Barracuda Networks MDM - Persistent Mail Vulnerability

2016-02-04T00:00:00
ID VULNERLAB:1315
Type vulnerlab
Reporter Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (research@vulnerability-lab.com) [www.vulnerability-lab.com]
Modified 2016-02-04T00:00:00

Description

Document Title:
===============
Barracuda Networks MDM - Persistent Mail Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1315


Release Date:
=============
2016-02-04


Vulnerability Laboratory ID (VL-ID):
====================================
1315


Common Vulnerability Scoring System:
====================================
3


Product & Service Introduction:
===============================
Use Barracuda Mobile Device Manager to manage mobile devices from the cloud and to deploy applications and resources to them. 
The Barracuda Mobile Device Manager service provides a web interface for the administrator to configure the service, along with 
the Barracuda Mobile Companion application for end users, to cover both Bring Your Own Device (BYOD) and assigned-device 
scenarios. Protect and apply secure browsing policies for groups of students, employees and guests who use their personal mobile 
devices inside or outside of your network, or manage business- or institutionally-owned devices within your network.

From here you can easily manage mobile phones and tablets on your network while giving your users the freedom to use the device of their choice. 
To get started enrolling devices, follow one of the methods listed in the Device Enrollment section below. Please note that in order to enroll 
iOS devices you must first configure an Apple Push Certificate. For additional documentation on the Barracuda MDM service, see the Barracuda TechLibrary.

( Copy of the Homepage: https://techlib.barracuda.com/mdm )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent vulnerability in the Barracuda Networks Mobile Device Manager appliance web-application.


Vulnerability Disclosure Timeline:
==================================
2016-02-04:	Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Barracuda Networks
Product: Mobile Application Manager 2014 Q3


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Low


Technical Details & Description:
================================
A persistent mail encoding web vulnerability has been discovered in the official Barracuda Networks Mobile Device Manager web-application.
The vulnerability allows remote attackers holding an application user account to inject their own script code on the application side into 
outgoing Barracuda MDM emails.

The vulnerability is located in the `Shared Secret` input and the `Include Shared Secret` option of the `message body` in the 
`Mobile Devices > Settings > Enrollment` module. A low privileged (authenticated) user account can inject script code as payload into the 
Shared Secret input at the top of the module and save it (POST to `/enrollment/updatesharedsecret`). Further down the module, in the 
enrollment email form, the attacker injects the same payload into the `message body` and activates `Include Shared Secret`. With that option 
enabled, the stored Shared Secret value is appended to the message body without any encoding. The attacker then enters the email address of 
a Barracuda user as recipient of the enrollment invitation (the mail carries the enrollment link, here `/enroll/x5ZFhPxdkf`) and clicks send 
(POST to `/enrollment/enrollemail`). The message is delivered through the application's own mail form to the recipient with the injected code 
embedded in the message body, where it executes in the recipient's mail client. The attack vector is application-side (stored) and the request 
method used to inject is POST.

The responses carry an `X-XSS-Protection: 1; mode=block` header, but that header only instructs the browser rendering the web application's 
own session. The payload executes outside of that session, in the mail context, and the application still accepts and stores the unencoded 
input, so the header does not prevent a low privileged account from exploiting the bug.

The security risk of the persistent mail encoding web vulnerability is estimated as low (see Severity Level) with a CVSS (Common Vulnerability 
Scoring System) count of 3.0. Exploitation of the application-side vulnerability requires a low privileged Barracuda Mobile Device Manager account 
with restricted access and low or medium user interaction. Successful exploitation of the vulnerability results in persistent phishing, persistent 
session hijacking and persistent mail context manipulation.


Request Method(s):
				[+] POST

Vulnerable Module(s):
				[+] Mobile Devices > Settings > Enrollment

Vulnerable Function(s):
				[+] Include Shared Secret (enrollment email form, bottom)

Vulnerable Input(s):
				[+] Shared Secret (top)
				[+] message body

Affected Module(s):
				[+] Enrollment Email Notification Context (Invite)


Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by remote attackers with a low privileged application user account and low or medium 
user interaction. For security demonstration or to reproduce the vulnerability, follow the information and steps provided below.

--- PoC Session Logs [POST] (enrollment/updatesharedsecret) ---
13:28:19.988[727ms][total 727ms] Status: 200[OK]
POST https://mdm.[SERVER].com/enrollment/updatesharedsecret?_=1409830099976 Load Flags[LOAD_BYPASS_CACHE  LOAD_BACKGROUND  ] Content size[91] Mime Type[text/html]
Request Header:
      Host[mdm.[SERVER].com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
      Accept[application/json, text/javascript, */*; q=0.01]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
      X-Requested-With[XMLHttpRequest]
      Referer[https://mdm.[SERVER].com/enrollment]
      Content-Length[51]
      Cookie[CLOUD_LOCALE=en_US; cloud_session=ksfd3hb8fl4l5cl3jve131r6d7; current_account=5584599; CLOUD_AT=GL-a9ac8a1130e58f01dbb9bbef27b0e446897d1ed5-d7e765f780af7c2d042f557e610f89ec; __utma=72726272.1496886540.1409824732.1409824732.1409824732.1; __utmb=72726272.52.10.1409824732; __utmc=72726272; __utmz=72726272.1409824732.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=lr9asou2hjmtc790upmpmvb0c1]
      Connection[keep-alive]
      Pragma[no-cache]
      Cache-Control[no-cache]
POST data:
      is_ajax[1]
      ajax_response_format[json]
      secret[[PERSISTENT INJECTED SCRIPT CODE THROUGH INCLUDE SHARE SECRET FUNCTION]]
Response Header:
      Date[Thu, 04 Sep 2014 11:28:56 GMT]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
      Pragma[no-cache]
      Vary[Accept-Encoding,User-Agent]
      Content-Encoding[gzip]
      X-Frame-Options[SAMEORIGIN, SAMEORIGIN]
      X-XSS-Protection[1; mode=block]
      Content-Length[91]
      Keep-Alive[timeout=15, max=100]
      Connection[Keep-Alive]
      Content-Type[text/html; charset=utf-8]
-
13:28:20.768[390ms][total 1897ms] Status: 200[OK]
GET https://mdm.[SERVER].com/enrollment Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Content size[6640] Mime Type[text/html]
Request Header:
      Host[mdm.[SERVER].com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Cookie[CLOUD_LOCALE=en_US; cloud_session=ksfd3hb8fl4l5cl3jve131r6d7; current_account=5584599; CLOUD_AT=GL-a9ac8a1130e58f01dbb9bbef27b0e446897d1ed5-d7e765f780af7c2d042f557e610f89ec; __utma=72726272.1496886540.1409824732.1409824732.1409824732.1; __utmb=72726272.52.10.1409824732; __utmc=72726272; __utmz=72726272.1409824732.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=lr9asou2hjmtc790upmpmvb0c1]
      Connection[keep-alive]
      Cache-Control[max-age=0]
Response Header:
      Date[Thu, 04 Sep 2014 11:28:56 GMT]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
      Pragma[no-cache]
      Vary[Accept-Encoding,User-Agent]
      Content-Encoding[gzip]
      X-Frame-Options[SAMEORIGIN, SAMEORIGIN]
      X-XSS-Protection[1; mode=block]
      Content-Length[6640]
      Keep-Alive[timeout=15, max=99]
      Connection[Keep-Alive]
      Content-Type[text/html; charset=utf-8]
-
13:28:51.774[643ms][total 643ms] Status: 200[OK]
POST https://mdm.[SERVER].com/enrollment/enrollemail?_=1409830131753 Load Flags[LOAD_BYPASS_CACHE  LOAD_BACKGROUND  ] Content size[108] Mime Type[text/html]
Request Header:
      Host[mdm.[SERVER].com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
      Accept[application/json, text/javascript, */*; q=0.01]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
      X-Requested-With[XMLHttpRequest]
      Referer[https://mdm.[SERVER].com/enrollment]
      Content-Length[201]
      Cookie[CLOUD_LOCALE=en_US; cloud_session=ksfd3hb8fl4l5cl3jve131r6d7; current_account=5584599; CLOUD_AT=GL-a9ac8a1130e58f01dbb9bbef27b0e446897d1ed5-d7e765f780af7c2d042f557e610f89ec; __utma=72726272.1496886540.1409824732.1409824732.1409824732.1; __utmb=72726272.53.10.1409824732; __utmc=72726272; __utmz=72726272.1409824732.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=lr9asou2hjmtc790upmpmvb0c1]
      Connection[keep-alive]
      Pragma[no-cache]
      Cache-Control[no-cache]
POST data:
      is_ajax[1]
      ajax_response_format[json]
      email%5Bemail%5D[bkm%40evolution-sec.com]
      email%5Bshow_secret%5D[true]
      email%5Bmessage%5D[Please+follow+the+invitation+link+and+use+the+shared+secret%3A+***+[PERSISTENT INJECTED SCRIPT CODE THROUGH INCLUDE SHARE SECRET FUNCTION]]
Response Header:
      Date[Thu, 04 Sep 2014 11:29:27 GMT]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
      Pragma[no-cache]
      Vary[Accept-Encoding,User-Agent]
      Content-Encoding[gzip]
      X-Frame-Options[SAMEORIGIN, SAMEORIGIN]
      X-XSS-Protection[1; mode=block]
      Content-Length[108]
      Keep-Alive[timeout=15, max=100]
      Connection[Keep-Alive]
      Content-Type[text/html; charset=utf-8]


Solution - Fix & Patch:
=======================
The issue can be patched by a secure restriction of the vulnerable Shared Secret input at the top of the module. Restrict and filter the message body context as well.
Parse and encode the content that passes through both functions before it is embedded in the mail body, since the mail body is where it executes.

Note: The Barracuda Networks developer team patched the vulnerability during the verification procedure of the issue.
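The following is an added example written for this advisory; it is not Barracuda code and does not reproduce the appliance's real implementation. It models the two-request flow described in the Technical Details (save the Shared Secret, then send the enrollment mail with "Include Shared Secret" enabled) and the two-part fix from the Solution section: restrict the secret on input, and HTML-encode both the message body and the secret when they are embedded in the mail. The template text, the host name, the character-set policy for the secret and the sample payload are all assumptions made for illustration.

```python
"""Vulnerable vs. hardened composition of an MDM enrollment invitation mail.

Added illustration for this advisory (not Barracuda code). Assumed: the mail
template, the host name, and the secret character-set policy below.
"""
import html
import re

# Constructed sample input standing in for the advisory's
# "[PERSISTENT INJECTED SCRIPT CODE ...]" marker.
MALICIOUS_SECRET = '<img src=x onerror="alert(document.domain)">'
MESSAGE = "Please follow the invitation link and use the shared secret:"
ENROLL_URL = "https://mdm.example.com/enroll/x5ZFhPxdkf"   # assumed host

# Assumed server-side policy for the Shared Secret input (first half of the fix).
SECRET_RE = re.compile(r"^[A-Za-z0-9._-]{8,64}$")


class EnrollmentSettings:
    """Per-account state behind the 'updatesharedsecret' request."""

    def __init__(self, validate: bool) -> None:
        self.validate = validate          # False reproduces the flaw
        self.shared_secret = ""

    def save_shared_secret(self, secret: str) -> None:
        """Vulnerable mode stores anything; hardened mode rejects markup."""
        if self.validate and not SECRET_RE.fullmatch(secret):
            raise ValueError("shared secret contains disallowed characters")
        self.shared_secret = secret


def render_enrollment_mail(settings: EnrollmentSettings, message: str,
                           show_secret: bool, encode: bool) -> str:
    """Builds the HTML body sent by the 'enrollemail' request.

    encode=False reproduces the flaw: the operator message and the stored
    secret are concatenated raw into the mail. encode=True is the second
    half of the fix: every untrusted value is HTML-encoded at the point it
    is embedded (output encoding), independent of what was stored.
    """
    esc = (lambda s: html.escape(s, quote=True)) if encode else (lambda s: s)
    body = esc(message)
    if show_secret:                      # "Include Shared Secret" enabled
        body += " " + esc(settings.shared_secret)
    return (f'<html><body><p>{body}</p>'
            f'<p><a href="{esc(ENROLL_URL)}">Enroll</a></p></body></html>')


def contains_foreign_markup(mail_html: str) -> bool:
    """Check used to verify a fix: does the rendered mail carry any tag that
    the template itself did not emit?"""
    template_tags = {"html", "body", "p", "a"}
    found = {t.lower() for t in
             re.findall(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)", mail_html)}
    return bool(found - template_tags)


def demo() -> dict:
    """Runs the vulnerable and hardened paths and returns what each produced."""
    vuln = EnrollmentSettings(validate=False)
    vuln.save_shared_secret(MALICIOUS_SECRET)   # accepted as-is
    raw = render_enrollment_mail(vuln, MESSAGE, True, encode=False)

    # Output encoding alone already neutralises a stored payload.
    encoded = render_enrollment_mail(vuln, MESSAGE, True, encode=True)

    hard = EnrollmentSettings(validate=True)
    try:
        hard.save_shared_secret(MALICIOUS_SECRET)
        rejected = False
    except ValueError:
        rejected = True
    hard.save_shared_secret("Secret.2016-02")
    clean = render_enrollment_mail(hard, MESSAGE, True, encode=True)

    return {"raw_is_live": contains_foreign_markup(raw),
            "encoded_is_live": contains_foreign_markup(encoded),
            "input_rejected": rejected,
            "clean_is_live": contains_foreign_markup(clean)}


if __name__ == "__main__":
    print(demo())
```

The two halves of the fix are deliberately independent: input restriction stops the payload from ever being stored, and output encoding guarantees that whatever is stored cannot become markup in the mail. Only the second half protects against a bypass of the first (or an already-poisoned database), so an encoding-only render is checked separately above.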


Security Risk:
==============
The security risk of the mail encoding web vulnerability in the enrollment function is estimated as low. (CVSS 3.0)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (research@vulnerability-lab.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either 
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers 
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even 
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation 
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break 
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
Section:    dev.vulnerability-db.com	 	- forum.vulnerability-db.com 		       		- magazine.vulnerability-db.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2016 | Vulnerability Laboratory [Evolution Security]