

Posted Sep 5, 2005
Authored by Francois Harvey | Site securiweb.net

The Barracuda Spam Firewall Appliance firmware versions 3.1.17 and below suffer from directory traversal, remote command execution, and password retrieval vulnerabilities.

tags | exploit, remote, vulnerability
SHA-256 | 42ec53e2eb500afc8a902f37140fda794ff5018657eb32d4ce443924ae4d2560


ID : 2005.1
Product : Barracuda Spam Firewall Appliance
Vendor : Barracuda Networks
Affected product : firmware <= 3.1.17
Class : Directory Traversal, Remote Execution, Password
Remote : yes
local : na
Author : Francois Harvey <fharvey at securiweb dot net>
Published date : 01/09/2005 (Initial Vendor contact 2005-06-14)
Solution : Install Firmware 3.1.18
Reference URL :


Remote "Directory Traversal" and "Remote Execution" vulnerabilities
exist in the Barracuda Spam Firewall appliance from Barracuda Networks
(barracudanetworks.com). In the script "/cgi-bin/img.pl", used to display
graphs, the value of the "f" (filename) parameter is not sanitized.

No authentication is required to exploit this remote vulnerability.

Other vulnerabilities exist in the advanced utilities section, but admin
privileges are needed.

Affected product

* Tested on Barracuda Spam Firewall firmware v.3.1.16 / v.3.1.17

Note: on the spyware edition img.pl is present but not executable
Note: on firmware 3.3.* the img.pl is img.cgi and they fixed the

* Arbitrary file reading (as uid of the webserver)
* Arbitrary file execution (as uid of the webserver)
* Full reading of the system configuration
* Audit of the Barracuda Spam firewall

Vulnerability #1

As seen below, the img.pl script tries to unlink the file after reading it.
The webserver user (nobody) should not have many delete permissions,
but you have been warned.

In the /cgi-bin/img.pl script:

my $file_img="/tmp/".CGI::param('f');
open (IMG, $file_img) or die "Could not open image because: $!\n";
unlink ($file_img);

The "magic" Perl open function can also be used to execute commands. If
the string ends with |, the script will execute the command and pipe the
output to the IMG filehandle.

File retrieval :

remote execution :

This vulnerability can be used to extract the admin password (see proof
of concept)
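
A hardened handling of the "f" parameter, as an added example that is not part of the original advisory and not Barracuda's actual fix. The function names, the allowlist pattern and the sample inputs are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: validate the image name, then use three-argument open.
use strict;
use warnings;

my $IMG_DIR = '/tmp';    # same base directory as the advisory's snippet

# Return an absolute path for an acceptable image name, or undef if rejected.
# (safe_image_path is a hypothetical helper, not a name from the appliance.)
sub safe_image_path {
    my ($name) = @_;
    return undef unless defined $name;
    # Allowlist: a single path component. "/", "|", "<", ">", whitespace and
    # NUL never match; \z (not $) also refuses a trailing newline.
    return undef unless $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/;
    return undef if $name =~ /\.\./;    # no parent-directory sequences
    return "$IMG_DIR/$name";
}

# Open read-only. With three-argument open the mode is fixed to "<", so Perl
# never interprets characters in the name as a pipe or redirection.
sub open_image {
    my ($name) = @_;
    my $path = safe_image_path($name) or return;
    open(my $fh, '<', $path) or return;
    binmode $fh;
    return $fh;
}

# Constructed sample inputs (not taken from the advisory).
for my $f ('graph_01.png', '../etc/passwd', 'graph.png|', '/etc/passwd', '') {
    my $verdict = defined safe_image_path($f) ? 'accepted' : 'rejected';
    printf "%-16s %s\n", "'$f'", $verdict;
}
```

Either control alone closes only part of the problem: the allowlist stops traversal, and the three-argument form stops the filename from being interpreted as a command.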

Vulnerability #2

In the utility section, it's possible to call some processes to
troubleshoot the Barracuda. In the command list we can use Dig and
Tcpdump ( /cgi-bin/dig_device.cgi and /cgi-bin/tcpdump_device.cgi). The
input string is validated against a list of valid characters, but both dig
and tcpdump allow filesystem operations through standard parameters.

Dig :

The -f option makes dig operate in batch mode by reading a list of
lookup requests to process from the file filename.

Tcpdump :

-r Read packets from file (which was created with the -w option).
Standard input is used if file is ``-''.
-w Write the raw packets to file rather than parsing and printing
them out. They can later be printed with the -r option.
Standard output is used if file is ``-''.

As the use of some characters is prohibited, we can only interact with
the current directory.

Using -f <some_file_in_the_cgi-bin-directory> in the dig edit box allows
partial reading of source code. (grep DiG to reconstruct the code)

Using -r in the tcpdump edit box only allows reading a valid pcap file,
but we can learn whether a file exists.

Using -w in the tcpdump edit box should overwrite a file in the cgi-bin
directory. (not tested)
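
Why a character allowlist does not stop option injection in the dig form, and a structural check that does, as an added example that is not part of the original advisory or the appliance's code. The character filter below is a stand-in (the appliance's real list is not given in the advisory), and all function names and sample inputs are assumptions.

```perl
#!/usr/bin/perl
# Added example: character filter versus structural validation of a dig target.
use strict;
use warnings;

# Stand-in for a character-only filter (hypothetical; the real list is unknown).
sub chars_only_ok {
    my ($in) = @_;
    return $in =~ /\A[A-Za-z0-9._ -]+\z/ ? 1 : 0;
}

# Structural check: the whole value must be one DNS name. Every label starts
# and ends with an alphanumeric, so the value can never begin with "-" and
# can never contain a space that splits it into an option plus its argument.
sub is_hostname {
    my ($in) = @_;
    return 0 unless defined $in && length($in) <= 253;
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    return $in =~ /\A$label(?:\.$label)*\z/ ? 1 : 0;
}

# Build the argument list for dig. The caller would run it with list-form
# system(@argv), so no shell is involved and the value stays one argument.
sub dig_argv {
    my ($in) = @_;
    return unless is_hostname($in);
    return ('dig', '+short', $in);
}

# Constructed sample inputs.
for my $in ('mail.example.com', '-f somefile', '-w out') {
    printf "%-18s chars_only=%d hostname=%d argv=[%s]\n",
        "'$in'", chars_only_ok($in), is_hostname($in),
        join(' ', dig_argv($in));
}
```

The two option-style inputs pass the character filter but fail the hostname check, so no argument list is built for them.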

Proof of concept


* The config is in /home/emailswitch/code/config/current.conf
* The config key for the password is system_password
* The password is in clear text (!!)
* The IP ACL for admin authentication is the config key :
* it's possible to deactivate the IP ACL for ~5 minutes (hint :
look for the shell used by the user sa)

Firmware update 3.1.18 fixes this issue.

Francois Harvey <fharvey at securiweb dot net>
Security Analyst
SecuriWeb inc.


2005-06-14 : Initial vendor contact
2005-06-14 : Initial feedback from Barracuda Networks
2005-07-* : Firmware 3.1.18 resolved this issue
2005-08-17 : Confirmation to disclose the vulnerability
2005-09-01 : Public disclosure
