Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-42475 - Heap-based Buffer Overflow in Fortinet SSL-VPN #10897

Open
1 task done
princechaddha opened this issue Oct 3, 2024 · 13 comments
Open
1 task done

CVE-2022-42475 - Heap-based Buffer Overflow in Fortinet SSL-VPN #10897

princechaddha opened this issue Oct 3, 2024 · 13 comments
Assignees

Comments

@princechaddha
Copy link
Member

Is there an existing template for this?

  • I have searched the existing templates.

Template requests

Title: CVE-2022-42475 - Heap-based Buffer Overflow in Fortinet SSL-VPN

Description:
A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN (versions 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier) and FortiProxy SSL-VPN (versions 7.2.0 through 7.2.1, 7.0.7 and earlier) may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Severity: Critical (CVSS 9.8)

POC:

References:

Fortinet Advisory

Shodan Query:

port:10443 http.favicon.hash:945408572
cpe:"cpe:2.3:o:fortinet:fortios"
http.html:"/remote/login" "xxxxxxxx"

CPE:

  • cpe:2.3:o:fortinet:fortios::::::::
  • cpe:2.3:a:fortinet:fortiproxy::::::::

Anything else?

No response

@princechaddha
Copy link
Member Author

/bounty 200$

Copy link

algora-pbc bot commented Oct 3, 2024

💎 $200 bounty • ProjectDiscovery Bounty Available for CVE Template Contribution

Steps to Contribute:

  • Claim attempt: Comment /attempt #10897 on this issue to claim attempt.
  • Write the Template: Create a high-quality Nuclei template for the specified CVE, following our Contribution Guidelines and Acceptance Criteria.
  • Submit the Template: Open a pull request (PR) to projectdiscovery/nuclei-templates and include /claim #10897 in the PR body to claim the bounty.
  • Receive Payment: Upon successful merge of your PR, you will receive 100% of the bounty through Algora.io within 2-5 days. Ensure you are eligible for payouts.

Thank you for contributing to projectdiscovery/nuclei-templates and helping us democratize security!

Acceptance Criteria: The template must include a complete POC and should not rely solely on version-based detection. Contributors are required to provide debug data(-debug) along with the template to help the triage team with validation. Rewards will only be given once the template is fully validated by the team. Templates that are incomplete or invalid will not be accepted. Avoid adding code templates for CVEs that can be achieved using HTTP, TCP, or JavaScript. Such templates are blocked by default and won’t produce results, so we prioritize creating templates with other protocols unless exceptions are made.
You can check the FAQ for the Nuclei Templates Community Rewards Program here.

Add a bountyShare on socials

Attempt Started (GMT+0) Solution
🔴 @rogueloop Oct 5, 2024, 6:38:37 AM WIP
🔴 @anuj846k Oct 5, 2024, 9:32:21 AM WIP
🔴 @charlesmigel Dec 12, 2024, 9:05:25 AM WIP

@rogueloop
Copy link

rogueloop commented Oct 5, 2024

/attempt #10897

Algora profile Completed bounties Tech Active attempts Options
@rogueloop 1 bounty from 1 project
Java, C,
JavaScript & more
Cancel attempt

@anuj846k
Copy link

anuj846k commented Oct 5, 2024

/attempt #10897

Copy link

algora-pbc bot commented Oct 5, 2024

Note

The user @rogueloop is already attempting to complete issue #10897 and claim the bounty. We recommend checking in on @rogueloop's progress, and potentially collaborating, before starting a new solution.

@sec13b
Copy link

sec13b commented Oct 9, 2024

http/exposed-panels/fortinet/fortios-panel.yaml

Copy link

algora-pbc bot commented Oct 9, 2024

@rogueloop: Reminder that in 4 days the bounty will become up for grabs, so please submit a pull request before then 🙏

@sec13b
Copy link

sec13b commented Oct 9, 2024

I think is impossible to make template for this cve , the base address of libc is hard coded.
rdi ,cmd,asdf these offsets are in libc and you dont know them , any device have another base address (i think),

all base address are copied from all cve exploit (POC) you find on github are copied from scrt .

POC

    https://github.com/0xhaggis/CVE-2022-42475
    https://github.com/CKevens/CVE-2022-42475-RCE-POC
    https://github.com/Amir-hy/cve-2022-42475
    https://github.com/Mustafa1986/cve-2022-42475-Fortinet
    https://github.com/natceil/cve-2022-42475
    https://github.com/scrt/cve-2022-42475   *

base address
#hardcoded value which would probably need to be bruteforced or leaked

rdi = p64(hardcoded + 0xc48)
cmd = p64(hardcoded + 0xd38)
asdf = hardcoded + 0xd38

scrt he did not offer any explanation at "Question about libc offset (0xc48 and 0xd38)" to the question asked by mekhalleh

Copy link

algora-pbc bot commented Oct 9, 2024

@anuj846k: Reminder that in 4 days the bounty will become up for grabs, so please submit a pull request before then 🙏

Copy link

algora-pbc bot commented Oct 13, 2024

The bounty is up for grabs! Everyone is welcome to /attempt #10897 🙌

@charlesmigel
Copy link

charlesmigel commented Dec 12, 2024

/attempt #10897

Copy link

algora-pbc bot commented Dec 16, 2024

@charlesmigel: Reminder that in 4 days the bounty will become up for grabs, so please submit a pull request before then 🙏

Copy link

algora-pbc bot commented Dec 20, 2024

The bounty is up for grabs! Everyone is welcome to /attempt #10897 🙌

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

7 participants
@princechaddha @ritikchaddha @rogueloop @sec13b @anuj846k @charlesmigel and others