Barracuda_Evil.txt
Posted Dec 30, 2004
Authored by Ben Lentz

Short white paper discussing some questionable circumstances surrounding the Barracuda Spam Firewall appliances.

tags | paper
MD5 | 22e306314aff01e51ae946c5cbdafa36

Barracuda Spam Firewall
This device, sold by Barracuda Networks, is an appliance meant to plug in and
begin filtering SPAM from your incoming SMTP. It features a decent web
interface and some nice features.

However, there are a few pretty major implications that anyone evaluating or
currently using one of these devices should be aware of:

1. I believe this device to be in violation of the GPL.
Under the hood, this appliance is an AMD-based Lintel box, running Mandrake
9.1. Among several other pieces of GPL software on the machine, Barracuda makes no
mention of the GPL nor does it provide source code on its site (Remember
Linksys?). Please correct me if I'm wrong. I'm no expert on the GPL, but I'm
pretty sure this is a no-no.

2. Barracuda Networks will not provide you with the passwords of any shell accounts
on the system, yet will maintain this account information internally.
I wouldn't trust everyone at Microsoft to have the only Administrator account
to my Exchange server, so why would I trust Barracuda Networks to have the
only root password to my SF Appliance? Your guess is as good as mine.

3. Although the remote administration interface (ssh) **can** be
disabled, it's enabled by default. They've left an iptables nat table in place that allows
one of their IP addresses to port forward SMTP (TCP25) to SSH (TCP22) (the
other IP nats SMTP to TCP8000, where your Web Interface lives). Anyone with
access to the host located at 205.158.110.61 can ssh to your Barracuda
Appliance at any time... nothing on your side has to initiate the connection if you've exposed
SMTP on the Internet for your MX (as is the recommended deployment method).

3a. Another feature, beneath Advanced, Troubleshooting, called Establish
Connection To Barracuda Central, makes a reverse SSH tunnel to
support01.barracudanetworks.com... from there, anyone at Barracuda Networks
can SSH back to your box, even if you have inbound SSH (or SMTP) firewalled off.
Because the appliance initiates the connection outbound, a typical SPI (stateful)
firewall will allow the traffic back in!

To learn more about this, notice that this "feature" is susceptible to DNS
poisoning... all you have to do is point the appliance at a DNS server that
will return the IP address of an SSH server under your control when it goes
to look up support01.barracudanetworks.com... you'll see the box
authenticate as redir@support01.barracudanetworks.com using a public key
printed in the web interface (stored in ~/.ssh/authorized_keys).

4. Anybody who knows anything about firewalling should be majorly pissed about this,
as the recommended deployment is to have TCP25 exposed to the Internet for the
purpose of MXing... little do folks know that by doing this, you leave your
web interface and ssh shells (for which you do not have the password) open to
Barracuda Networks, for access whenever they please (see #3).
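The exposure described in #3 and #4 comes down to nat rules that quietly map a public port onto a private service for one source address. As an added audit example (not part of the paper and not Barracuda's code), the script below parses nat rules in iptables-save / `iptables -t nat -S` syntax and reports every PREROUTING rule that rewrites an inbound destination port, with the source the rewrite is limited to. The rule set is constructed for illustration: 205.158.110.61 is the address named in the paper, while the second source address (198.51.100.7) and the exact rule syntax are assumptions, since the paper only says the rules exist.

```python
import shlex
from typing import Dict, List, Optional

# Constructed sample in iptables-save / `iptables -t nat -S` syntax (assumed;
# the appliance's real rules would have to be dumped from a shell on the box).
# 205.158.110.61 is the address named in the paper; 198.51.100.7 is a
# placeholder for the second, unnamed Barracuda address.
SAMPLE_NAT_RULES = """\
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -s 205.158.110.61/32 -p tcp -m tcp --dport 25 -j REDIRECT --to-ports 22
-A PREROUTING -s 198.51.100.7/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination :8000
-A POSTROUTING -o eth0 -j MASQUERADE
"""


def parse_rule(line: str) -> Optional[Dict[str, str]]:
    """Flatten one `-A` rule line into {option: value}; None for policies and other lines.

    A negated match (`! -s 10.0.0.0/8`) is stored under the key "!s" so a
    negation is never mistaken for a positive source restriction.
    """
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule: Dict[str, str] = {"chain": toks[1]}
    negate = False
    i = 2
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            negate = True
            i += 1
            continue
        key = ("!" if negate else "") + tok.lstrip("-")
        negate = False
        # An option consumes the next token as its value unless that token is
        # itself an option or a negation (`-j ACCEPT` takes "ACCEPT"; `--syn` takes nothing).
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if nxt is not None and not nxt.startswith("-") and nxt != "!":
            rule[key] = nxt
            i += 2
        else:
            rule[key] = ""
            i += 1
    return rule


def rewritten_port(rule: Dict[str, str]) -> Optional[str]:
    """Port a connection is sent to after NAT, or None if the rule leaves the port alone."""
    target = rule.get("j")
    if target == "REDIRECT":
        return rule.get("to-ports") or None
    if target == "DNAT":
        dest = rule.get("to-destination", "")
        if ":" in dest:
            return dest.rsplit(":", 1)[1]
    return None


def find_hidden_forwards(rules_text: str) -> List[Dict[str, str]]:
    """Report every inbound (PREROUTING) rule that maps one destination port onto another.

    Each finding records who the rewrite applies to ("any" if unrestricted),
    which public port is taken over and which internal service really answers.
    """
    findings: List[Dict[str, str]] = []
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["chain"] != "PREROUTING":
            continue
        to_port = rewritten_port(rule)
        from_port = rule.get("dport")
        if to_port is None or to_port == from_port:
            continue
        findings.append({
            "source": rule.get("s", "any"),
            "from_port": from_port or "any",
            "to_port": to_port,
            "target": rule["j"],
        })
    return findings


if __name__ == "__main__":
    for f in find_hidden_forwards(SAMPLE_NAT_RULES):
        print(f"{f['source']:>20} -> TCP {f['from_port']} is really TCP {f['to_port']} ({f['target']})")
```

Run against a real dump (`iptables-save -t nat`), any finding whose source is not one of your own management hosts is a service reachable through a port your perimeter thinks it understands; the paper's case is exactly a finding with source 205.158.110.61/32 and to_port 22.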

5. The appliance also sports a pair of nice features: Single Sign-on and
Exchange Accelerator. HOWEVER! If anyone at Barracuda Networks can shell into
your appliance at any time, there's nothing preventing them from pulling out
all your LDAP data and/or your entire Active Directory/Exchange LDAP. I don't
trust everyone who works at Barracuda Networks, do you? Just imagine your entire
Global Address List queried by some disgruntled employee and sold to a porn
advertiser (see #4).

6. After reviewing the Barracuda Networks forum, I've noticed that many people
are asking for some pretty basic features, like static-routes, FTP access, and
shell access. Currently the only way to get static-routes enabled is to have
support do it. FTP is currently a requested feature, but not available. And
support will not give out any shell account information.

As a sysadmin, I find myself conflicted by all this information. On one
hand, I like the appliance, and would recommend it for what it appears to do
well: filtering spam. The box uses a clever mix of perl, MySQL, spamassassin,
and apache to do its job. And while I'm all for seeing the furthering of
Linux-based solutions in the IT industry, I can't help but see several
major problems with the device that need to be made well-known.

The fact that I can't get root, the hiding of the internal workings, potential
violations of the GPL, and the creepiness of the level of access tech support
has to the box motivated me to hack it into fish sticks.

Buying this box feels like buying a car with a LINUX bumper sticker that has
the hood padlocked... and if I need the oil changed, there's only one shop in
the whole world that knows the combination. This is how Barracuda sells Instant
Replacement warranties.

I can only recommend that users and evaluators of the Barracuda Spam Firewall
not remain ignorant! Educate yourself about the inner workings. Anyone
concerned with any of these accusations needs to continue on and see for themselves.

TESTING THE PORT 25 "SHELL" NAT TABLE REDIRECTION
1. Change the IP of the Barracuda device to 205.158.110.1, with a netmask of
255.255.255.0
2. Connect the appliance (via ethernet) to another PC addressed at 205.158.110.61
3. From the 205.158.110.61 PC, ssh:
ssh admin@205.158.110.1 -p 25
4. Witness the prompt for an ssh (!) password, despite the fact you've
theoretically connected to the SMTP TCP port.

Now, to their credit, the "Enable Remote Support: No" option in the web
interface really does work: it firewalls off all local requests for the ssh
server. The problem is that none of this stuff is explained in any of the
documentation I've seen so far, and I think if this stuff were better known, there
would be cause for concern. Perhaps this is just all paranoia?

ACQUIRING A ROOT SHELL ON YOUR BARRACUDA DEVICE - WITHOUT OPENING THE CASE
Note: I was able to use the following well-known root password recovery method
for gaining a supposedly impossible root shell to the appliance. These
instructions are based on a Spam Firewall 300 device, so your mileage may
vary.

Because the default LILO timeout is "5" (meaning 5/10 of a second) you need to
have very quick and accurate fingers to do this. If you slip up and wait more
than half a second between key presses, LILO will time out and boot the default
instead of the string you want.

If you kicked ass at Mortal Kombat, you'll have no problem here. Everyone
else may need to reboot a few times to get it right.

1. Connect a VGA monitor and PS/2 keyboard to the appliance.
2. Reboot the unit with Ctrl+Alt+Delete.
3. Wait for first screen of BIOS tests to complete.
4. As soon as this screen disappears, start hitting Ctrl-Break repeatedly,
interrupting the LILO timeout.
5. Once the screen goes blank a second time (while the LILO GUI is rendered),
rapidly hit the up and down arrows, scrolling through the LILO GUI menu options.
6. You should be left with a pretty Mandrake 9 LILO GUI, with your fingers
rapidly keeping the stupid thing from timing out.
7. Continue to repeatedly hit the up and down arrows until you are prepared for
the next key sequence.
8. Quickly! Hit escape, clearing the LILO GUI, and returning you to the text
LILO: prompt... the screen will go black momentarily, while the LILO GUI is
cleared. Don't wait for the prompt to appear, immediately type
"linux init=/bin/bash" and hit enter. In short, the sequence would be:
ESC - linux init=/bin/bash - ENTER
9. The system will load the kernel and boot directly into a root shell.
10. Remount the root file system read-write with: mount -o remount,rw /
Now that you have a shell, you can open the system in a variety of ways. For
starters, "passwd root". (Consider backing up /etc/shadow first, though)

Barracuda has made a mistake in not password-protecting LILO; the 5/10 of a
second timeout is no real protection. They may close this hole in the future, so be
wary of any future "firmware" updates.
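The fix the paper points at is a LILO password. As an added check, not part of the paper and not Barracuda's configuration, the script below parses a lilo.conf and reports every boot entry that can take arbitrary kernel parameters without one. Both configurations are constructed samples with a placeholder password: WEAK mirrors what the paper describes (a visible prompt, a 5/10 second timeout, no password), HARDENED adds global `password=` plus `restricted`, which lets the box still boot unattended but makes LILO demand the password as soon as anything such as init=/bin/bash is appended at the prompt.

```python
from typing import Dict, List, Tuple

# Constructed lilo.conf samples; the appliance's real file is not on the page.
WEAK_LILO_CONF = """\
boot=/dev/hda
prompt
timeout=5
default=linux
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
"""

HARDENED_LILO_CONF = """\
boot=/dev/hda
prompt
timeout=5
default=linux
password=PLACEHOLDER_BOOT_PASSWORD
restricted
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
"""


def parse_lilo_conf(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Split lilo.conf into the global section and one dict per image=/other= stanza."""
    global_opts: Dict[str, str] = {}
    images: List[Dict[str, str]] = []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and indentation
        if not line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in ("image", "other"):                # a new stanza starts here
            current = {key: value}
            images.append(current)
            continue
        current[key] = value                         # bare keywords (prompt, restricted) store ""
    return global_opts, images


def audit_lilo_conf(text: str) -> List[str]:
    """Return findings; an empty list means every boot entry is password-protected."""
    g, images = parse_lilo_conf(text)
    findings: List[str] = []
    if "restricted" in g and "password" not in g:
        findings.append("global 'restricted' without 'password' has no effect")
    if "prompt" in g and "timeout" not in g:
        findings.append("'prompt' with no 'timeout': LILO waits at the prompt indefinitely")
    for img in images:
        label = img.get("label") or img.get("image") or img.get("other", "?")
        # A per-image password overrides the global one; either protects the entry.
        if "password" not in img and "password" not in g:
            findings.append(
                f"entry '{label}': no password, so the prompt accepts arbitrary "
                f"kernel parameters (e.g. init=/bin/bash)"
            )
    return findings


if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK_LILO_CONF), ("HARDENED", HARDENED_LILO_CONF)):
        print(name, audit_lilo_conf(conf) or "no findings")
```

After changing lilo.conf the boot sector has to be rewritten with `/sbin/lilo`, and because the password sits in the file in clear text it should be readable by root only (`chmod 600 /etc/lilo.conf`). None of this helps once someone has the case open and can pull the disk, which is why the paper's "without opening the case" qualifier matters.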

With a root shell, you are free to rid the system of creepy iptables nat
firewall forwarding, unknown shell passwords, etc. Install FTP! Manage your OWN
static-routes! Promote knowledge sharing, open source, and open standards!
Customize their software inside
/home/emailswitch/code/firmware/current/web/cgi-bin ! It's your box, you paid
for it, do with it what you will.

When I started working with the Barracuda evaluation unit, at no point was I ever
presented with any EULA, paper, electronic or otherwise, forbidding the
use/misuse of the device in the manner described here. Much like modding
XBoxes, they may try to find a way to determine that this is somehow illegal.
At this time, I have not seen anything forbidding any of the activities
explained here.

Use this information at your own risk. It is meant for learning and exploring
how the device works - and doesn't - (see "Hacker") and not for the
purpose of destroying, pirating, or otherwise abusing (see "Cracker") the
company or its products.
