Home page logo
/

bugtraq logo Bugtraq mailing list archives

Barracuda Networks Backup Appliance Application - Persistent Web Vulnerability
From: Vulnerability Lab <research () vulnerability-lab com>
Date: Thu, 27 Feb 2014 00:23:42 +0100

Document Title:
===============
Barracuda Networks Backup Appliance Application - Persistent Web Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=784

BARRACUDA NETWORK SECURITY ID: BNSEC-885


Release Date:
=============
2014-02-26


Vulnerability Laboratory ID (VL-ID):
====================================
784


Common Vulnerability Scoring System:
====================================
3.5


Product & Service Introduction:
===============================
Barracuda Backup Service is a complete and affordable data backup solution. The Barracuda Backup 
Server provides a full local data backup and is combined with a storage subscription to replicate 
data to two offsite locations. This approach provides the best of both worlds - onsite backups for 
fast restore times and secure, offsite storage for disaster recovery. Block level deduplication is 
applied inline to reduce traditional backup storage requirements by 20 to 50 times while also 
reducing backup windows and bandwidth requirements. Cloud Storage with Deduplication

Barracuda Backup Subscription plans provide diverse offsite storage at affordable monthly fees that 
scale to meet increasing data requirements.

    * Secure backup to two geo-separate data centers
    * Deduplicated efficient backup storage
    * Redundant disk-based storage
    * Best-of-breed data retention policies
    * Web interface multi-location management
    * Restore by Web, FTP and Windows software

(Copy of the Vendor Homepage: http://www.barracudanetworks.com/ns/products/backup_overview.php)


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent web vulnerability in the official Barracuda Networks 
Backup appliance web-application.


Vulnerability Disclosure Timeline:
==================================
2013-12-02:     Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-12-04:     Vendor Notification (Barracuda Networks Security Team)
2013-12-08:     Vendor Response/Feedback (Barracuda Networks Security Team)
2014-02-17:     Vendor Fix/Patch (Barracuda Networks Developer Team)
2014-02-26:     Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A persistent web vulnerability has been discovered in the official Barracuda Networks Backup appliance web-application.
The bugs allows remote attackers to inject own malicious script code on the application side (persistent) of the 
service.

The persistent vulnerability is located in the `remote_host` value of the `Extern Backup` module. Remote attackers are 
able 
to inject via POST method request own malcious script codes as remote_host. The result is the persistent 
(application-side) 
execution out in the vulnerable remote_host list module. The attack vector is persistent on the application-side and 
the 
request method to inject is POST. The security risk of the persistent input validation web vulnerability is estimated 
as 
medium with a cvss (common vulnerability scoring system) count of 3.5(+)|(-)3.6.

Exploitation of the persistent web vulnerability requires low user interaction and a low privileged web-application 
appliance 
user account. Successful exploitation of the vulnerability results in persistent session hijacking (admin/auditor), 
persistent 
phishing (application-side), persistent external redirect and persistent manipulation of affected or connected 
vulnerable modules.

Request Method(s):
                                [+] POST

Vulnerable Section(s):
                                [+] Jetz Sichern

Vulnerable Module(s):
                                [+] Extern Backup > Ziel hinzufügen (Add Target) - Listing 

Vulnerable Parameter(s):
                                [+] remote_host (Exception-Handling) - Error (Invalid)


Proof of Concept (PoC):
=======================
The persistent input validation vulnerability can be exploited by remote attacker with low privileged application user 
account and 
low required user interaction. For demonstration or reproduce ...

Review: Jetz Sichern > Extern Backup > Ziel hinzufügen > [remote_host] > Listing 

<div class="fieldGroupInfo">You can optionally choose a Backup Server from your account to load the required info 
automatically, 
or enter it manually.</div>

<div class="fieldGroupError"></div>
</div>
<div class="replication_wrapper">
<div class="fieldGroup  statusError"><label class="ultraform_label">Ziel-IP-Adresse:</label>
<span><div class="alba-placeholder" style="position: absolute; background: none repeat scroll 0% 0% transparent; 
border-color: transparent; border-style: solid; height: 17px; width: 241px; padding: 2px 3px; font-size: 13px; 
font-family: 
Arial,'Liberation Sans',FreeSans,sans-serif; font-weight: 400; font-style: normal; letter-spacing: normal; line-height: 
16px; 
text-align: start; text-decoration: none; border-width: 1px; vertical-align: middle; cursor: text; overflow: hidden; 
text-overflow: 
ellipsis; white-space: nowrap; -moz-user-select: none; color: rgba(0, 0, 0, 0.35); top: 79px; left: 268px; display: 
none;">
Ziel-Hostname oder IP-Adresse</div><input _placeholder="Ziel-Hostname oder IP-Adresse" size="35" 
name="remote_host" value="">"<iframe src=a>%20%20%20%20"><[PERSISTENT INJECTED SCRIPT CODE!];) <" content_source="" 
id="remote_host" type="text">
</span><span class="fieldGroupStatus"> </span>
<div class="fieldGroupInfo">Geben Sie die IP-Adresse oder den Hostnamen des Ziel-Backup-Servers ein. Die Adresse muss 
von diesem Backup 
Server aus erreichbar sein. Alternative Portnummern können angegeben werden. Beispiel: 192.168.1.2:5001</div>
<div class="fieldGroupError">Sie haben keine Erlaubnis zum Hinzufügen oder Editieren von Ziel-Backup-Servern.</div>
</div>


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure encode and parse of the remote_host value in the `Extern Backup` module of 
the `Ziel hinzufügen` function.
Restrict the remote_host input fields and filter the POST method request after the regular mask validation to prevent 
script code injection attacks.


Security Risk:
==============
The security risk of the persistent web vulnerability is estimated as medium because of  the location in the 
remote_host exception-handling.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm () evolution-sec com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all 
warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. 
Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss 
of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such 
damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing 
limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack 
into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                             - www.evolution-sec.com
Contact:    admin () vulnerability-lab com      - research () vulnerability-lab com            - admin () evolution-sec 
com
Section:    www.vulnerability-lab.com/dev       - forum.vulnerability-db.com                   - 
magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                - 
youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php   - 
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability 
Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the 
use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, 
videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, 
list (feed), 
modify, use or edit our material contact (admin () vulnerability-lab com or research () vulnerability-lab com) to get a 
permission.

                                Copyright © 2014 | Vulnerability Laboratory [Evolution Security]


-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research () vulnerability-lab com



  By Date           By Thread  

Current thread:
  • Barracuda Networks Backup Appliance Application - Persistent Web Vulnerability Vulnerability Lab (Feb 27)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]