CVE-2021-3378
Published 2021-02-01
Priority: P1 (81) · Severity: critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available (Exploit-DB, Metasploit and Nuclei entries below)
EPSS: 97.51% (99.9th percentile)
FortiLogger 4.4.2.2 is affected by an arbitrary file upload vulnerability: an unauthenticated attacker can upload a file whose multipart part carries a "Content-Type: image/png" header to Config/SaveUploadedHotspotLogoFile, and then execute it by requesting Assets/temp/hotspot/img/logohotspot.asp.
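The description above implies the handler trusted the Content-Type the client wrote into the multipart part and kept the client-chosen filename, so an .asp file labelled image/png landed under the web root. The following is an added example and not FortiLogger's code: it puts that weak acceptance check next to a hardened one (extension allowlist, PNG signature check, size bound, server-assigned filename). The function names, the size limit and the sample inputs are assumptions.

```python
"""Weak vs. hardened acceptance checks for a logo (image) upload handler.

Added example, not FortiLogger's code. Function names, MAX_LOGO_BYTES and the
sample parts below are assumptions for illustration.
"""
import os
import secrets

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ALLOWED_EXTENSIONS = {".png"}
MAX_LOGO_BYTES = 512 * 1024  # assumption: a hotspot logo never needs more


def weak_accepts(filename: str, part_content_type: str, data: bytes) -> bool:
    """Weak pattern: the only gate is the Content-Type the client wrote into the
    multipart part. An ASP file labelled image/png passes, and the caller keeps
    the client-chosen filename (and therefore its .asp extension) when saving."""
    return part_content_type.split(";")[0].strip().lower() == "image/png"


def hardened_accepts(filename: str, part_content_type: str, data: bytes) -> tuple[bool, str]:
    """Hardened check: ignore the declared type entirely, allowlist the extension,
    verify the file signature and bound the size. Returns (ok, reason)."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path component
    if base in ("", ".", ".."):
        return False, "empty or traversal filename"
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed"
    if len(data) > MAX_LOGO_BYTES:
        return False, "file too large"
    if not data.startswith(PNG_MAGIC):
        return False, "content does not start with the PNG signature"
    return True, "ok"


def server_side_name() -> str:
    """Never reuse the client filename: store under a server-chosen name with the
    allowlisted extension, in a directory served as static content only."""
    return f"hotspot_logo_{secrets.token_hex(8)}.png"


# Constructed sample parts (not captured traffic).
GENUINE_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 32
ASP_PAYLOAD = b'<%@ Language="VBScript" %><% Response.Write("constructed marker") %>'


def demo() -> dict[str, tuple[bool, bool]]:
    """Run both checks over the sample parts: (weak_result, hardened_result)."""
    cases = {
        "genuine": ("logo.png", "image/png", GENUINE_PNG),
        "asp_labelled_png": ("logohotspot.asp", "image/png", ASP_PAYLOAD),
        "png_ext_asp_body": ("logo.asp.png", "image/png", ASP_PAYLOAD),
        "asp_ext_png_body": ("logohotspot.asp", "image/png", GENUINE_PNG),
    }
    return {k: (weak_accepts(*v), hardened_accepts(*v)[0]) for k, v in cases.items()}


if __name__ == "__main__":
    for name, (weak, hard) in demo().items():
        print(f"{name:18} weak={weak!s:5} hardened={hard}")
    print("stored as", server_side_name())
```

The weak check accepts every case because the client controls the declared type; the hardened check accepts only the genuine PNG, rejecting the ASP payload by extension, by content when the extension is spoofed, and by content when a real PNG is renamed to .asp is not the case but a renamed extension is caught by the allowlist.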
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortilogger | fortilogger | < 5.2.0 | 5.2.0 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to /Config/SaveUploadedHotspotLogoFile with a multipart/form-data body whose file part declares "Content-Type: image/png"; this is the upload vector for the webshell. The part header sits inside the request body, so this needs body inspection (WAF, reverse proxy or packet capture); access logs only show the multipart POST itself.
- Detect a GET request to /Assets/temp/hotspot/img/logohotspot.asp (or the .txt variant) from the same client shortly after the upload POST; this is the webshell execution step.
- Flag POST requests to /shared/GetProductInfo with an empty body and an X-Requested-With: XMLHttpRequest header; the Metasploit module uses this request to fingerprint FortiLogger 4.4.2.2 instances before exploitation.
- Alert on FortiLogger HTTP responses whose JSON contains the key "Version" with the value "4.4.2.2"; this is the version check the exploit module uses to confirm a vulnerable target.
- Monitor for responses to /Assets/temp/hotspot/img/ paths that carry a header containing "ASP.NET": successful webshell execution returns HTTP 200 with ASP.NET headers. Treat this as corroboration alongside the path and the preceding upload, not as a stand-alone indicator.
- The exploit targets TCP port 5000 by default on Windows hosts running FortiLogger; scope network detection rules to this port, keeping in mind that it is the module's default RPORT and can be changed by the operator.
- The Metasploit module uses a randomized WebKit form boundary (----WebKitFormBoundary followed by random alphanumerics), so the exact boundary string varies per request and should not be used as a signature. The Nuclei template uses a static boundary for PoC purposes only.
- The Metasploit module's version check matches exactly "4.4.2.2", but the module's own description notes it has been tested on versions < 5.2.0; detection should not be scoped only to 4.4.2.2.
- The uploaded payload is converted to an ASP webshell via Msf::Util::EXE.to_exe_asp; the file lands with an .asp extension, which IIS/ASP.NET executes server-side.
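The indicators above describe a sequence (fingerprint, multipart upload, GET of the dropped .asp) rather than a single request, so they are best applied as a correlation over access logs. The block below is an added example, not the page's or any vendor's detection rule: it parses a constructed IIS W3C-style excerpt and emits alerts for the fingerprint POST, the multipart upload POST, and a GET of the webshell path, rated higher when the same client uploaded within a short window. The cs(Content-Type) column, the ten-minute window and the rule names are assumptions (IIS does not log the request Content-Type by default).

```python
"""Correlate the CVE-2021-3378 upload-then-execute pattern in IIS access logs.

Added example, not the page's or a vendor's detection rule. The cs(Content-Type)
column, CORRELATION_WINDOW and the rule names are assumptions.
"""
import re
from datetime import datetime, timedelta

UPLOAD_PATH = "/config/saveuploadedhotspotlogofile"
FINGERPRINT_PATH = "/shared/getproductinfo"
SHELL_PATH_RE = re.compile(r"^/assets/temp/hotspot/img/logohotspot\.(asp|txt)$")
CORRELATION_WINDOW = timedelta(minutes=10)  # assumption: upload and first GET are seconds apart

# Constructed log excerpt (not a real capture). The field order is declared by
# the #Fields: directive, as IIS does; IIS writes '+' for spaces inside a field.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem s-port sc-status cs(Content-Type)
2021-03-01 10:14:02 203.0.113.5 POST /shared/GetProductInfo 5000 200 -
2021-03-01 10:14:03 203.0.113.5 POST /Config/SaveUploadedHotspotLogoFile 5000 200 multipart/form-data;+boundary=----WebKitFormBoundaryaB3xQ9
2021-03-01 10:14:04 203.0.113.5 GET /Assets/temp/hotspot/img/logohotspot.asp 5000 200 -
2021-03-01 10:20:11 198.51.100.7 GET /Assets/temp/hotspot/img/logohotspot.png 5000 200 -
2021-03-01 11:02:45 192.0.2.9 GET /Assets/temp/hotspot/img/logohotspot.asp 5000 404 -
"""


def parse_w3c(text: str) -> list[dict]:
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields = None
    events = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip a malformed line rather than fail the whole batch
        ev = dict(zip(fields, parts))
        ev["ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return events


def detect(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (client_ip, rule, severity) alerts in time order.

    The 'Content-Type: image/png' part header lives inside the multipart body,
    which access logs never record, so a multipart POST to the upload endpoint
    is the signal here; body inspection belongs in a WAF or proxy.
    """
    alerts = []
    last_upload: dict[str, datetime] = {}  # client -> time of its latest upload POST
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["c-ip"]
        method = ev["cs-method"].upper()
        path = ev["cs-uri-stem"].lower()
        ctype = ev.get("cs(Content-Type)", "-").lower()
        if method == "POST" and path == FINGERPRINT_PATH:
            alerts.append((ip, "fortilogger_version_probe", "low"))
        elif method == "POST" and path == UPLOAD_PATH and ctype.startswith("multipart/form-data"):
            last_upload[ip] = ev["ts"]
            alerts.append((ip, "hotspot_logo_upload", "medium"))
        elif method == "GET" and SHELL_PATH_RE.match(path):
            prior = last_upload.get(ip)
            if prior is not None and ev["ts"] - prior <= CORRELATION_WINDOW:
                alerts.append((ip, "webshell_upload_then_execute", "high"))
            elif ev["sc-status"] == "200":
                # served without a seen upload: earlier drop, other client, or log gap
                alerts.append((ip, "webshell_path_served", "high"))
            else:
                alerts.append((ip, "webshell_path_probe", "medium"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_w3c(SAMPLE_LOG)):
        print(*alert)
```

The .png request from 198.51.100.7 produces nothing, the 404 from 192.0.2.9 is a probe, and only 203.0.113.5 completes the full chain. Matching on path and method rather than on the boundary string keeps the rule valid against the randomized boundary the Metasploit module generates.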
CVSS provenance
NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
Exploit-DB
FortiLogger 4.4.2.2 - Unauthenticated Arbitrary File Upload (Metasploit) (exploitdb, 2021-03-01)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'FortiLogger Arbitrary File Upload Exploit',
        'Description' => %q{
          This module exploits an unauthenticated arbitrary file upload
          via insecure POST request. It has been tested on version 4.4.2.2 in
          Windows 10 Enterprise.
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'Berkan Er' # Vulnerability discovery, PoC and Metasploit module
          ],
        'References' =>
          [
            ['CVE', '2021-3378'],
            ['URL', 'https://erberkan.github.io/2021/cve-2021-3378/']
          ],
        'Platform' => ['win'],
        'Privileged' => false,
        'Arch' => [ARCH_X86, ARCH_X64],
        'Targets' =>
          [
            [
              'FortiLogger - 4.4.2.2',
              {
                'Plat
Nuclei
CVE-2021-3378 [CRITICAL] FortiLogger 4.4.2.2 - Arbitrary File Upload (nuclei, CVSS 9.8)
FortiLogger 4.4.2.2 is affected by arbitrary file upload issues. Attackers can send a "Content-Type: image/png" header to Config/SaveUploadedHotspotLogoFile and then request Assets/temp/hotspot/img/logohotspot.asp.
Template:
id: CVE-2021-3378
info:
  name: FortiLogger 4.4.2.2 - Arbitrary File Upload
  author: dwisiswant0
  severity: critical
  description: |
    FortiLogger 4.4.2.2 is affected by arbitrary file upload issues. Attackers can send a "Content-Type: image/png" header to Config/SaveUploadedHotspotLogoFile and then Assets/temp/hotspot/img/logohotspot.asp.
  impact: |
    Successful exploitation of this vulnerability could result in unauthorized access, remote code execution, and potential compromise of the affected system.
  remediation: |
    Apply the latest sec
Metasploit
FortiLogger Arbitrary File Upload Exploit (metasploit)
This module exploits an unauthenticated arbitrary file upload via an insecure POST request. It has been tested on versions < 5.2.0 in Windows 10 Enterprise.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/161601/FortiLogger-4.4.2.2-Arbitrary-File-Upload.html
- http://packetstormsecurity.com/files/161974/FortiLogger-Arbitrary-File-Upload.html
- https://github.com/erberkan/fortilogger_arbitrary_fileupload