List: full-disclosure
Subject: [FD] Barracuda Networks Firewall 6.1.2 #36 - Filter Bypass & Exception Handling Vulnerability + PoC
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2014-07-24 13:34:06
Message-ID: 53D10B4E.5090207 () vulnerability-lab ! com
Document Title:
===============
Barracuda Networks Firewall 6.1.2 #36 - Filter Bypass & Exception Handling Vulnerability + PoC Video
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1102
Barracuda Networks Security ID (BNSEC): BNSEC-2398
https://www.barracuda.com/support/knowledgebase/501600000013m1P
Video: http://www.vulnerability-lab.com/get_content.php?id=1210
Vulnerability Magazine: http://vulnerability-db.com/magazine/articles/2014/07/23/barracuda-networks-patched-bnsec-2398-bulletin-firewall-appliance-application
View Video: http://www.youtube.com/watch?v=-cTO7ork6Hg
Solution #00006613
BNSEC-02398: Authenticated non- & persistent validation vulnerability in Barracuda Firewall v6.1.2
Release Date:
=============
2014-07-23
Vulnerability Laboratory ID (VL-ID):
====================================
1102
Common Vulnerability Scoring System:
====================================
5.7
Product & Service Introduction:
===============================
The Barracuda Firewall goes beyond traditional network firewalls and UTMs by providing powerful network security, granular layer 7 application controls, user awareness and secure VPN connectivity combined with cloud-based malware protection, content filtering and reporting. It alleviates the performance bottlenecks in Unified Threat Management (UTM) appliances through intelligent integration of on-premise and cloud-based technologies. While the powerful on-premises appliance is optimized for tasks like packet forwarding and routing, Intrusion Prevention (IPS), DNS/DHCP services and site-to-site connectivity, CPU-intensive tasks like virus scanning, content filtering and usage reporting benefit from the scalable performance and elasticity of the cloud.
(Copy of the Vendor Homepage: https://www.barracuda.com/products/firewall )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Team discovered a filter bypass and a persistent vulnerability in Barracuda Networks Firewall Appliance v6.1.0.016 Application.
Vulnerability Disclosure Timeline:
==================================
2013-09-26: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-09-27: Vendor Notification (Barracuda Networks Security Team - Bug Bounty Program)
2013-09-30: Vendor Response/Feedback (Barracuda Networks Security Team - Bug Bounty Program)
2014-06-30: Vendor Fix/Patch (Barracuda Networks Developer Team) [Coordination: Dave Farrow]
2014-07-23: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Barracuda Networks
Product: Firewall Appliance Web-Application 6.1.0.016 - x100 x200 x300 x400 x500 x600 & Vx
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
An input validation web vulnerability has been detected in the official Barracuda Networks Firewall Appliance Web-Application. The vulnerability allows a remote attacker to inject their own malicious persistent script code (application-side).
The vulnerability is located in the `VPN > Certificates` module: manipulated `cert_error` values, submitted via POST and then carried into the GET request, are processed by the secure appliance application's exception handling. The script code executes in the main header at the top of the error message (exception handling). The issue has both a persistent and a non-persistent attack vector, because the values can be exploited in the regular service GET request through the referer on the client side. The second technique is to inject via a POST request that provokes an error (exception) with specifically manipulated content.
The attacker moves to the certificates area and, even in restricted mode, uploads two PEM certificates. He tampers with the request, exchanging the upload path while also supplying an invalid value for the name. The application responds via GET and displays an unknown error message in the module's exception handling. The attacker is able to change the referer and include his own code in the affected parameters. The result is client-side execution in the body context of the first exception message.
The links in the main website now change, on the application side, to the error link carrying the referer. The attacker is now able to click the link or request the URL to execute the code inside the exception-handling `contents` > error message, which gives the persistent attack vector.
The security risk of the persistent and non-persistent input validation vulnerability and filter bypass is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 5.7. Exploitation of the persistent web vulnerability requires low user interaction and a local, low-privileged (restricted) web-application account. Successful exploitation of the vulnerability results in application-side session hijacking (customers), account theft via persistent web attacks, persistent phishing, persistent external redirects and persistent manipulation of affected or connected module context.
Request Method(s):
[+] POST & GET
Vulnerable Module(s):
[+] VPN > Certificates
Vulnerable Parameter(s):
[+] cert_error (contents:error)
Affected Module(s):
[+] Exception Handling - Error Message
Proof of Concept (PoC):
=======================
The input validation vulnerability in the exception handling can be exploited by remote attackers with a low-privileged web-application user account and low user interaction. For a security demonstration, or to reproduce the vulnerability, follow the steps and information provided below.
1. You need to request the regular module ...
https://firewall.localhost:8080/cgi-bin/index.cgi?&et=1380384291&locale=en_US&encrypt_password=&user=guest&primary_tab=VPN&secondary_tab=certificates&
2. Provoke an error inside the regular protected exception handling via a PEM upload:
https://firewall.localhost:8080/cgi-bin/index.cgi?&et=1380384291&locale=en_US&encrypt_password=&user=guest&primary_tab=VPN&secondary_tab=certificates&cert_error=Unknown%20operation#key0
3. After the redirect to the error URL has happened, the attacker is able to change the exception input variable to execute his own code:
https://firewall.localhost:8080/cgi-bin/index.cgi?&et=1380384291&locale=en_US&encrypt_password=&user=guest&primary_tab=VPN&secondary_tab=certificates&cert_error=%3E%22%3Ciframe%20src=b%3E
PoC: Exception Handling - Error Message
<tr><td><table id="status_screen" class="status_screen"><tbody><tr><td><center><table class="status_module" cellpadding="0" cellspacing="0"><tbody><tr><td><div id="error"><b class="outlinetop"><b class="outline1"></b> <b class="outline2"></b><b class="outline3"></b><b class="outline4"></b></b><div id="contents">Error: >"<[MALICIOUS INJECTED SCRIPT CODE!])"><<br> </div><b class="outlinebottom"><b class="outline4"></b><b class="outline3"></b><b class="outline2"></b> <b class="outline1"></b></b></div></td></tr></table></center></td></tr></table></td></tr><tr style="background-color:#D9F5FF;"> <td class="config_screen" valign="top" height="400" width="100%" ><table summary="Body" border="0" width="100%" ><tr ><td> <table width=100% height=100% style="padding:2px" ><tr><td height=100%> <table cellspacing=0 cellpadding=0 class=outlined> <tr>
<td class='tl'></td>
<td class='tm'></td>
<td class='tr'></td>
</tr>
Reference(s):
../Barracuda Firewall Certificates - provoke unknown exception.htm
../Barracuda Firewall Certificates.htm
../dom1.txt
../poc.txt
../poc-session-log.txt
Picture(s):
../1.png
../2.png
../3.png
Solution - Fix & Patch:
=======================
The remote web vulnerability can be patched by securely parsing and encoding the error-message referer and the exception-handling message body context inside the firewall's certificate-error exception handling. Restrict the certificate error input, and also the certificate name value itself. Prepare a more secure invalid-context exception that does not redisplay the wrongly encoded VPN certificate inputs.
Barracuda Networks Appliance: Advanced > Firmware Updates Page
https://www.barracuda.com/support/knowledgebase/501600000013m1P
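To illustrate the fix described in this section, the following is an added Python example (not Barracuda's code) that extracts the cert_error value from the advisory's step 3 PoC URL, shows the vulnerable echo beside a hardened renderer that allowlists known messages and HTML-encodes the output, and validates the certificate name before it can be echoed back. The allowlist entries other than "Unknown operation", the generic message text and the name pattern are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# PoC GET request from the advisory (step 3), used here as sample input.
POC_URL = ("https://firewall.localhost:8080/cgi-bin/index.cgi?&et=1380384291"
           "&locale=en_US&encrypt_password=&user=guest&primary_tab=VPN"
           "&secondary_tab=certificates&cert_error=%3E%22%3Ciframe%20src=b%3E")

# Assumed allowlist of messages the certificate module may display; only
# "Unknown operation" is taken from the advisory, the others are made up.
KNOWN_CERT_ERRORS = {
    "Unknown operation",
    "Invalid certificate name",
    "Certificate upload failed",
}
GENERIC_ERROR = "The certificate request could not be processed"  # assumed text

# Assumed conservative pattern for certificate names, so an invalid name is
# rejected at upload time instead of being echoed back in an error later.
CERT_NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def cert_error_from_url(url: str) -> str:
    """Return the percent-decoded cert_error query value ('' if absent)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("cert_error", [""])[0]


def validate_cert_name(name: str) -> bool:
    """Accept only names that match the allowlist pattern in full."""
    return CERT_NAME_RE.fullmatch(name) is not None


def escape_error_text(value: str) -> str:
    """HTML-encode <, >, & and both quote characters."""
    return html.escape(value, quote=True)


def render_cert_error(cert_error: str) -> str:
    """Vulnerable pattern: the request value lands verbatim in the error div."""
    return f'<div id="contents">Error: {cert_error}<br> </div>'


def render_cert_error_fixed(cert_error: str) -> str:
    """Hardened pattern: unknown messages collapse to a generic one and the
    text is encoded, so nothing from the request can close the div context."""
    message = cert_error if cert_error in KNOWN_CERT_ERRORS else GENERIC_ERROR
    return f'<div id="contents">Error: {escape_error_text(message)}<br> </div>'
```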
Security Risk:
==============
The security risk of the persistent and non-persistent input validation web vulnerability with filter bypass is estimated as high because of its location in the secure application exception handling.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material, contact admin@vulnerability-lab.com or research@vulnerability-lab.com to get permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/