FortiMail Unauthenticated Login Bypass Scanner

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name' => 'FortiMail Unauthenticated Login Bypass Scanner',
      'Description' => %q{
        This module attempts to detect instances of FortiMail vulnerable
        against an unauthenticated login bypass (CVE-2020-9294).
      },
      'Author' => [
        'Mike Connor', # Initial Vulnerability discovery
        'Juerg Schweingruber <juerg.schweingruber[at]redguard.ch>', # Vulnerability Re-Discovery
        'Patrick Schmid <patrick.schmid[at]redguard.ch>' # Exploit Development & MSF module
      ],
      'References' => [
        ['CVE', '2020-9294'],
        ['URL', 'https://www.fortiguard.com/psirt/FG-IR-20-045'],
        ['URL', 'https://www.redguard.ch/blog/2020/07/02/fortimail-unauthenticated-login-bypass/']
      ],
      'License' => MSF_LICENSE
    )

    register_options([
      OptString.new('TARGETURI', [true, 'Path to the FortiMail admin page', '/admin/AdminLogin.html']),
      Opt::RPORT(443)
    ])

    register_advanced_options([
      OptBool.new('SSL', [true, 'Negotiate SSL connection', true])
    ])
  end

  def target_url
    proto = 'http'
    if (rport == 443) || ssl
      proto = 'https'
    end
    uri = normalize_uri(datastore['URI'])
    "#{proto}://#{vhost}:#{rport}#{uri}"
  end

  def run_host(ip)
    vprint_status("Checking vulnerability at #{ip}")
    uri = normalize_uri(target_uri.path)

    res = send_request_raw({
      'method' => 'GET',
      'uri' => uri
    })

    return :abort unless res # prints default connection error messages

    if res.code == 301
      vprint_error("#{ip} - Page redirect to #{res.headers['Location']}")
      return :abort
    end

    unless res.code == 200
      vprint_bad("#{ip} - No version of FortiMail detected")
      return :abort
    end

    version_raw = res.body[/fml-admin-login-(\d+).js/, 1]
    version = version_raw.to_i
    unless (res.body.include?('newpassword') && (version.between?(140, 160) || version.between?(730, 745) || version.between?(250, 263)))
      print_bad("#{ip} - Not vulnerable version (Build: #{version_raw}) of FortiMail detected")
      return :abort
    end

    print_good("#{ip} - Vulnerable version (Build: #{version_raw}) of FortiMail detected")

    report_vuln(
      host: rhost,
      port: rport,
      name: 'FortiMail Login Bypass',
      refs: references
    )
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
    # noop
  rescue ::Timeout::Error, ::Errno::EPIPE
    # noop
  rescue ::OpenSSL::SSL::SSLError => e
    return if (e.to_s.match(/^SSL_connect /)) # strange errors / exception if SSL connection aborted
  end
end