From: SecuriTeam <support@securiteam.com>
To: [email protected]
Date: 5 Sep 2005 16:40:56 +0200
Subject: [NEWS] Barracuda Spam Firewall Appliance (Directory Traversal, Remote Execution, Password Retrieving)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050905140147.B383B57FE@mail.tyumen.ru>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Barracuda Spam Firewall Appliance (Directory Traversal, Remote Execution,
Password Retrieving)
------------------------------------------------------------------------
SUMMARY
A remote directory traversal and remote command execution vulnerability
exists in the Barracuda Spam Firewall appliance from
<http://barracudanetworks.com> Barracuda Networks. In the script
"/cgi-bin/img.pl", used to display graphs, the value of the "f" (filename)
parameter is not sanitized.
No authentication is required to exploit this remote vulnerability.
Other vulnerabilities exist in the advanced utilities section, but
administrative privileges are needed to exploit them.
DETAILS
Vulnerable Systems:
* Barracuda Spam Firewall firmware version 3.1.16
* Barracuda Spam Firewall firmware version 3.1.17
Immune Systems:
* Barracuda Spam Firewall firmware version 3.1.18
Vulnerability #1
As seen below, the img.pl script unlinks the file after reading it. The web
server user (nobody) should not have delete permission on much, but be
warned: a request that reads a file also deletes it wherever it can.
In /cgi-bin/img.pl:
  # "f" comes straight from the query string and is appended to /tmp/
  my $file_img="/tmp/".CGI::param('f');
  # two-argument open interprets the string: "../" walks out of /tmp, and
  # a trailing "|" turns it into a command whose output is read instead
  open (IMG, $file_img) or die "Could not open image because: $!\n";
  ..
  unlink ($file_img);
Perl's "magic" two-argument open can also be used to execute commands: if
the string ends with |, open runs the command and pipes its output into the
IMG file handle.
File retrieval:
f=../etc/passwd
Remote execution:
f=../bin/ls|
This vulnerability can be used to extract the admin password (see proof of
concept).
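To make the two-argument open problem concrete, here is an added example in Perl (not the original img.pl and not the vendor's 3.1.18 fix) that places the vulnerable pattern beside a hardened handler: the "f" value must match a strict file-name regex, the resolved path must still sit under /tmp, and the file is opened with the three-argument form so the name can never act as a mode or a command. The function names and the sample parameter values are illustrative.

```perl
#!/usr/bin/perl
# Added example: the vulnerable img.pl pattern beside a hardened handler.
# Not the original img.pl and not the vendor's 3.1.18 fix; names are
# illustrative.
use strict;
use warnings;
use Cwd qw(realpath);

my $IMG_DIR = '/tmp';   # where img.pl reads its graphs, per the advisory

# The pattern the advisory describes. Two-argument open interprets the
# string: "../etc/passwd" walks out of /tmp, "../bin/ls|" runs /bin/ls and
# returns its output as the "image". Shown for comparison only; never called.
sub open_image_unsafe {
    my ($f) = @_;
    my $file_img = "$IMG_DIR/" . $f;
    open(my $img, $file_img) or die "Could not open image because: $!\n";
    return $img;
}

# Step 1: accept only a plain file name. The anchored capture also untaints
# the value under taint mode (-T), which a CGI script should run with.
sub valid_image_name {
    my ($f) = @_;
    return undef unless defined $f;
    return undef unless $f =~ /\A([A-Za-z0-9_-][A-Za-z0-9_.-]*\.(?:png|gif))\z/;
    return $1;      # no "/", no leading ".", no "|", no newline
}

# Steps 2 and 3: resolve the path, confirm it is still under $IMG_DIR
# (defeats a symlink planted in world-writable /tmp), then open with the
# three-argument form so the name is data, never a mode or a command.
sub read_image_safe {
    my ($f) = @_;
    my $name = valid_image_name($f) or die "Invalid image name\n";
    my $base = realpath($IMG_DIR);
    my $path = realpath("$IMG_DIR/$name");      # undef if it does not exist
    die "Image not found\n"
        unless defined $path && index($path, "$base/") == 0;
    open(my $img, '<', $path) or die "Could not open image because: $!\n";
    binmode $img;
    local $/;                      # slurp the whole file
    my $data = <$img>;
    close $img;
    unlink $path;                  # same cleanup as img.pl, on the vetted path only
    return $data;
}

# Demonstration with constructed parameter values (nothing is opened here):
for my $f ('graph_1.png', '../etc/passwd', '../bin/ls|', 'graph.png|', '.hidden.png') {
    printf "%-16s %s\n", $f,
        defined valid_image_name($f) ? 'accepted' : 'rejected';
}
```

Only graph_1.png passes the name check; the traversal, pipe and dotfile inputs are rejected before any path is built. The realpath containment check is a second layer for the case where /tmp contains a symlink that points elsewhere.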
Vulnerability #2
In the utility section it is possible to run some processes to
troubleshoot the Barracuda. The command list includes dig and tcpdump
(/cgi-bin/dig_device.cgi and /cgi-bin/tcpdump_device.cgi). The input string
is validated against a list of allowed characters, but both dig and tcpdump
allow filesystem operations through their standard options.
Dig:
    The -f option makes dig operate in batch mode by reading a list of
    lookup requests to process from the file filename.
Tcpdump:
    -r  Read packets from file (which was created with the -w option).
        Standard input is used if file is ``-''.
    -w  Write the raw packets to file rather than parsing and printing
        them out. They can later be printed with the -r option.
        Standard output is used if file is ``-''.
As the use of some characters is prohibited, we can only interact with the
current directory.
Using -f <some_file_in_the_cgi-bin_directory> in the dig edit box allows
partial reading of source code (grep for DiG in the output to reconstruct
the code).
Using -r in the tcpdump edit box only reads a valid pcap file, but it lets
us learn whether a file exists.
Using -w in the tcpdump edit box should overwrite files in the cgi-bin
directory (not tested).
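The root cause in the utility section is argument injection: a character whitelist keeps shell metacharacters out, but says nothing about option flags such as -f or -r. The following Perl is an added example, not Barracuda's dig_device.cgi, of how such a troubleshooting form could be hardened: the input must be a single bare hostname or IPv4 address, anything beginning with "-" is rejected, and the program is invoked in list form so no shell ever parses the string. Function names and the sample inputs are illustrative.

```perl
#!/usr/bin/perl
# Added example: argument-injection-safe wrapper for a dig lookup form.
# Not Barracuda's dig_device.cgi; names are illustrative.
use strict;
use warnings;

# Build the argv for dig, or return undef if the input is not acceptable.
# A character whitelist alone lets "-f <file>"-style option abuse through
# (dig -f reads lookup requests from a file), so the check is structural:
# exactly one token, shaped like a hostname or IPv4 address, never an option.
sub dig_argv {
    my ($input) = @_;
    return undef unless defined $input;
    $input =~ s/\A\s+|\s+\z//g;                       # trim
    return undef if $input eq '' || $input =~ /\s/;   # one token only
    return undef if $input =~ /\A-/;                  # never an option flag
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    my $octet = qr/(?:25[0-5]|2[0-4]\d|1?\d?\d)/;
    my $ipv4  = qr/$octet(?:\.$octet){3}/;
    return undef unless $input =~ /\A(?:$label(?:\.$label)*\.?|$ipv4)\z/;
    return ['dig', '+short', $input];                 # list form: no shell
}

# Run the vetted lookup and return dig's output lines.
sub run_dig {
    my ($input) = @_;
    my $argv = dig_argv($input) or die "Rejected lookup target\n";
    # list-form pipe open: each element is one argv entry, nothing is
    # re-parsed by a shell, so "-f" or "|" in the input cannot become options
    open(my $out, '-|', @$argv) or die "cannot run dig: $!\n";
    my @lines = <$out>;
    close $out;
    return @lines;
}

# Constructed inputs for the demonstration (dig itself is not executed):
for my $in ('example.com', '192.0.2.10', '-f index.cgi',
            'example.com -f dig_device.cgi', '@10.0.0.1 example.com') {
    my $argv = dig_argv($in);
    printf "%-32s %s\n", "'$in'", $argv ? join(' ', @$argv) : 'rejected';
}
```

The same structural approach applies to the tcpdump form: accept only the capture expression, refuse any token starting with "-", and pass the fixed options and the expression as separate argv elements rather than concatenating a user string into a command line.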
Proof of concept
http://<BarracudaHost>:8000/cgi-bin/img.pl?f=../home/emailswitch/code/config/current.conf
* The configuration is in /home/emailswitch/code/config/current.conf
* The configuration key for the password is system_password
* The password is in clear text (!!)
* The IP ACL for administrative authentication is the configuration key :
httpd_acl_ip_admin_address/httpd_acl_ip_admin_netmask
* It's possible to deactivate the IP ACL for ~5 minutes (hint: look for
the shell used by the user ca)
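Operators who cannot patch immediately, or who want to know whether the img.pl vector was probed before the update, can check the web server access log for the request shape above. The following Perl is an added example (not part of the advisory) that flags requests to /cgi-bin/img.pl whose percent-decoded f parameter contains a traversal sequence or a trailing pipe. The log lines are constructed for the example and an Apache common/combined log format is assumed; they are not a Barracuda log sample.

```perl
#!/usr/bin/perl
# Added example: flag img.pl requests whose "f" parameter carries a
# traversal sequence or a trailing pipe. Log lines are constructed for the
# example (Apache common/combined format assumed), not a Barracuda sample.
use strict;
use warnings;

my @log = (
    '10.0.0.5 - - [05/Sep/2005:14:01:47 +0200] "GET /cgi-bin/img.pl?f=graph_1.png HTTP/1.0" 200 4311',
    '10.0.0.9 - - [05/Sep/2005:14:02:03 +0200] "GET /cgi-bin/img.pl?f=../etc/passwd HTTP/1.0" 200 1542',
    '10.0.0.9 - - [05/Sep/2005:14:02:10 +0200] "GET /cgi-bin/img.pl?f=..%2Fbin%2Fls%7C HTTP/1.0" 200 812',
    '10.0.0.9 - - [05/Sep/2005:14:02:30 +0200] "GET /cgi-bin/img.pl?f=..%2Fhome%2Femailswitch%2Fcode%2Fconfig%2Fcurrent.conf HTTP/1.0" 200 9021',
    '10.0.0.7 - - [05/Sep/2005:14:03:00 +0200] "GET /cgi-bin/index.cgi HTTP/1.0" 200 2200',
);

# Percent-decode a query-string component (attackers encode "/" and "|").
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
    return $s;
}

# Return one [client, decoded f value, reasons] triple per suspicious request.
sub suspicious_requests {
    my @hits;
    for my $line (@_) {
        my ($client, $target) =
            $line =~ /^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)/
            or next;
        my ($path, $query) = split /\?/, $target, 2;
        next unless $path eq '/cgi-bin/img.pl' && defined $query;
        for my $pair (split /&/, $query) {
            my ($k, $v) = split /=/, $pair, 2;
            next unless defined $v && $k eq 'f';
            $v = url_decode($v);           # compare on the decoded value
            my @why;
            push @why, 'directory traversal'
                if $v =~ m{(?:\A|/)\.\.(?:/|\z)};
            push @why, 'trailing pipe (command execution)'
                if $v =~ /\|\s*\z/;
            push @hits, [$client, $v, join(', ', @why)] if @why;
        }
    }
    return @hits;
}

for my $hit (suspicious_requests(@log)) {
    printf "%-10s %-45s %s\n", @$hit;
}
```

On the constructed lines this reports the three requests from 10.0.0.9 and ignores the legitimate graph fetch and the unrelated index.cgi hit. It covers the img.pl vector only: if the utility forms submit their option string in a POST body, the access log does not record it, so dig -f or tcpdump -r abuse needs a different data source.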
Solution:
Firmware update 3.1.18 fixes this issue (3.3.* is also safe).
ADDITIONAL INFORMATION
The information has been provided by <mailto:fharvey@securiweb.net>
Francois Harvey.
The original article can be found at:
<http://www.securiweb.net/wiki/Ressources/AvisDeSecurite/2005.1>
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.