Barracuda Control Center 620 - Multiple Web Vulnerabilities

2011-12-21T00:00:00
ID 1337DAY-ID-17292
Type zdt
Reporter Benjamin K.M.
Modified 2011-12-21T00:00:00

Description

Exploit for jsp platform in category web applications

                                        
                                            Introduction:
=============
Barracuda Networks - Worldwide leader in email and Web security.
Control Center Application of Barracuda Networks
 
(Copy of the Vendor Homepage: http://www.barracudanetworks.com/ns/products/)
 
 
Abstract:
=========
Vulnerability-lab Team discovered multiple Web  Vulnerabilities on Barracuda Control Center 620 appliance/application.
 
 
Report-Timeline:
================
2011-06-03: Vendor Notification
2011-07-12: Vendor Response/Feedback
2011-11-26: Vendor Fix/Patch
2011-12-21: Public or Non-Public Disclosure
 
 
Status:
========
Published
 
 
Affected Products:
==================
 
Exploitation-Technique:
=======================
Remote
 
 
Severity:
=========
Medium
 
 
Details:
========
1.1
Multiple persistent Input Validation vulnerabilities are detected on Barracudas Control Center 620. Local low privileged user account can
implement/inject malicious persistent script code. When exploited by an authenticated user, the identified vulnerabilities
can lead to information disclosure, access to intranet available servers, manipulated persistent content.
 
Vulnerable Module(s): (Persistent)
                                        [+] authdblookup -input
 
1.2
Multiple non-persistent Input Validation vulnerabilities are detected on Barracudas Control Center 620 appliance.
Attackers can form malicious client-side requests to hijack customer/admin sessions.
Successful exploitation requires user inter action & can lead to information disclosure, session
hijacking and access to servers in the intranet.
  
 
Proof of Concept:
=================
The vulnerabilities can be exploited by low privileged user accounts or remote attacker via high required user inter action.
For demonstration or reproduce ...
 
1.1 Persistent
https://127.0.0.1:8080/bcc/[email protected]&selected-node=
 
Manually reproduce ...
1. Login
2. Switch to the vulnerable authdblookup-input.jsp  add mask
3. Include your own malicious persistent script code (java-script or html) & save the input
4. The stored script code will be executed in main-bar as stable output result (persistent)
 
1.2  Non-Persistent
https://127.0.0.1:8080/bcc/editdevices.jsp?device-type=spyware&selected-node=1&containerid=[IVE]
https://127.0.0.1:8080/bcc/main.jsp?device-type=[IVE]
 
 
Solution:
=========
Barracuda implemented after the issues 2011 a validation mask to filter malicious & disallowed inputs.
The barracuda firmware of the filter has been update multiple times.
 
 
Risk:
=====
1.1
The security risk of the discovered persistent vulnerabilities are estimated as medium(+) because of low required user inter action.
 
1.2
The security risk of the discovered non-persistent vulnerabilities are estimated as low because of high required user inter action.



#  0day.today [2018-01-02]  #