[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: Barracuda Networks Backup Appliance Application - Persistent Web Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2014-02-26 23:23:42
Message-ID: 530E777E.3020202 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
Barracuda Networks Backup Appliance Application - Persistent Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=784
BARRACUDA NETWORK SECURITY ID: BNSEC-885
Release Date:
=============
2014-02-26
Vulnerability Laboratory ID (VL-ID):
====================================
784
Common Vulnerability Scoring System:
====================================
3.5
Product & Service Introduction:
===============================
Barracuda Backup Service is a complete and affordable data backup solution. The \
Barracuda Backup Server provides a full local data backup and is combined with a \
storage subscription to replicate data to two offsite locations. This approach \
provides the best of both worlds - onsite backups for fast restore times and secure, \
offsite storage for disaster recovery. Block level deduplication is applied inline \
to reduce traditional backup storage requirements by 20 to 50 times while also \
reducing backup windows and bandwidth requirements. Cloud Storage with Deduplication
Barracuda Backup Subscription plans provide diverse offsite storage at affordable \
monthly fees that scale to meet increasing data requirements.
* Secure backup to two geo-separate data centers
* Deduplicated efficient backup storage
* Redundant disk-based storage
* Best-of-breed data retention policies
* Web interface multi-location management
* Restore by Web, FTP and Windows software
(Copy of the Vendor Homepage: \
http://www.barracudanetworks.com/ns/products/backup_overview.php)
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent web vulnerability \
in the official Barracuda Networks Backup appliance web-application.
Vulnerability Disclosure Timeline:
==================================
2013-12-02: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-12-04: Vendor Notification (Barracuda Networks Security Team)
2013-12-08: Vendor Response/Feedback (Barracuda Networks Security Team)
2014-02-17: Vendor Fix/Patch (Barracuda Networks Developer Team)
2014-02-26: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A persistent web vulnerability has been discovered in the official Barracuda Networks \
Backup appliance web-application. The bugs allows remote attackers to inject own \
malicious script code on the application side (persistent) of the service.
The persistent vulnerability is located in the `remote_host` value of the `Extern \
Backup` module. Remote attackers are able to inject via POST method request own \
malcious script codes as remote_host. The result is the persistent (application-side) \
execution out in the vulnerable remote_host list module. The attack vector is \
persistent on the application-side and the request method to inject is POST. The \
security risk of the persistent input validation web vulnerability is estimated as \
medium with a cvss (common vulnerability scoring system) count of 3.5(+)|(-)3.6.
Exploitation of the persistent web vulnerability requires low user interaction and a \
low privileged web-application appliance user account. Successful exploitation of \
the vulnerability results in persistent session hijacking (admin/auditor), persistent \
phishing (application-side), persistent external redirect and persistent \
manipulation of affected or connected vulnerable modules.
Request Method(s):
[+] POST
Vulnerable Section(s):
[+] Jetz Sichern
Vulnerable Module(s):
[+] Extern Backup > Ziel hinzufügen (Add Target) - Listing
Vulnerable Parameter(s):
[+] remote_host (Exception-Handling) - Error (Invalid)
Proof of Concept (PoC):
=======================
The persistent input validation vulnerability can be exploited by remote attacker \
with low privileged application user account and low required user interaction. For \
demonstration or reproduce ...
Review: Jetz Sichern > Extern Backup > Ziel hinzufügen > [remote_host] > Listing
<div class="fieldGroupInfo">You can optionally choose a Backup Server from your \
account to load the required info automatically, or enter it manually.</div>
<div class="fieldGroupError"></div>
</div>
<div class="replication_wrapper">
<div class="fieldGroup statusError"><label \
class="ultraform_label">Ziel-IP-Adresse:</label> <span><div class="alba-placeholder" \
style="position: absolute; background: none repeat scroll 0% 0% \
transparent;
border-color: transparent; border-style: solid; height: 17px; width: 241px; padding: \
2px 3px; font-size: 13px; font-family: Arial,'Liberation Sans',FreeSans,sans-serif; \
font-weight: 400; font-style: normal; letter-spacing: normal; \
line-height: 16px;
text-align: start; text-decoration: none; border-width: 1px; vertical-align: middle; \
cursor: text; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; \
-moz-user-select: none; color: rgba(0, 0, 0, 0.35); top: 79px; left: 268px; display: \
none;"> Ziel-Hostname oder IP-Adresse</div><input _placeholder="Ziel-Hostname oder \
IP-Adresse" size="35" name="remote_host" value="">"<iframe \
src=a>%20%20%20%20"><[PERSISTENT INJECTED SCRIPT CODE!];) <" content_source="" \
id="remote_host" type="text"> </span><span class="fieldGroupStatus"> </span>
<div class="fieldGroupInfo">Geben Sie die IP-Adresse oder den Hostnamen des \
Ziel-Backup-Servers ein. Die Adresse muss von diesem Backup Server aus erreichbar \
sein. Alternative Portnummern können angegeben werden. Beispiel: \
192.168.1.2:5001</div> <div class="fieldGroupError">Sie haben keine Erlaubnis zum \
Hinzufügen oder Editieren von Ziel-Backup-Servern.</div> </div>
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure encode and parse of the remote_host \
value in the `Extern Backup` module of the `Ziel hinzufügen` function. Restrict the \
remote_host input fields and filter the POST method request after the regular mask \
validation to prevent script code injection attacks.
Security Risk:
==============
The security risk of the persistent web vulnerability is estimated as medium because \
of the location in the remote_host exception-handling.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri \
(bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including \
the warranties of merchantability and capability for a particular purpose. \
Vulnerability- Lab or its suppliers are not liable in any case of damage, including \
direct, indirect, incidental, consequential loss of business profits or special \
damages, even if Vulnerability-Lab or its suppliers have been advised of the \
possibility of such damages. Some states do not allow the exclusion or limitation of \
liability for consequential or incidental damages so the foregoing limitation may \
not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - \
www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - \
admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - \
magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - \
vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically \
redistribute this alert in its unmodified form is granted. All other rights, \
including the use of other media, are reserved by Vulnerability-Lab Research Team or \
its suppliers. All pictures, texts, advisories, source code, videos and other \
information on this website is trademark of vulnerability-lab team & the specific \
authors or managers. To record, list (feed), modify, use or edit our material \
contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a \
permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic