exploit the possibilities

Register | Login

FilesNewsUsersAuthors

Home Files News &[SERVICES_TAB]About Contact Add New

Showing 1 - 2 of 2

Files from Zach Hanley

Fortinet FortiNAC keyUpload.jsp Arbitrary File Write

Posted Mar 15, 2023

Authored by jheysel-r7, Zach Hanley, Gwendal Guegniaud | Site metasploit.com

This Metasploit module uploads a payload to the /tmp directory in addition to a cron job to /etc/cron.d which executes the payload in the context of the root user. The core vulnerability is an arbitrary file write issue in /configWizard/keyUpload.jsp which is accessible remotely and without authentication. When you send the vulnerable endpoint a ZIP file, it will extract an attacker controlled file to a directory of the attackers choice on the target system. This issue is exploitable on FortiNAC versions 9.4 prior to 9.4.1, FortiNAC versions 9.2 prior to 9.2.6, FortiNAC versions 9.1 prior to 9.1.8, all versions of FortiNAC 8.8, all versions of FortiNAC 8.7, all versions of FortiNAC 8.6, all versions of FortiNAC 8.5, and all versions of FortiNAC 8.3.

tags | exploit, arbitrary, root

advisories | CVE-2022-39952

SHA-256 | b72056fdc9840a37268bab3325c1941ddb0082c5918cf14fec39001b268b461d

Download | Favorite | View

Fortinet FortiOS / FortiProxy / FortiSwitchManager Authentication Bypass

Posted Oct 19, 2022

Authored by Heyder Andrade, Zach Hanley | Site metasploit.com

This Metasploit module exploits an authentication bypass vulnerability in the Fortinet FortiOS, FortiProxy, and FortiSwitchManager API to gain access to a chosen account and then adds an SSH key to the authorized_keys file of the chosen account, allowing you to login to the system with the chosen account. Successful exploitation results in remote code execution.

tags | exploit, remote, code execution, bypass

advisories | CVE-2022-40684

SHA-256 | 818eeb4d404c8cde2ab69451948a6037ca08bef60e2be65eb6fe9ed9d7ef0e7d

Download | Favorite | View