*CVE-2022-35844* is a vulnerability in Fortinet FortiTester that allows attackers to run unauthorized commands on the operating system (OS) through its management interface, exploiting improper command sanitization. This post will break down how the bug works, what an exploit might look like, and how you can defend your system.

- Impact: Authenticated attackers can execute arbitrary commands as the web interface user
- CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- Mitigation: Update to a patched version, restrict web interface access, monitor for suspicious command execution

What’s CVE-2022-35844?

At its core, CVE-2022-35844 is a command injection vulnerability. The problem lies in the certificate import process, where user input isn’t properly sanitized. An attacker logged into the management web interface can provide specially crafted certificate data or arguments that inject OS commands, which the system then executes.

In simpler terms: Anyone with a FortiTester login could potentially run any command they want on your device, using the web panel’s certificate import page.

Where’s the Problem?

The weakness is in how FortiTester shells out to the operating system when importing certificates. It expects regular file names and certificate data, but doesn’t scrub shell metacharacters such as ;, &, |, or backticks, any of which lets a user terminate the intended command and append extra commands of their own.

Affected Versions

FortiTester 7.. – 7.1.

Note: If you’re on one of these versions, *update immediately*.

1. An authenticated attacker logs into the FortiTester web panel.
2. They go to the certificate import functionality (used to upload and install SSL/TLS certs).
3. Instead of a normal certificate, the attacker uploads content or names the file in a way that includes a command separator followed by an actual system command.

If the backend uses something like

os.system('openssl x509 -in ' + uploaded_file)

and the attacker uploads a file named

cert.pem; id > /tmp/pwned.txt; #

the resulting command will be

openssl x509 -in cert.pem; id > /tmp/pwned.txt; #

The system then runs openssl x509 -in cert.pem, then id (which prints the current user) with its output redirected to /tmp/pwned.txt; the trailing # turns whatever follows into a shell comment, so any arguments the backend appends are ignored.
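The fix is not to escape the name but to stop handing user data to a shell at all. The following Python was written for this post and is not FortiTester’s code; the helper names, the allow-list pattern and the /var/uploads directory are assumptions. It puts the vulnerable concatenation beside a hardened importer that validates the file name against an allow-list and passes it to openssl as a single argv element with no shell involved, and it shows shlex.quote() for the case where a shell command string cannot be avoided.

```python
import re
import shlex
import subprocess
from pathlib import PurePosixPath

# Illustrative code written for this post, not FortiTester's implementation.
# Helper names, the allow-list and the upload directory are assumptions.

# Allow-list for uploaded certificate file names: a leading alphanumeric, then
# letters, digits, dot, underscore or dash. Shell metacharacters (; & | ` $ > <),
# whitespace and path separators are rejected by construction.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def vulnerable_command(uploaded_file: str) -> str:
    """The string the vulnerable pattern (os.system + string concatenation) would
    hand to the shell. Returned, never executed, so it can be inspected safely."""
    return "openssl x509 -in " + uploaded_file


def is_safe_filename(name: str) -> bool:
    """Allow-list validation of the upload name; '.' and '..' are excluded too."""
    return bool(SAFE_NAME.match(name)) and name not in (".", "..")


def build_import_argv(upload_dir: str, name: str) -> list[str]:
    """Build the openssl argv with the upload path as exactly one argument.
    The list form of subprocess never invokes a shell, so separators inside the
    name could not be interpreted even if the validation were bypassed."""
    if not is_safe_filename(name):
        raise ValueError(f"rejected certificate file name: {name!r}")
    path = PurePosixPath(upload_dir) / name
    return ["openssl", "x509", "-in", str(path), "-noout", "-subject"]


def import_certificate(upload_dir: str, name: str) -> str:
    """Hardened import: validated name, argv list, shell=False (the default)."""
    argv = build_import_argv(upload_dir, name)
    completed = subprocess.run(argv, capture_output=True, text=True, check=True)
    return completed.stdout


def shell_quoted_fallback(name: str) -> str:
    """If a shell string is unavoidable, shlex.quote() wraps the whole name in
    single quotes so the shell treats it as one literal word."""
    return "openssl x509 -in " + shlex.quote(name)


if __name__ == "__main__":
    hostile = "cert.pem; id > /tmp/pwned.txt; #"  # the file name from the text above
    print("vulnerable :", vulnerable_command(hostile))
    print("validated  :", is_safe_filename(hostile))
    print("quoted     :", shell_quoted_fallback(hostile))
    print("argv       :", build_import_argv("/var/uploads", "cert.pem"))
```

Validation and the argv list are independent layers: the allow-list rejects the hostile name outright, and even a name that slipped through would reach openssl as a literal path rather than a shell command.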

Example Exploit – Proof of Concept

For educational purposes only. Do not use this on networks you don’t own or have permission to test.

> This is a conceptual example, actual implementations may differ depending on the backend.

Step 3: Choose a file and rename it to

dummy.pem; cat /etc/passwd > /tmp/passed.txt; #

or, in the certificate field, try something like

-----BEGIN CERTIFICATE-----
dummy
-----END CERTIFICATE-----
; uname -a > /tmp/owned.txt; #

Step 4: Trigger the import. If the backend fails to neutralize input, the command will be executed, and you’ll find /tmp/owned.txt with the system info.

References

- Fortinet FG-IR-22-272 Advisory
- NVD CVE Entry
- Mitre CVE
- Common Weakness Enumeration - CWE-78

Patch Immediately!

Upgrade to the latest fixed FortiTester release.

Monitor Logs:

Look for suspicious entries in the web interface and system logs, in particular unexpected processes spawned around certificate imports, and for unexplained files in /tmp or user home directories.
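As an added example of what that monitoring can look like (written for this post, not FortiTester’s own tooling), the Python below runs two checks over a constructed process-execution log: it flags child processes of the web server whose command line contains shell metacharacters or whose binary is not one the import feature is expected to run, and it lists recently modified files in a directory such as /tmp. The log format, the parent process name httpd, the user www and the set of expected binaries are all assumptions; adapt LINE_RE to whatever your audit source (auditd execve records, EDR telemetry) actually emits.

```python
import os
import re
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample log for this post. The layout "<ts> parent=<proc> user=<u> cmd=<argv>"
# is an assumption, not FortiTester's real log format.
SAMPLE_LOG = """\
2022-10-18T14:01:02Z parent=httpd user=www cmd=openssl x509 -in /var/uploads/cert.pem -noout -subject
2022-10-18T14:03:15Z parent=httpd user=www cmd=openssl x509 -in cert.pem; id > /tmp/pwned.txt; #
2022-10-18T14:03:15Z parent=httpd user=www cmd=id
2022-10-18T14:05:40Z parent=cron user=root cmd=/usr/bin/logrotate /etc/logrotate.conf
2022-10-18T14:07:09Z parent=httpd user=www cmd=sh -c uname -a > /tmp/owned.txt
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) parent=(?P<parent>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")
# Shell separators, substitutions and redirections that have no business in a
# certificate-import command line.
META = re.compile(r"[;&|`$<>]")
WEB_PARENTS = {"httpd"}          # assumed name of the management web server process
EXPECTED_FROM_WEB = {"openssl"}  # binaries the import feature legitimately spawns (assumption)


@dataclass
class Finding:
    ts: str
    reason: str
    cmd: str


def analyse(log_text: str) -> list[Finding]:
    """Flag web-server children that carry shell metacharacters or run an unexpected binary."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["parent"] not in WEB_PARENTS:
            continue
        cmd = m["cmd"]
        words = cmd.split()
        binary = os.path.basename(words[0]) if words else ""
        if META.search(cmd):
            findings.append(Finding(m["ts"], "shell metacharacters in command spawned by web server", cmd))
        elif binary not in EXPECTED_FROM_WEB:
            findings.append(Finding(m["ts"], f"unexpected binary {binary!r} spawned by web server", cmd))
    return findings


def recent_files(directory: str, max_age_seconds: int, now: Optional[float] = None) -> list[str]:
    """Names of regular files in `directory` modified within the last max_age_seconds;
    a starting point for the 'unexplained files in /tmp' check."""
    now = time.time() if now is None else now
    hits = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if entry.is_file(follow_symlinks=False) and now - entry.stat().st_mtime <= max_age_seconds:
                hits.append(entry.name)
    return sorted(hits)


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f.ts, "-", f.reason, "::", f.cmd)
    print("recent files in /tmp:", recent_files("/tmp", 3600))
```

On the sample log the legitimate openssl call passes, the injected command line and the `sh -c` redirection are caught by the metacharacter check, and the bare `id` process is caught because the web server should never spawn it directly.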

Conclusion

CVE-2022-35844 is a textbook example of why user input sanitization is vital, even in seemingly low-risk features like certificate importers. If you’re running a vulnerable FortiTester, patch now, review access logs, and audit your deployments.

Stay safe out there!

*This post is original content for educational purposes and intended for security professionals, blue teamers, and system administrators.*

Timeline

Published on: 10/18/2022 14:15:00 UTC
Last modified on: 10/20/2022 18:50:00 UTC