2005.1.txt

2005-09-05T00:00:00
ID PACKETSTORM:39812
Type packetstorm
Reporter Francois Harvey
Modified 2005-09-05T00:00:00

Description

                                        
                                            `ID : 2005.1  
Product : Barracuda Spam Firewall Appliance  
Vendor : Barracuda networks  
Affected product : firmware <= 3.1.17  
Class : Directory Traveral, Remote Execution, Password   
Retrieving  
Remote : yes  
local : na  
Author : Francois Harvey <fharvey at securiweb dot net>  
Published date : 01/09/2005 (Initial Vendor contact 2005-06-14)  
CVE : CVE-MAP-NOMATCH  
Solution : Install Firmware 3.1.18  
Reference URL :   
http://www.securiweb.net/wiki/Ressources/AvisDeSecurite/2005.1  
  
  
Summary  
======  
  
A remote "Directory Traversal" and "Remote Execution" vulnerability   
exist in Barracuda Spam Firewall appliance from Barracuda Networks   
(barracudanetworks.com). In the script "/cgi-bin/img.pl", used to show   
graph, the value of the "f" (filename) parameters is not sanitized.  
  
No authentification is required to exploit this remote vulnerability  
  
Other vulnerabilies exist in the advanced utilities section but admin   
privilege is needed.  
Affected product  
  
* Tested on Barracuda Spam Firewall firmware v.3.1.16 / v.3.1.17  
  
Note: on the spyware edition img.pl is present but not executable  
Note: on firmware 3.3.* the img.pl is img.cgi and they fixed the   
vulnerability  
  
Impact  
=====  
* Arbitrary file reading (as uid of the webserver)  
* Arbitrary file execution (as uid of the webserver)  
* Full reading of the system configuration  
* Audit of the Barracuda Spam firewall  
  
Description  
========  
Vulnerability #1  
---------------------------  
  
As see below the img.pl script try to unlink the file after the reading.   
The webserver user (nobody) should not have a lot of delete permission   
but you have been warned.  
  
In /cgi-bin/img.pl scripts  
  
my $file_img="/tmp/".CGI::param('f');  
open (IMG, $file_img) or die "Could not open image because: $!\n";  
...  
unlink ($file_img);  
  
The "magic" perl open function can also be used to execute commands. If   
the string finish by | the script will execute the command and pipe the   
output to the IMG file descriptor.  
  
file retreivial :  
f=../etc/passwd  
  
remote execution :  
f=../bin/ls|  
  
This vulnerability can be used to extract the admin password (see proof   
of concept)  
  
Vulnerability #2  
---------------------------  
  
In the utility section, it's possible to call some process to   
troubleshoot the Barracuda. In the command list we can use Dig and   
Tcpdump ( /cgi-bin/dig_device.cgi and /cgi-bin/tcpdump_device.cgi). The   
input string is validate with a list of valid char but both dig and   
tcpdump allow filesystem operation with standard parameters.  
  
Dig :  
  
The -f option makes dig operate in batch mode by reading a list of  
lookup requests to process from the file filename.  
  
Tcpdump :  
  
-r Read packets from file (which was created with the -w option).  
Standard input is used if file is ``-''.  
-w Write the raw packets to file rather than parsing and printing  
them out. They can later be printed with the -r option.   
Stan-  
dard output is used if file is ``-''.  
  
As the use of some character is prohibited, we can only interact with   
the current directory.  
  
Using -f <some_file_in_the_cgi-bin-directory> in the dig edit box allow   
the partial reading of source code. (grep DiG to reconstruct the code)  
  
Using -r in tcpdump edit box allow only a reading of a valid pcap file   
but we can know if a file exist.  
  
Using -w in tcpdump edit box should overwrite file in the cgi-bin   
directory. (not tested)  
  
Proof of concept  
===========  
  
http://<BarracudaHost>:8000/cgi-bin/img.pl?f=../home/emailswitch/code/config/current.conf  
  
* The config is in /home/emailswitch/code/config/current.conf  
* The config key for the password is system_password  
* The password is in clear text (!!)  
* The IP ACL for admin authentification is the config key :   
httpd_acl_ip_admin_address/httpd_acl_ip_admin_netmask  
* it's possible to desactivate for ~5 minutes the IP ACL (hint :   
look for the shell using by the user sa)  
  
Solution  
=====  
Firmware update 3.1.18 fix this issue  
  
Author  
=====  
Francois Harvey <fharvey at securiweb dot net>  
Security Analyst  
SecuriWeb inc.  
www.securiweb.net  
  
History  
=====  
  
2005-06-14 : Initial vendor contact  
2005-06-14 : Initial feedback from Barracuda Networks  
2005-07-* : Firmware 3.1.18 resolved this issue  
2005-08-17 : Confirmation to disclose the vulnerability  
2005-09-01 : Public disclosure  
  
  
`