[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] Barracuda SSL VPN 680 2.2.2.203 - Redirect Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2013-05-29 19:59:31
Message-ID: 51A65E23.4000306 () vulnerability-lab ! com
[Download RAW message or body]
Title:
======
Barracuda SSL VPN 680 2.2.2.203 - Redirect Vulnerability
Date:
=====
2013-05-25
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=755
Barracuda Networks Security ID (BNSEC): 727
VL-ID:
=====
755
Common Vulnerability Scoring System:
====================================
1.3
Introduction:
=============
The Barracuda SSL VPN is an integrated hardware and software solution enabling secure, \
clientless remote access to internal network resources from any Web browser. Designed for \
remote employees and road warriors, the Barracuda SSL VPN provides comprehensive control over \
file systems and Web-based applications requiring external access. The Barracuda SSL VPN \
integrates with third-party authentication mechanisms to control user access levels and \
provides single sign-on.
Barracuda SSL VPN
* Enables access to corporate intranets, file systems or other Web-based applications
* Tracks resource access through auditing and reporting facilities
* Scans uploaded files for viruses and malware
* Leverages multi-factor, layered authentication mechanisms, including RSA SecurID and \
VASCO tokens
* Integrates with existing Active Directory and LDAP directories
* Utilizes policies for granular access control framework
* Supports any Web browser on PC or Mac
(Copy of the Vendor Homepage: http://www.barracudanetworks.com/ns/products/sslvpn.php)
Abstract:
=========
The Vulnerability Laboratory Research Team discovered a redirect vulnerability in the official \
Barracuda Networks SSL VPN 680 v2.2.2.203.
Report-Timeline:
================
2012-11-11: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2012-11-12: Vendor Notification (Barracuda Networks - Security Incident Team)
2012-11-19: Vendor Response/Feedback (Barracuda Networks - Dave Farrow)
2013-03-07: Vendor Fix/Patch - (Update to version 2.3.3.193)
2012-05-27: Public Disclosure (Vulnerability Laboratory)
Status:
========
Published
Affected Products:
==================
Barracuda Networks
Product: SSL VPN 680 2.2.2.203
Exploitation-Technique:
=======================
Remote
Severity:
=========
Low
Details:
========
A remote redirection (external) vulnerability is detected in the Barracuda SSL VPN 680 \
v2.2.2.203 (Vx) Web Application Appliance. The bug allows remote attackers to prepare links to \
client side external redirects with malware, phishing websites or malicious web context.
The vulnerability is located in the resourceId parameter request when processing to load an \
internal returnTo file redirect.
The vulnerability can be exploited by remote attackers without privilege application user \
account and with low user interaction. Successful exploitation of the vulnerability result in \
an unauthorized client side redirect to malicious external websites or servers.
Vulnerable Module(s):
[+] launchApplication.do [resourceId]
Vulnerable Parameter(s):
[+] returnTo
Proof of Concept:
=================
The vulnerability can be exploited by remote attacker without privileged application user \
account but with medium or high required user inter action. For demonstration or reproduce ...
1.1
The first url shows the standard request via GET request
https://sslvpn.127.0.0.1:8080/launchApplication.do?resourceId=1&policy=1&returnTo=%2FshowApplicationShortcuts.do
1.2
The secound url shows the manipulated remote context via GET request
https://sslvpn.127.0.0.1:8080/launchApplication.do?resourceId=1&policy=1&returnTo=http://www.vulnerability-lab.com
https://sslvpn.[SERVER]/[FILE].do?[RES+ID]=x&[POLICY]=x&returnTo=[EXTERNAL TARGET]
Solution:
=========
The vulnerability can be patched by allowing only local file requests when processing to load \
the vulnerable returnTo parameter via GET.
2013-03-07: Vendor Fix/Patch - 2.3.3.193
Risk:
=====
The security risk of the redirection vulnerability is estimated as low(+).
Credits:
========
Vulnerability Laboratory [Research Team] - Chokri Ben Achour \
(meister@vulnerability-lab.com)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability-Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or \
its suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - \
www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - \
research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - \
news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use \
or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to \
get a permission.
Copyright © 2013 | Vulnerability Laboratory
--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic