A remote directory traversal and remote execution vulnerability exists in the Barracuda Spam Firewall appliance from Barracuda Networks. In the script "/cgi-bin/img.pl", used to display graphs, the value of the "f" (filename) parameter is not sanitized.
No authentication is required to exploit this remote vulnerability.
Other vulnerabilities exist in the advanced utilities section, but administrative privileges are needed.
Credit:
The information has been provided by Francois Harvey.
The original article can be found at: http://www.securiweb.net/wiki/Ressources/AvisDeSecurite/2005.1
Vulnerable Systems:
* Barracuda Spam Firewall firmware version 3.1.16
* Barracuda Spam Firewall firmware version 3.1.17
Immune Systems:
* Barracuda Spam Firewall firmware version 3.1.18
Vulnerability #1
As seen below, the img.pl script tries to unlink the file after reading it. The web server user (nobody) should not have many delete permissions, but you have been warned.
In /cgi-bin/img.pl (excerpt, vulnerable as shipped):
use CGI;
# "f" is appended to /tmp/ unchecked, so "../" escapes the directory
my $file_img="/tmp/".CGI::param('f');
# two-argument open: a trailing "|" makes Perl run the name as a command
open (IMG, $file_img) or die "Could not open image because: $!\n";
...
unlink ($file_img);
Perl's "magic" two-argument open can also be used to execute commands: if the string ends with |, the script executes the command and pipes its output to the IMG file descriptor.
File retrieval:
f=../etc/passwd
Remote execution:
f=../bin/ls|
This vulnerability can be used to extract the admin password (see proof of concept).
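For contrast, an added example (not code from the advisory or from Barracuda) of the same file-serving logic written so that neither the traversal nor the trailing-pipe command execution can reach the open call: a strict allow-list on the "f" parameter, a three-argument open with an explicit read mode, and a check that the resolved path stays directly under the graph directory. The /tmp directory and the .png extension are assumptions.

```perl
#!/usr/bin/perl
# Added example, not code from the advisory or from Barracuda: hardened
# handling of the "f" parameter that img.pl takes from the query string.
use strict;
use warnings;
use File::Spec;

my $IMG_DIR = '/tmp';   # assumed graph directory, as in the advisory

# Return the validated path of a graph file, or nothing if the request is
# refused. Refusing here keeps "../etc/passwd" and "../bin/ls|" away from open().
sub safe_image_path {
    my ($param) = @_;
    return unless defined $param;
    # Allow-list: a bare name with a fixed extension, no separators, no
    # shell metacharacters. Bad input is refused, not "cleaned".
    return unless $param =~ /\A([A-Za-z0-9_-]{1,64})\.png\z/;
    my $name = "$1.png";
    my $path = File::Spec->catfile($IMG_DIR, $name);
    # Defence in depth: the result must still sit directly under $IMG_DIR.
    my (undef, $dir, $base) = File::Spec->splitpath($path);
    return unless File::Spec->canonpath($dir) eq $IMG_DIR && $base eq $name;
    return $path;
}

sub send_image {
    my ($param) = @_;
    my $path = safe_image_path($param);
    if (!defined $path) {
        print "Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\nbad image name\n";
        return 0;
    }
    # Three-argument open with an explicit '<' mode: the name is data, never
    # a mode or a pipe, so a trailing '|' cannot start a command.
    open(my $img, '<', $path) or do {
        print "Status: 404 Not Found\r\nContent-Type: text/plain\r\n\r\nno such image\n";
        return 0;
    };
    binmode $img;
    print "Content-Type: image/png\r\n\r\n";
    local $/ = \65536;          # stream in 64 KiB chunks
    print while <$img>;
    close $img;
    unlink $path;               # same clean-up as the original, now confined to /tmp
    return 1;
}

# Stand-alone check of the validator against the advisory's payloads.
printf "%-28s -> %s\n", $_, defined safe_image_path($_) ? 'accepted' : 'rejected'
    for ('graph1.png', '../etc/passwd', '../bin/ls|', 'graph1.png|');
```

Run directly, the script reports graph1.png as accepted and the three traversal or pipe variants as rejected; as a CGI it would call send_image(CGI::param('f')) instead.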
Vulnerability #2
In the utility section, it is possible to call some processes to troubleshoot the Barracuda. The command list includes dig and tcpdump (/cgi-bin/dig_device.cgi and /cgi-bin/tcpdump_device.cgi). The input string is validated against a list of allowed characters, but both dig and tcpdump allow filesystem operations through standard parameters.
Dig:
The -f option makes dig operate in batch mode by reading a list of lookup requests to process from the file filename.
Tcpdump:
-r Read packets from file (which was created with the -w option). Standard input is used if file is ``-''.
-w Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is ``-''.
As the use of some characters is prohibited, we can only interact with the current directory.
Using -f <some_file_in_the_cgi-bin-directory> in the dig edit box allows partial reading of source code (grep for DiG to reconstruct the code).
Using -r in the tcpdump edit box allows only the reading of a valid pcap file, but we can learn whether a file exists.
Using -w in the tcpdump edit box should overwrite files in the cgi-bin directory (not tested).
Proof of concept
http://<BarracudaHost>:8000/cgi-bin/img.pl?f=../home/emailswitch/code/config/current.conf
* The configuration is in /home/emailswitch/code/config/current.conf
* The configuration key for the password is system_password
* The password is in clear text (!!)
* The IP ACL for administrative authentication is the configuration key : httpd_acl_ip_admin_address/httpd_acl_ip_admin_netmask
* It is possible to deactivate the IP ACL for ~5 minutes (hint: look for the shell used by the user ca)
Solution:
Firmware update 3.1.18 fixes this issue (3.3.* is also safe).