'[Full-disclosure] Barracuda SSL VPN 680 2.2.2.203 - Redirect Vulnerability'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-disclosure] Barracuda SSL VPN 680 2.2.2.203 - Redirect Vulnerability
From:       Vulnerability Lab <research () vulnerability-lab ! com>
Date:       2013-05-29 19:59:31
Message-ID: 51A65E23.4000306 () vulnerability-lab ! com
[Download RAW message or body]

Title:
======
Barracuda SSL VPN 680 2.2.2.203 - Redirect Vulnerability


Date:
=====
2013-05-25


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=755

Barracuda Networks Security ID (BNSEC): 727


VL-ID:
=====
755


Common Vulnerability Scoring System:
====================================
1.3


Introduction:
=============
The Barracuda SSL VPN is an integrated hardware and software solution enabling secure, \
clientless remote  access to internal network resources from any Web browser. Designed for \
remote employees and road warriors,  the Barracuda SSL VPN provides comprehensive control over \
file systems and Web-based applications requiring  external access. The Barracuda SSL VPN \
integrates with third-party authentication mechanisms to control user  access levels and \
provides single sign-on. 

Barracuda SSL VPN 	

    * Enables access to corporate intranets, file systems or other Web-based applications
    * Tracks resource access through auditing and reporting facilities
    * Scans uploaded files for viruses and malware
    * Leverages multi-factor, layered authentication mechanisms, including RSA SecurID and \
                VASCO tokens
    * Integrates with existing Active Directory and LDAP directories
    * Utilizes policies for granular access control framework
    * Supports any Web browser on PC or Mac

(Copy of the Vendor Homepage: http://www.barracudanetworks.com/ns/products/sslvpn.php)


Abstract:
=========
The Vulnerability Laboratory Research Team discovered a redirect vulnerability in the official \
Barracuda Networks SSL VPN 680 v2.2.2.203.


Report-Timeline:
================
2012-11-11:	Researcher Notification & Coordination (Benjamin Kunz Mejri)
2012-11-12:	Vendor Notification (Barracuda Networks - Security Incident Team)
2012-11-19:	Vendor Response/Feedback (Barracuda Networks - Dave Farrow)
2013-03-07:	Vendor Fix/Patch - (Update to version 2.3.3.193)
2012-05-27:	Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
Barracuda Networks
Product: SSL VPN 680 2.2.2.203


Exploitation-Technique:
=======================
Remote


Severity:
=========
Low


Details:
========
A remote redirection (external) vulnerability is detected in the Barracuda SSL VPN 680 \
v2.2.2.203 (Vx) Web Application Appliance. The bug allows remote attackers to prepare links to \
client side external redirects with malware, phishing websites or malicious  web context. 

The vulnerability is located in the resourceId parameter request when processing to load an \
internal returnTo file redirect.

The vulnerability can be exploited by remote attackers without privilege application user \
account and with low user interaction. Successful exploitation of the vulnerability result in \
an unauthorized client side redirect to malicious external websites or servers. 

Vulnerable Module(s):
				[+] launchApplication.do [resourceId]

Vulnerable Parameter(s):
				[+] returnTo


Proof of Concept:
=================
The vulnerability can be exploited by remote attacker without privileged application user \
account but with medium or high required user inter action. For demonstration or reproduce ...

1.1
The first url shows the standard request via GET request
https://sslvpn.127.0.0.1:8080/launchApplication.do?resourceId=1&policy=1&returnTo=%2FshowApplicationShortcuts.do


1.2
The secound url shows the manipulated remote context via GET request
https://sslvpn.127.0.0.1:8080/launchApplication.do?resourceId=1&policy=1&returnTo=http://www.vulnerability-lab.com


https://sslvpn.[SERVER]/[FILE].do?[RES+ID]=x&[POLICY]=x&returnTo=[EXTERNAL TARGET]


Solution:
=========
The vulnerability can be patched by allowing only local file requests when processing to load \
the vulnerable returnTo parameter via GET.

2013-03-07:	Vendor Fix/Patch - 2.3.3.193


Risk:
=====
The security risk of the redirection vulnerability is estimated as low(+).


Credits:
========
Vulnerability Laboratory [Research Team]  -    Chokri Ben Achour \
(meister@vulnerability-lab.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability-Lab disclaims all warranties,  either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or \
its suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business  profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some  states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation  may not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases  or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - \
                www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - \
                research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - \
                news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - \
                youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - \
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory.  Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other  media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and  other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list (feed),  modify, use \
or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to \
get a permission.

    				   	Copyright © 2013 | Vulnerability Laboratory




-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic