Barracuda Networks Backup Appliance Cross Site Scripting

`Document Title:  
===============  
Barracuda Networks Backup Appliance Application - Persistent Web Vulnerability  
  
  
References (Source):  
====================  
http://www.vulnerability-lab.com/get_content.php?id=784  
  
BARRACUDA NETWORK SECURITY ID: BNSEC-885  
  
  
Release Date:  
=============  
2014-02-26  
  
  
Vulnerability Laboratory ID (VL-ID):  
====================================  
784  
  
  
Common Vulnerability Scoring System:  
====================================  
3.5  
  
  
Product & Service Introduction:  
===============================  
Barracuda Backup Service is a complete and affordable data backup solution. The Barracuda Backup   
Server provides a full local data backup and is combined with a storage subscription to replicate   
data to two offsite locations. This approach provides the best of both worlds - onsite backups for   
fast restore times and secure, offsite storage for disaster recovery. Block level deduplication is   
applied inline to reduce traditional backup storage requirements by 20 to 50 times while also   
reducing backup windows and bandwidth requirements. Cloud Storage with Deduplication  
  
Barracuda Backup Subscription plans provide diverse offsite storage at affordable monthly fees that   
scale to meet increasing data requirements.  
  
* Secure backup to two geo-separate data centers  
* Deduplicated efficient backup storage  
* Redundant disk-based storage  
* Best-of-breed data retention policies  
* Web interface multi-location management  
* Restore by Web, FTP and Windows software  
  
(Copy of the Vendor Homepage: http://www.barracudanetworks.com/ns/products/backup_overview.php)  
  
  
Abstract Advisory Information:  
==============================  
The Vulnerability Laboratory Research Team discovered a persistent web vulnerability in the official Barracuda Networks Backup appliance web-application.  
  
  
Vulnerability Disclosure Timeline:  
==================================  
2013-12-02: Researcher Notification & Coordination (Benjamin Kunz Mejri)  
2013-12-04: Vendor Notification (Barracuda Networks Security Team)  
2013-12-08: Vendor Response/Feedback (Barracuda Networks Security Team)  
2014-02-17: Vendor Fix/Patch (Barracuda Networks Developer Team)  
2014-02-26: Public Disclosure (Vulnerability Laboratory)  
  
  
Discovery Status:  
=================  
Published  
  
  
Exploitation Technique:  
=======================  
Remote  
  
  
Severity Level:  
===============  
Medium  
  
  
Technical Details & Description:  
================================  
A persistent web vulnerability has been discovered in the official Barracuda Networks Backup appliance web-application.  
The bugs allows remote attackers to inject own malicious script code on the application side (persistent) of the service.  
  
The persistent vulnerability is located in the `remote_host` value of the `Extern Backup` module. Remote attackers are able   
to inject via POST method request own malcious script codes as remote_host. The result is the persistent (application-side)   
execution out in the vulnerable remote_host list module. The attack vector is persistent on the application-side and the   
request method to inject is POST. The security risk of the persistent input validation web vulnerability is estimated as   
medium with a cvss (common vulnerability scoring system) count of 3.5(+)|(-)3.6.  
  
Exploitation of the persistent web vulnerability requires low user interaction and a low privileged web-application appliance   
user account. Successful exploitation of the vulnerability results in persistent session hijacking (admin/auditor), persistent   
phishing (application-side), persistent external redirect and persistent manipulation of affected or connected vulnerable modules.  
  
Request Method(s):  
[+] POST  
  
Vulnerable Section(s):  
[+] Jetz Sichern  
  
Vulnerable Module(s):  
[+] Extern Backup > Ziel hinzufügen (Add Target) - Listing   
  
Vulnerable Parameter(s):  
[+] remote_host (Exception-Handling) - Error (Invalid)  
  
  
Proof of Concept (PoC):  
=======================  
The persistent input validation vulnerability can be exploited by remote attacker with low privileged application user account and   
low required user interaction. For demonstration or reproduce ...  
  
Review: Jetz Sichern > Extern Backup > Ziel hinzufügen > [remote_host] > Listing   
  
<div class="fieldGroupInfo">You can optionally choose a Backup Server from your account to load the required info automatically,   
or enter it manually.</div>  
  
<div class="fieldGroupError"></div>  
</div>  
<div class="replication_wrapper">  
<div class="fieldGroup statusError"><label class="ultraform_label">Ziel-IP-Adresse:</label>  
<span><div class="alba-placeholder" style="position: absolute; background: none repeat scroll 0% 0% transparent;   
border-color: transparent; border-style: solid; height: 17px; width: 241px; padding: 2px 3px; font-size: 13px; font-family:   
Arial,'Liberation Sans',FreeSans,sans-serif; font-weight: 400; font-style: normal; letter-spacing: normal; line-height: 16px;   
text-align: start; text-decoration: none; border-width: 1px; vertical-align: middle; cursor: text; overflow: hidden; text-overflow:   
ellipsis; white-space: nowrap; -moz-user-select: none; color: rgba(0, 0, 0, 0.35); top: 79px; left: 268px; display: none;">  
Ziel-Hostname oder IP-Adresse</div><input _placeholder="Ziel-Hostname oder IP-Adresse" size="35"   
name="remote_host" value="">"<iframe src=a>%20%20%20%20"><[PERSISTENT INJECTED SCRIPT CODE!];) <" content_source=""   
id="remote_host" type="text">  
</span><span class="fieldGroupStatus"> </span>  
<div class="fieldGroupInfo">Geben Sie die IP-Adresse oder den Hostnamen des Ziel-Backup-Servers ein. Die Adresse muss von diesem Backup   
Server aus erreichbar sein. Alternative Portnummern können angegeben werden. Beispiel: 192.168.1.2:5001</div>  
<div class="fieldGroupError">Sie haben keine Erlaubnis zum Hinzufügen oder Editieren von Ziel-Backup-Servern.</div>  
</div>  
  
  
Solution - Fix & Patch:  
=======================  
The vulnerability can be patched by a secure encode and parse of the remote_host value in the `Extern Backup` module of the `Ziel hinzufügen` function.  
Restrict the remote_host input fields and filter the POST method request after the regular mask validation to prevent script code injection attacks.  
  
  
Security Risk:  
==============  
The security risk of the persistent web vulnerability is estimated as medium because of the location in the remote_host exception-handling.  
  
  
Credits & Authors:  
==================  
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri ([email protected]) [www.vulnerability-lab.com]  
  
  
Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,   
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-  
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business   
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some   
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation   
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases   
or trade with fraud/stolen material.  
  
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com  
Contact: [email protected] - [email protected] - [email protected]  
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com  
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab  
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php  
  
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.   
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other   
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and   
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),   
modify, use or edit our material contact ([email protected] or [email protected]) to get a permission.  
  
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]  
  
  
--   
VULNERABILITY LABORATORY RESEARCH TEAM  
DOMAIN: www.vulnerability-lab.com  
CONTACT: [email protected]  
  
`