Fortinet FortiNAC - Remote Code Execution (CVE-2022-39952)

Fortinet FortiNAC server is vulnerable to CVE-2022-39952, a Remote Code Execution through an Arbitrary File Upload vulnerability, affecting the <code>/configWizard/keyUpload.jsp</code>. The root cause of this vulnerability consists in poor handling of user uploaded archives via the <b>KeyUpload.jsp</b> endpoint. The archives are automatically extracted as the <code>root</code> user in the <code>/</code> directory, allowing an attacker to upload any file anywhere in the filesystem via a maliciously crafted zip archive. Through this vulnerability, a threat actor can upload a payload file in the <code>/etc/cron.d/</code> directory and execute arbitrary commands via the <b>cron</b> service.

福坦特（Fortinet）FortiNAC服务器存在CVE-2022-39952漏洞，该漏洞通过任意文件上传实现远程代码执行，影响至<code>/configWizard/keyUpload.jsp</code>。此漏洞的根本原因在于对用户上传的存档处理不当，通过<b>KeyUpload.jsp</b>端点自动提取存档作为<code>root</code>用户在根目录<code>/</code>下执行，使得攻击者能够通过精心构造的恶意zip存档在任何文件系统位置上传任意文件。利用此漏洞，攻击者可在<code>/etc/cron.d/</code>目录中上传payload文件，并通过<b>cron</b>服务执行任意命令。