Barracuda SSL VPN 680Vx 2.3.3.193 Multiple Script Injection Vulnerabilities

2013-07-01T00:00:00
ID ZSL-2013-5147
Type zeroscience
Reporter Gjoko Krstic
Modified 2013-07-01T00:00:00

Description

Title: Barracuda SSL VPN 680Vx 2.3.3.193 Multiple Script Injection Vulnerabilities
Advisory ID: ZSL-2013-5147
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 01.07.2013

Summary

The Barracuda SSL VPN is a powerful plug-and-play appliance purpose-built to provide remote users with secure access to internal network resources.

Description

Barracuda SSL VPN suffers from multiple stored XSS vulnerabilities when parsing user input to several parameters via POST method. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user's browser session.

Vendor

Barracuda Networks, Inc. - <https://www.barracuda.com>

Affected Version

2.3.3.193, Model: V680

Tested On

Linux 2.4.x, Jetty Web Server

Vendor Status

[05.03.2013] Vulnerabilities discovered.
[16.03.2013] Contact with the vendor.
[17.03.2013] Vendor replies.
[19.03.2013] Working with the vendor.
[28.03.2013] Vendor confirms issues, track BNSEC-1239.
[15.04.2013] Asked vendor for status update.
[17.04.2013] Vendor replies.
[18.04.2013] Confirming that the issues are still present on the demo test sites. (v2.3.3.193)
[07.05.2013] Vendor informs that the version 2.3.3.216 since 13.03.2013 is patched from these issues.
[08.05.2013] Coordinating with the vendor.
[08.06.2013] Vendor confirms that as of firmware version 2.3.3.216 the issues have been resolved.
[01.07.2013] Coordinated public security advisory released.

PoC

barracuda_sslvpn_xss.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] http://updates.cudasvc.com/cgi-bin/view_release_notes.cgi?type=bvsware&version=2.3.3.216
[2] <http://barracudalabs.com/?page_id=3456>
[3] <http://barracudalabs.com/?page_id=3458>
[4] <http://www.exploit-db.com/exploits/26527/>
[5] <http://cxsecurity.com/issue/WLB-2013070014>
[6] <http://1337day.com/exploit/20959>
[7] <http://packetstormsecurity.com/files/122245>
[8] <http://www.osvdb.org/show/osvdb/94727>
[9] <http://www.osvdb.org/show/osvdb/94728>
[10] <http://www.osvdb.org/show/osvdb/94729>
[11] <http://www.osvdb.org/show/osvdb/94730>
[12] <http://www.osvdb.org/show/osvdb/94731>
[13] <http://secunia.com/advisories/53982/>
[14] <http://www.securityfocus.com/bid/60906>
[15] <http://xforce.iss.net/xforce/xfdb/85419>
[16] <http://securitytracker.com/id/1028736>
[17] <http://www.scip.ch/en/?vuldb.9310>
[18] <http://www.scip.ch/en/?vuldb.9311>
[19] <http://www.scip.ch/en/?vuldb.9312>
[20] <http://www.scip.ch/en/?vuldb.9313>
[21] <http://www.scip.ch/en/?vuldb.9314>
[22] <http://www.securiteam.com/securitynews/6M0372A8KA.html>
[23] <http://www.securiteam.com/securitynews/6J037158UM.html>

Changelog

[01.07.2013] - Initial release
[02.07.2013] - Added reference [4], [5], [6], [7], [8], [9], [10], [11] and [12]
[03.07.2013] - Added reference [13] and [14]
[07.07.2013] - Added reference [15] and [16]
[19.07.2013] - Added reference [17], [18], [19], [20] and [21]
[31.10.2013] - Added reference [22]
[15.11.2013] - Added reference [23]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            &lt;html&gt;&lt;head&gt;&lt;title&gt;403 Nothing to see.&lt;/title&gt;
&lt;link rel="Shortcut Icon" href="favicon.ico" type="image/x-icon"&gt;
&lt;style type="text/css"&gt;
&lt;!--
body {
	background-color: #000;
}
body,td,th {
	font-family: Verdana, Geneva, sans-serif;
}
a:link {
	color: #008FEF;
	text-decoration: none;
}
a:visited {
	color: #008FEF;
	text-decoration: none;
}
a:hover {
	text-decoration: underline;
	color: #666;
}
a:active {
	text-decoration: none;
}
--&gt;
&lt;/style&gt;
&lt;/head&gt;
&lt;body bgcolor=black&gt;
&lt;center&gt;
&lt;font color="#7E88A3" size="2"&gt;
&lt;br /&gt;&lt;br /&gt;
&lt;h1&gt;403 Nothing to see.&lt;/h1&gt;

You do not have the powah for this request /403.shtml&lt;br /&gt;&lt;br /&gt;
&lt;font size="2"&gt;&lt;a href="https://www.zeroscience.mk"&gt;https://www.zeroscience.mk&lt;/a&gt;&lt;/font&gt;
&lt;/font&gt;&lt;/center&gt;
&lt;/body&gt;&lt;/html&gt;