[NEWS] Barracuda Spam Firewall Arbitrary File Disclosure



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Barracuda Spam Firewall Arbitrary File Disclosure
------------------------------------------------------------------------


SUMMARY

<http://www.barracudanetworks.com> Barracuda Spam Firewalls are
vulnerable to arbitrary file disclosure due to improper parameter
sanitation.

DETAILS

Vulnerable Systems:
* Barracuda Spam Firewalls from version 3.3.01.001 to 3.3.02.053

Immune Systems:
* Barracuda Spam Firewalls version 3.3.0.54

The Barracuda Spam Firewalls from version 3.3.01.001 to 3.3.02.053 are
vulnerable to arbitrary file disclosure via the preview_email.cgi script.

The /cgi-bin/preview_email.cgi script is designed to retrieve a message
from the local message database on the Barracuda Spam Firewall. However,
the "file" parameter which is passed via GET is not properly sanitized to
restrict the file retrieval to the message database directories. The
script looks for "/mail/mlog" in the file parameter but does not take into
account directory transversal arguments such as ".." The result is that
any file that is accessible to the web server user is accessible from the
web interface. The script does require a valid user to be logged in to
perform this attack, however using the "Barracuda Hardcoded Password
Vulnerability" (NNL-20060801-01) guest password vulnerability this
restriction can easily be overcome.

This particular problem is amplified by the fact that it is possible to
download the full configuration file for the barracuda. The configuration
file is periodically backed-up into the /tmp directory as
"/tmp/backup/periodic_config.txt.tmp"

Message confidentiality is compromised by the fact that an attacker who is
able to view the message log screen (which can be done via the guest
password vulnerability) can easily view any message on the system. The
message logs are stored as /mail/mlog/X/Y/email_address/msgID where X is
the first character of email_address, Y is the second character of
email_address, email_address is the recipient's email address and msgID is
the message ID assigned to the message in question. So for example if jon
AT smith DOT com received a message with messageID 1234, any user could
view the message by entering /mail/mlog/j/o/jon AT smith DOT com/1234

Proof of Concept:
https://<deviceIP>/cgi-bin/preview_email.cgi?
file=/mail/mlog/../tmp/backup/periodic_config.txt.tmp

Recommendations:
* Never allow your barracuda web interface to be accessible from untrusted
networks (especially the Internet)

* Upgrade to version 3.3.0.54 or later

Vendor Contact:
30 May 2006 - Initial Vendor Contact
24 June 2006 - Vendor replies with prospect of fix
17 July 2006 - NNL request status update, no reply
01 Aug 2006 - NNL releases vulnerability report, notifies vendor of
release


ADDITIONAL INFORMATION

The information has been provided by <mailto:gssincla@xxxxxxxxxxxxxxx>
Greg Sinclair.



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [NEWS] IP3 NetAccess Arbitrary File Disclosure
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... IP3 NetAccess Arbitrary File Disclosure ... An arbitrary file disclosure vulnerability in IP3 NetAccess leads to full ... all NetAccess devices with a firmware ...
    (Securiteam)
  • Barracuda Vulnerability: Arbitrary File Disclosure [NNL-20060801-02]
    ... Title: Barracuda Arbitrary File Disclosure ... The Barracuda Spam Firewalls from version 3.3.01.001 to 3.3.02.053 are vulnerable to arbitrary file disclosure via the preview_email.cgi script. ... 30 May 2006 - Initial Vendor Contact ... 17 July 2006 - NNL request status update, ...
    (Bugtraq)
  • [NEWS] SAP Internet Transaction Server Multiple Vulnerabilities
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... - Cross Site Scripting/Cookie Theft ... It might be possible that "~template" is an undocumented or forgotten ... Arbitrary file disclosure: ...
    (Securiteam)