
Bugtraq mailing list archives
[SecuriWeb.2005.1] - Barracuda SPAM firewall advisory
From: Francois Harvey <fharvey () securiweb net>
Date: Wed, 31 Aug 2005 22:48:16 -0400
ID               : 2005.1
Product          : Barracuda Spam Firewall Appliance
Vendor           : Barracuda Networks
Affected product : firmware <= 3.1.17
Class            : Directory Traversal, Remote Execution, Password Retrieving
Remote           : yes
Local            : n/a
Author           : Francois Harvey <fharvey at securiweb dot net>
Published date   : 01/09/2005 (Initial vendor contact 2005-06-14)
CVE              : CVE-MAP-NOMATCH
Solution         : Install Firmware 3.1.18
Reference URL    : http://www.securiweb.net/wiki/Ressources/AvisDeSecurite/2005.1
Summary
=======

A remote "Directory Traversal" and "Remote Execution" vulnerability exists
in the Barracuda Spam Firewall appliance from Barracuda Networks
(barracudanetworks.com). In the script "/cgi-bin/img.pl", used to show
graphs, the value of the "f" (filename) parameter is not sanitized.

No authentication is required to exploit this remote vulnerability.
Other vulnerabilities exist in the advanced utilities section, but admin
privileges are needed.

Affected product
================

 * Tested on Barracuda Spam Firewall firmware v.3.1.16 / v.3.1.17

Note: on the Spyware edition img.pl is present but not executable.
Note: on firmware 3.3.* img.pl is img.cgi and the vulnerability is fixed.
Impact
======

 * Arbitrary file reading (as uid of the webserver)
 * Arbitrary file execution (as uid of the webserver)
 * Full reading of the system configuration
 * Audit of the Barracuda Spam Firewall

Description
===========

Vulnerability #1
----------------

As seen below, the img.pl script tries to unlink the file after reading
it. The webserver user (nobody) should not have many delete permissions,
but you have been warned.

In the /cgi-bin/img.pl script:

    # the "f" parameter is appended to the path without any check
    my $file_img = "/tmp/" . CGI::param('f');
    # two-argument open(): the file name can also select a mode or a pipe
    open (IMG, $file_img) or die "Could not open image because: $!\n";
    ...
    unlink ($file_img);

The "magic" Perl open function can also be used to execute commands. If
the string ends with "|", the script will execute the command and pipe
its output to the IMG file descriptor.

File retrieval   : f=../etc/passwd
Remote execution : f=../bin/ls|

This vulnerability can be used to extract the admin password (see proof
of concept).
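For comparison, a hardened form of that open, written here as an added example and not taken from the Barracuda firmware: the file name is whitelisted, pinned to the image directory, refused if it is a symlink, and opened with three-argument open() so a trailing "|" can no longer turn the name into a command. The "/tmp" directory and the sub names are assumptions.

```perl
#!/usr/bin/perl
# Added example, not Barracuda's code: a hardened way to open the graph
# file that img.pl serves. The original concatenates the unchecked "f"
# parameter onto "/tmp/" and passes it to two-argument open(), so "../"
# escapes the directory and a trailing "|" runs a command. Here the name
# is whitelisted, pinned to the image directory, checked for symlinks,
# and opened with an explicit "<" mode.
use strict;
use warnings;
use File::Spec;

my $IMG_DIR = '/tmp';   # directory img.pl reads graphs from (per advisory)

# Return the validated path inside $IMG_DIR, or undef if the name is unsafe.
sub safe_image_path {
    my ($name) = @_;
    return undef unless defined $name && length $name;
    # Plain file names only: no "/", no "|", no NUL, no leading dot.
    return undef unless $name =~ /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/;
    # Belt and braces: never accept a ".." component even in a bare name.
    return undef if index($name, '..') >= 0;
    my $path = File::Spec->catfile($IMG_DIR, $name);
    # A symlink in /tmp could still point outside the directory.
    return undef if -l $path;
    return $path;
}

# Read the image, or return undef when the request is rejected or unreadable.
sub read_image {
    my ($name) = @_;
    my $path = safe_image_path($name);
    return undef unless defined $path;
    # Three-argument open: the mode is fixed, so the name is never a pipe.
    open(my $img, '<', $path) or return undef;
    binmode $img;
    local $/;
    my $data = <$img>;
    close $img;
    return $data;
}

# Demonstration with the advisory's two payloads and one benign name.
unless (caller) {
    for my $f ('graph1.png', '../etc/passwd', '../bin/ls|') {
        printf "%-16s -> %s\n", $f,
            defined safe_image_path($f) ? 'accepted' : 'rejected';
    }
}
```

Only the benign name passes the whitelist; both advisory payloads are rejected before any filesystem call is made.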
Vulnerability #2
----------------

In the utility section, it's possible to call some processes to
troubleshoot the Barracuda. In the command list we can use dig and
tcpdump (/cgi-bin/dig_device.cgi and /cgi-bin/tcpdump_device.cgi). The
input string is validated against a list of valid characters, but both
dig and tcpdump allow filesystem operations through standard parameters.

Dig:
    -f  The -f option makes dig operate in batch mode by reading a list
        of lookup requests to process from the file filename.

Tcpdump:
    -r  Read packets from file (which was created with the -w option).
        Standard input is used if file is ``-''.
    -w  Write the raw packets to file rather than parsing and printing
        them out. They can later be printed with the -r option.
        Standard output is used if file is ``-''.

As the use of some characters is prohibited, we can only interact with
the current directory.

Using -f <some_file_in_the_cgi-bin_directory> in the dig edit box allows
partial reading of source code (grep for "DiG" to reconstruct the code).
Using -r in the tcpdump edit box only allows reading of a valid pcap
file, but it tells us whether a file exists.
Using -w in the tcpdump edit box should overwrite files in the cgi-bin
directory (not tested).
Proof of concept
================

http://<BarracudaHost>:8000/cgi-bin/img.pl?f=../home/emailswitch/code/config/current.conf

 * The config is in /home/emailswitch/code/config/current.conf
 * The config key for the password is system_password
 * The password is in clear text (!!)
 * The IP ACL for admin authentication is in the config keys
   httpd_acl_ip_admin_address / httpd_acl_ip_admin_netmask
 * It's possible to deactivate the IP ACL for ~5 minutes (hint: look
   for the shell used by the user sa)
Solution
========

Firmware update 3.1.18 fixes this issue.

Author
======

Francois Harvey <fharvey at securiweb dot net>
Security Analyst
SecuriWeb inc.
www.securiweb.net

History
=======

2005-06-14 : Initial vendor contact
2005-06-14 : Initial feedback from Barracuda Networks
2005-07-*  : Firmware 3.1.18 resolved this issue
2005-08-17 : Confirmation to disclose the vulnerability
2005-09-01 : Public disclosure
