[Fortinet] Management Panel Authentication Bypass
Original Post:
We discussed this vulnerability during Episode 159 on 17 October 2022.
Authentication to the Fortinet management panel for various applications could be bypassed by meeting two conditions: the resolved client-ip is 127.0.0.1 and the user-agent is Report Runner. The first could be met by providing a crafted Forwarded header; the second is always under the attacker's control anyway. With that, they could access administrative functionality, though they could not change the admin user's password. Instead, they were able to add an extra SSH key to the admin user and use the command line interface.
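A detection sketch for the two conditions described above, as an added example that is not part of the original post or any Fortinet code. It flags requests whose TCP peer is remote while the client-supplied Forwarded header names a loopback address or the User-Agent is Report Runner. The record fields `peer_ip` and `headers` are assumptions about how a proxy or log pipeline exposes requests, and the sample records are constructed.

```python
import ipaddress
import re

# for= parameter of an RFC 7239 Forwarded header: bare, quoted, or bracketed.
_FOR_RE = re.compile(r'\bfor\s*=\s*"?\[?([^\]",;\s]+)', re.IGNORECASE)

def forwarded_for(value):
    """Return every node identifier named in a Forwarded header's for= parameters."""
    return _FOR_RE.findall(value or "")

def is_loopback(node):
    if node.count(":") == 1:            # IPv4 with a port, e.g. 192.0.2.1:8080
        node = node.split(":")[0]
    try:
        return ipaddress.ip_address(node).is_loopback
    except ValueError:                  # "unknown" or obfuscated identifiers
        return False

def findings(req):
    """Flag the two client-supplied conditions when the TCP peer is not local."""
    headers = {k.lower(): v for k, v in req["headers"].items()}
    if ipaddress.ip_address(req["peer_ip"]).is_loopback:
        return []                       # a genuinely local caller is out of scope
    out = []
    if any(is_loopback(n) for n in forwarded_for(headers.get("forwarded"))):
        out.append("forwarded-claims-loopback")
    if headers.get("user-agent", "").strip() == "Report Runner":
        out.append("report-runner-agent")
    return out

# Constructed sample records (documentation address ranges), not real traffic.
SAMPLE = [
    {"peer_ip": "203.0.113.7",
     "headers": {"Forwarded": "for=127.0.0.1", "User-Agent": "Report Runner"}},
    {"peer_ip": "198.51.100.20",
     "headers": {"Forwarded": "for=192.0.2.43;proto=https", "User-Agent": "Mozilla/5.0"}},
    {"peer_ip": "127.0.0.1", "headers": {"User-Agent": "Report Runner"}},
    {"peer_ip": "203.0.113.9",
     "headers": {"forwarded": 'for=unknown, for="[::1]:4711"', "user-agent": "curl/8.0"}},
]

def scan(requests):
    """Map record index -> findings for every record that raised at least one."""
    return {i: f for i, r in enumerate(requests) if (f := findings(r))}

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE).items():
        print(idx, SAMPLE[idx]["peer_ip"], hits)
```

The same comparison of socket peer against header claims is what a server-side fix relies on: a loopback identity should come from the connection itself, never from a header the client can set.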