, which allows arbitrary files to be placed at any path as long as it does not traverse above the current working directory.
An attacker can therefore create a ZIP archive containing a payload, specify where it should be extracted and send the file to a vulnerable device. According to Horizon3, the reverse shell is ready within one minute.
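As an added, defensive example (not the article's or Horizon3's code), this is the entry-path check an unpack step like the one described above needs: every archive member is normalised and rejected if its name is absolute, contains a `..` component, or resolves outside the destination directory. The sample archive, its entry names and the destination path are constructed for the demonstration.

```python
import io
import os
import posixpath
import zipfile


def classify_entries(zf, dest):
    """Split archive members into (accepted, rejected) for extraction under dest.

    Rejected: names that are absolute, contain a '..' component, or would
    resolve outside dest after normalisation. This is the validation the
    unpack step described in the article did not perform.
    """
    dest_real = os.path.realpath(dest)
    accepted, rejected = [], []
    for info in zf.infolist():
        name = info.filename.replace("\\", "/")       # tolerate Windows separators
        parts = posixpath.normpath(name).split("/")
        if parts[0] == "" or ".." in parts:           # absolute or traversing name
            rejected.append(info.filename)
            continue
        target = os.path.realpath(os.path.join(dest_real, *parts))
        if os.path.commonpath([dest_real, target]) != dest_real:
            rejected.append(info.filename)            # escapes via symlink or similar
            continue
        accepted.append(info.filename)
    return accepted, rejected


def safe_extract(zf, dest):
    """Extract only if every member stays inside dest; refuse the whole archive otherwise."""
    accepted, rejected = classify_entries(zf, dest)
    if rejected:
        raise ValueError(f"archive contains entries escaping {dest}: {rejected}")
    zf.extractall(dest, members=accepted)
    return accepted


def build_sample_archive():
    """Constructed in-memory archive for the demo: one benign and two escaping entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/appliance.xml", "<config/>")
        zf.writestr("../../outside/escaped.txt", "constructed traversal entry")
        zf.writestr("/absolute/escaped.txt", "constructed absolute entry")
    buf.seek(0)
    return zipfile.ZipFile(buf)


if __name__ == "__main__":
    ok, bad = classify_entries(build_sample_archive(), "/tmp/nac-extract")
    print("accepted:", ok)
    print("rejected:", bad)
```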
Horizon3's code automates this process, and an attacker could modify it into a working exploit. It can equally help security specialists build defenses against attempts to exploit the flaw in corporate networks.